Allow custom token expiration

[mpender]

Instead of the hardcoded 1 hour token expiration time is it possible to have cloudgate query token expiration from a given role instead?

https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp_request.html

That way not every role used by cloudgate is governed by a single expiration time and can allow each account/role-owner to have granular controls over token expiration

[rgooch]

Creating a global configuration option to change the token length would be simple enough. Making the configuration more granular poses some challenges:

• how to expose the configuration without complicating the WebUI
• how to express different timeouts for different accounts or roles in cg-client
• change the STS refresh interval for different account/role combinations

What is your use-case? If you are seeking to increase the STS token lifetimes then there is another issue: how to quickly revoke user access. One of the first questions I get from auditors or managers is how to revoke access quickly. Currently, STS tokens are 1 hour and this generally seems to be fast enough. If a user has an STS token which lasts 12 hours, this is more concerning if there is a perceived risk to the user retaining access for that long.

[mpender]

This request comes directly from some of our users who cannot use a dedicated IAM user account/instance role and must use CloudGate.

This PR is to see how feasible or how much of a security-hole it would be to have a configuration flag in the static-config.yml where admins can set a flag to have CG either continue to enforce the IAM role of 1hr (default) or respect the maximum token expiration as defined by the IAM role when CG looks it up.

Having a maximum flag to check against the default user_defined_limit
if > default 1hr and < user_defined_limit (lets 4 hours), issue token. So no 12 hr tokens can get though and users can have extra time with tokens.

"how to expose the configuration without complicating the WebUI"
this is something to have in the cloudgate static-config.yml only, the user doesnt need to see this.

"how to express different timeouts for different accounts or roles in cg-client"
Anything with a default limit could continue to auto-refresh, add another flag to enable refresh custom STS tokens ? similar to how you have to specify getting tokens for Admin roles using cg-client

For the overall security and integrity of this, I agree, having a way to kill tokens is important. That said, AWS account admins should be aware regardless if they use CG or not is of how to revoke tokens using something like this https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html (Granted I have not tested this myself with CG generated tokens but I assume it would work).

I am not expecting CG to have this kill feature, this is about proposing custom token lengths or at least altering the hard limit.

[mpender]

Any more thoughts on this ?