Configure the duration of your users' AWS access portal sessions - AWS IAM Identity Center

Configure the duration of your users' AWS access portal sessions

By default, the duration of an AWS access portal session, which is the maximum length of time that a user can be signed into the AWS access portal without re-authenticating into the portal, is 8 hours. You can specify a different duration, from a minimum of 15 minutes to a maximum of 90 days.

The following topics provide information about configuring the duration of your users' AWS access portal sessions.

Prerequisites and considerations

Following are the prerequisites and considerations for configuring the duration of your users' AWS access portal sessions.

External identity providers

If you're using an external identity provider (IdP) as an identity source for IAM Identity Center, the duration of an AWS access portal session is the lesser of the duration that you set in your IdP or IAM Identity Center. For example, if your IdP session duration is 24 hours and you set an 18-hour session duration in IAM Identity Center, your users must re-authenticate in the AWS access portal after 18 hours. If you set a 72-hour session duration in IAM Identity Center and your IdP has a session duration of 18 hours, your users must re-authenticate after 18 hours.

Note

If you're using Active Directory as an identity source for IAM Identity Center, session management isn't supported.

AWS CLI and SDK sessions

If you're using the AWS Command Line Interface, AWS Software Development Kits (SDKs), or other AWS development tools to access AWS services programmatically, the following prerequisites must be met for AWS access portal session duration settings to be applied.

  • You must configure the AWS access portal session duration in the IAM Identity Center console.

  • You must define a profile for single sign-on settings in your shared AWS config file. This profile is used to connect to the AWS access portal. We recommend that you use the SSO token provider configuration. With this configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens. For more information, see SSO token provider configuration in the AWS SDK and Tools Reference Guide.

  • Users must run a version of the AWS CLI or an SDK that supports session management.
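The following check is an added example, not code from the AWS documentation: it reads a shared AWS config file and reports which profiles use the SSO token provider configuration (an `sso_session` key pointing at an `[sso-session ...]` section) and which still carry SSO settings directly in the profile, the format AWS documents as the legacy non-refreshable configuration. The sample file contents, the function name `classify_sso_profiles` and the four labels it returns are assumptions made for this example.

```python
import configparser

# Constructed sample of a shared AWS config file; all names, IDs and URLs are placeholders.
SAMPLE_CONFIG = """
[sso-session corp]
sso_region = us-east-1
sso_start_url = https://example.awsapps.com/start

[profile dev]
sso_session = corp
sso_account_id = 111122223333

[profile old-laptop]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile typo]
sso_session = crop

[profile static-keys]
region = us-east-1
"""

def classify_sso_profiles(config_text):
    """Map profile name -> 'token-provider', 'legacy', 'dangling' or 'not-sso'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    sessions = {s[len("sso-session "):].strip()
                for s in parser.sections() if s.startswith("sso-session ")}
    result = {}
    for section in parser.sections():
        if section == "default":
            name = section
        elif section.startswith("profile "):
            name = section[len("profile "):].strip()
        else:
            continue  # sso-session and other non-profile sections
        keys = parser[section]
        if "sso_session" in keys:  # token provider form; the named session must exist
            known = keys["sso_session"].strip() in sessions
            result[name] = "token-provider" if known else "dangling"
        elif "sso_start_url" in keys:
            result[name] = "legacy"  # SSO settings inline, no sso-session section
        else:
            result[name] = "not-sso"
    return result

if __name__ == "__main__":
    print(classify_sso_profiles(SAMPLE_CONFIG))
```

To audit a real workstation, pass the text of the user's own config file to `classify_sso_profiles` instead of the sample.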

Minimum versions of the AWS CLI that support session management

Following are the minimum versions of the AWS CLI that support session management.

  • AWS CLI V2 2.9 or later

  • AWS CLI V1 1.27.10 or later

For information about how to install or update the latest AWS CLI version, see Installing or updating the latest version of the AWS CLI.

If your users are running the AWS CLI and you refresh your permission set just before the IAM Identity Center session is set to expire, the AWS CLI session can run longer than the session duration alone. For example, if the session duration is set to 20 hours while the permission set duration is set to 12 hours, the AWS CLI session runs for the maximum of 20 hours plus 12 hours for a total of 32 hours. For more information about the IAM Identity Center CLI, see AWS CLI Command Reference.

Minimum versions of SDKs that support IAM Identity Center session management

Following are the minimum versions of the SDKs that support IAM Identity Center session management.

| SDK | Minimum version |
|---|---|
| Python | 1.26.10 |
| PHP | 3.245.0 |
| Ruby | aws-sdk-core 3.167.0 |
| Java V2 | AWS SDK for Java v2 (2.18.13) |
| Go V2 | Whole SDK: release-2022-11-11 and specific Go modules: credentials/v1.13.0, config/v1.18.0 |
| JS V2 | 2.1253.0 |
| JS V3 | v3.210.0 |
| C++ | 1.9.372 |
| .NET | v3.7.400.0 |

How to configure the session duration

Use the following procedure to configure the duration of your users' AWS access portal sessions.

  1. Open the IAM Identity Center console.

  2. Choose Settings.

  3. On the Settings page, choose the Authentication tab.

  4. Under Authentication, next to Session settings, choose Configure. A Configure session settings dialog box appears.

  5. In the Configure session settings dialog box, choose the maximum session duration in minutes, hours, and days for your users by selecting the dropdown arrow. Choose the length for the session, and then choose Save. You return to the Settings page.