feat: add processCredentialTimeout option to token command

cmd/aws-iam-authenticator/token.go

@@ -42,6 +42,7 @@ var tokenCmd = &cobra.Command{
 		forwardSessionName := viper.GetBool("forwardSessionName")
 		sessionName := viper.GetString("sessionName")
 		cache := viper.GetBool("cache")
+		procCredTimeout := viper.GetDuration("processCredentialTimeout")
 
 		if clusterID == "" {
 			fmt.Fprintf(os.Stderr, "Error: cluster ID not specified\n")
@@ -69,11 +70,12 @@ var tokenCmd = &cobra.Command{
 		}
 
 		tok, err = gen.GetWithOptions(context.Background(), &token.GetTokenOptions{
-			ClusterID:            clusterID,
-			AssumeRoleARN:        roleARN,
-			AssumeRoleExternalID: externalID,
-			SessionName:          sessionName,
-			Region:               region,
+			ClusterID:                clusterID,
+			AssumeRoleARN:            roleARN,
+			AssumeRoleExternalID:     externalID,
+			SessionName:              sessionName,
+			Region:                   region,
+			ProcessCredentialTimeout: procCredTimeout,
 		})
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "could not get token: %v\n", err)
@@ -99,6 +101,7 @@ func init() {
 		false,
 		"Enable mapping a federated sessions caller-specified-role-name attribute onto newly assumed sessions. NOTE: Only applicable when a new role is requested via --role")
 	tokenCmd.Flags().Bool("cache", false, "Cache the credential on disk until it expires. Uses the aws profile specified by AWS_PROFILE or the default profile.")
+	tokenCmd.Flags().Duration("process-credential-timeout", 0, "Timeout for AWS credential_process execution (e.g. 5m, 120s). 0 uses SDK default (1m).")
 	if err := viper.BindPFlag("region", tokenCmd.Flags().Lookup("region")); err != nil {
 		fmt.Printf("Failed to bind flag '%s' - %+v\n", "region", err)
 		os.Exit(1)
@@ -127,6 +130,10 @@ func init() {
 		fmt.Printf("Failed to bind flag '%s' - %+v\n", "cache", err)
 		os.Exit(1)
 	}
+	if err := viper.BindPFlag("processCredentialTimeout", tokenCmd.Flags().Lookup("process-credential-timeout")); err != nil {
+		fmt.Printf("Failed to bind flag '%s' - %+v\n", "processCredentialTimeout", err)
+		os.Exit(1)
+	}
 	if err := viper.BindEnv("role", "DEFAULT_ROLE"); err != nil {
 		fmt.Printf("Failed to bind env '%s' - %+v\n", "role", err)
 		os.Exit(1)

pkg/token/token.go

@@ -36,6 +36,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/middleware"
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials/processcreds"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
@@ -120,6 +121,9 @@ type GetTokenOptions struct {
 	AssumeRoleARN        string
 	AssumeRoleExternalID string
 	SessionName          string
+	// ProcessCredentialTimeout, if set to a positive duration, overrides the SDK's
+	// default 1 minute timeout for running credential_process.
+	ProcessCredentialTimeout time.Duration
 }
 
 // FormatError is returned when there is a problem with token that is
@@ -235,6 +239,11 @@ func (g generator) GetWithOptions(ctx context.Context, options *GetTokenOptions)
 		config.WithAssumeRoleCredentialOptions(func(options *stscreds.AssumeRoleOptions) {
 			options.TokenProvider = StdinStderrTokenProvider
 		}),
+		config.WithProcessCredentialOptions(func(o *processcreds.Options) {
+			if options.ProcessCredentialTimeout > 0 {
+				o.Timeout = options.ProcessCredentialTimeout
+			}
+		}),
 		config.WithEC2IMDSClientEnableState(imds.ClientEnabled),
 	)
 	if err != nil {