From 338d245341e9799b65321c2636620b2e2331b9bd Mon Sep 17 00:00:00 2001
From: Jason Hernandez <7144515+jasonhernandez@users.noreply.github.com>
Date: Wed, 20 May 2026 09:42:32 -0700
Subject: [PATCH] ci(scratch-aws-access): cut assume-role session from 12h to
 2h

CI jobs rarely run longer than ~2h, but the scratch-aws-access plugin
requests a 12h STS session. Any credential leak (test logs, printenv in
a malicious step, exfil from the agent host) stays valid for half a day.

Paired with a matching change in i2 to cut max_session_duration on the
underlying `mz-scratch-ci-role`. Land this PR first; the role-side cap
in i2 won't matter until this client-side request is also reduced.

Tracking: i2 SEC-573 / SEC-566 audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 ci/plugins/scratch-aws-access/hooks/pre-command | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/plugins/scratch-aws-access/hooks/pre-command b/ci/plugins/scratch-aws-access/hooks/pre-command
index e57579c370e99..1ff204bed79c2 100644
--- a/ci/plugins/scratch-aws-access/hooks/pre-command
+++ b/ci/plugins/scratch-aws-access/hooks/pre-command
@@ -15,7 +15,7 @@ set -euo pipefail
 
 ci_unimportant_heading "Assuming scratch AWS role"
 
-creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 43200 --role-session-name ci)
+creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 7200 --role-session-name ci)
 
 AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<< "$creds")
 AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<< "$creds")