Open
Description
While I can adjust the AWS Maximum session duration for a Role, and "see" it (so it can be > 3600s default), using the --duration option to set at less than the max is inoperable.
Validation steps:
$ aws-federated-auth --list --account 432399220289
Username: hughmac
...
wharton-research-programming-2-AdministratorAccess 43200 432399220289 AdministratorAccess
wharton-research-programming-2-research-it-q-role 3600 432399220289 research-it-q-role
$ aws-federated-auth --account 432399220289 --duration 900
...
PROFILE NAME MAX DURATION ACCOUNT NUMBER ROLE NAME
wharton-research-programming-2-AdministratorAccess 43200 432399220289 AdministratorAccess
wharton-research-programming-2-research-it-q-role 3600 432399220289 research-it-q-role
Then something like:
$ export AWS_PROFILE='wharton-research-programming-2-AdministratorAccess'
$ while aws s3 ls | grep zappa>/dev/null 2>&1; do echo "$(date +%H:%M:%S) :: OK"; done; echo "$(date +%H:%M:%S) :: EXPIRED"
... doesn't expire until max, instead of the desired 900s.
With --logging=debug I only see:
{"time":"2024-09-05 07:50:31","name":"shib.awsshib","level":" DEBUG","message":"Attempting to query max duration"}
... no errors, etc.
Let me know if I'm missing something, etc.