Renewing AWS credentials

0

I'm following this AWS documentation to make ECS tasks access other AWS services using task role credentials. When I run curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI it returns a JSON document that looks something like this:

{
  "RoleArn":"arn:aws:iam::718304...",
  "AccessKeyId":"ASIA2...",
  "SecretAccessKey":"BNZD...",
  "Token":"IQoJ...",
  "Expiration":"2023-03-03T17:56:46Z"
}

My ECS instances are long running which means they will outlive the expiration timestamp provided in the above result.

Do I need to poll that endpoint regularly to avoid expired credentials? If so, is there a way to extend the credentials' life?

Asked a year ago, 1300 views
1 Answer
1
Accepted Answer

You will need to periodically refresh the credentials obtained from the metadata endpoint because as you mentioned, they have an expiration timestamp. You can do this by setting up a scheduled task or a cron job to fetch the new credentials from the metadata endpoint before they expire. To extend the credentials' life, you can increase the session duration when you assume the task role using AWS Security Token Service (STS). When you assume a role, you can specify the duration of the role session, up to a maximum of 12 hours. The default session duration is one hour.

From here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

AWS
Niko
Answered a year ago
  • Note that AWS-supplied SDKs will poll the Instance Metadata Service for you - so this answer does depend on the libraries you're using.

  • @Brettski-AWS that's excellent info but unfortunately for me this is an Elixir app so I won't get that benefit for free.

    Scratch what I said above. As you say, ex_aws will take care of this.
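
For a runtime without SDK support, refreshing before expiry amounts to caching the document and re-fetching it a few minutes ahead of its Expiration value. The sketch below is an added example, not code from this thread or from AWS; the TaskCredentialCache class, the 5-minute margin, and the simulate() run with its constructed key ids are assumptions.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

REQUIRED = {"AccessKeyId", "SecretAccessKey", "Token", "Expiration"}

def fetch_from_endpoint():
    """GET the same URL as the curl command in the question."""
    uri = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen("http://169.254.170.2" + uri, timeout=2) as resp:
        return json.load(resp)

class TaskCredentialCache:
    """Hypothetical helper: re-fetches the document `margin` before Expiration."""
    def __init__(self, fetch=fetch_from_endpoint, margin=timedelta(minutes=5),
                 now=lambda: datetime.now(timezone.utc)):
        self._fetch, self._margin, self._now = fetch, margin, now
        self._doc = self._expires = None

    def get(self):
        if self._doc is None or self._now() >= self._expires - self._margin:
            doc = self._fetch()
            missing = REQUIRED - set(doc)
            if missing:
                raise ValueError(f"missing fields: {sorted(missing)}")
            # Expiration is UTC, e.g. "2023-03-03T17:56:46Z"
            expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
            if expires <= self._now():
                raise ValueError("endpoint returned already-expired credentials")
            self._doc, self._expires = doc, expires
        return self._doc  # contains secrets: never log or print this dict

def simulate():
    """Constructed run: fake endpoint issuing 1-hour credentials, fake clock."""
    start = datetime(2023, 3, 3, 16, 56, 46, tzinfo=timezone.utc)
    clock, issued = [start], []
    def fake_fetch():
        issued.append(f"ASIA-CONSTRUCTED-{len(issued) + 1}")
        exp = (clock[0] + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"AccessKeyId": issued[-1], "SecretAccessKey": "x",
                "Token": "x", "Expiration": exp}
    cache = TaskCredentialCache(fake_fetch, now=lambda: clock[0])
    seen = []
    for minutes in (0, 30, 54, 56, 60):  # minutes since the first fetch
        clock[0] = start + timedelta(minutes=minutes)
        seen.append(cache.get()["AccessKeyId"])
    return seen
```

Calling get() immediately before each signed request means a long-running task never holds credentials past the margin, with no separate cron job or timer to keep alive.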
