IAM Role / key rotation frequency

Question

Good morning all, we are moving to a more secure method of using IAM Roles for permissions vs keys in credential files. This is being done on numerous applications, Java is our biggest one. We make a lot of requests, and from the documentation, there is no "every X hours they rotate", so is the best practice to simply request the keys on each call? I'm being asked about caching it, etc. can they dynamically refresh as they could then cache for an hour or so, invalidate, request and store for an hour, etc .

I am just not sure what impact (network, CPU, etc.) we will see if every request makes that call for a key each time.

Thanks

I am just not sure what impact (network, CPU, etc.) we will see if every request makes that call for a key each time.

Thanks

Accepted Answer

IAM role allow you to set the maximum session duration on role level and when assuming that role you can specify how long you want to assume that role for (i.e your current session duration). You can specify 1 hour on both and then in your Java app you can request the credentials again every hour and keep them cached in your app for 1 hour.

For more information please check: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

For Java SDK the Credentials object has the **expiration()** method which can tell you when the credentials are expiring. For more information please check following examples

https://docs.aws.amazon.com/code-samples/latest/catalog/javav2-sts-src-main-java-com-example-sts-AssumeRole.java.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html

Answer

Thanks for the detailed help.   I like the fact of expiring it as well so I can pass on those options to the dev team.

Thank you again.

IAM Role / key rotation frequency

Relevant content