IAM Role / key rotation frequency


Good morning all, we are moving to a more secure method of using IAM Roles for permissions vs keys in credential files. This is being done on numerous applications, Java is our biggest one. We make a lot of requests, and from the documentation, there is no "every X hours they rotate", so is the best practice to simply request the keys on each call? I'm being asked about caching it, etc. can they dynamically refresh as they could then cache for an hour or so, invalidate, request and store for an hour, etc .

I am just not sure what impact (network, CPU, etc.) we will see if every request makes that call for a key each time.


asked 2 years ago782 views
2 Answers
Accepted Answer

IAM role allow you to set the maximum session duration on role level and when assuming that role you can specify how long you want to assume that role for (i.e your current session duration). You can specify 1 hour on both and then in your Java app you can request the credentials again every hour and keep them cached in your app for 1 hour.

For more information please check: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

For Java SDK the Credentials object has the expiration() method which can tell you when the credentials are expiring. For more information please check following examples

https://docs.aws.amazon.com/code-samples/latest/catalog/javav2-sts-src-main-java-com-example-sts-AssumeRole.java.html https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html

answered 2 years ago

Thanks for the detailed help. I like the fact of expiring it as well so I can pass on those options to the dev team.

Thank you again.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions