Renewing AWS credentials


I'm following this AWS documentation to make ECS tasks access other AWS services using task role credentials. When I run curl$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI it returns a JSON document that looks something like this JSON document:


My ECS instances are long running which means they will outlive the expiration timestamp provided in the above result.

Do I need to poll that endpoint regularly to avoid expired credentials? if so is there a way to extend the credentails life?

已提问 1 年前1533 查看次数
1 回答

You will need to periodically refresh the credentials obtained from the metadata endpoint because as you mentioned, they have an expiration timestamp. You can do this by setting up a scheduled task or a cron job to fetch the new credentials from the metadata endpoint before they expire. To extend the credentials' life, you can increase the session duration when you assume the task role using AWS Security Token Service (STS). When you assume a role, you can specify the duration of the role session, up to a maximum of 12 hours. The default session duration is one hour.

From here - Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

profile pictureAWS
已回答 1 年前
  • Note that AWS-supplied SDKs will poll the Instance Metadata Service for you - so this answer does depend on the libraries you're using.

  • @Brettski-AWS that's excellent info but unfortunately for me this is an Elixir app so I won't get that benefit for free.

    Scratch what I said above. As you say, ex_aws will take care of this.

您未登录。 登录 发布回答。