Damien

Reputation: 4121

Amazon SDK - Temporary Credentials and AssumeRoleRequest

I am using version 1.11.79 of the Amazon Java SDK. I have a job that creates a snapshot of all my server volumes. With sleeps etc. (to satisfy Amazon SDK guidelines), this has started to take over an hour.

I use the following code to construct my AmazonEC2Client using temporary credentials:

    // Request temporary credentials for the role via STS.
    AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(roleARN)
        .withExternalId(externalId)
        .withDurationSeconds(3600)
        .withRoleSessionName(roleSessionName);

    AssumeRoleResult assumeResult = amazonSecurityTokenServiceClient.assumeRole(assumeRequest);
    Credentials credentials = assumeResult.getCredentials();

    // Wrap the access key, secret key and session token as session credentials.
    temporaryCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());

    // Custom provider that hands these fixed credentials to the client.
    CustomAmazonCredentialsProviderVO customAmazonCredentialsProviderVO = new CustomAmazonCredentialsProviderVO();
    customAmazonCredentialsProviderVO.setCredentials(temporaryCredentials);
    // Logs the provider object; its toString() should not include the secret key or session token.
    LOG.debug("customAmazonCredentialsProviderVO:{}", customAmazonCredentialsProviderVO);

    amazonEC2Client = new AmazonEC2Client(customAmazonCredentialsProviderVO, amazonClientConfiguration);

The problem is with the AssumeRoleRequest and the withDurationSeconds method: the max you can set it to is 3600 seconds (1 hour).

I need to be able to set this to, say, 2 or 3 hours.

Does anyone know if there is another way to create temporary credentials that will last more than 1 hour?

Thanks, Damien

Upvotes: 12

Views: 6221

Answers (3)

Robocide

Reputation: 6751

For those of you who get to this thread and want a solution that will make sure the session always lives: you can use the STSAssumeRoleSessionCredentialsProvider given by the AWS SDK, but notice it will create an extra thread to make sure the session is alive. You can also use a custom implementation that does not create an extra thread, like the Netflix implementation below:

https://www.javatips.net/api/SimianArmy-master/src/main/java/com/netflix/simianarmy/aws/STSAssumeRoleSessionCredentialsProvider.java

Upvotes: 0
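
As an added example (not part of the answer above, and not code from the AWS SDK or Netflix), here is one way to write a provider that re-assumes the role on demand without an extra thread. The class name `RefreshingAssumeRoleProvider` and the five-minute refresh margin are assumptions; the constructor arguments correspond to the values used in the question.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

/** Hypothetical provider: renews the session lazily, inside getCredentials(). */
public class RefreshingAssumeRoleProvider implements AWSCredentialsProvider {
    // Assumed margin: renew this long before expiry so no request signs with a stale token.
    private static final long REFRESH_MARGIN_MS = 5 * 60 * 1000L;

    private final AWSSecurityTokenService sts;
    private final String roleArn;
    private final String externalId;
    private final String sessionName;
    private BasicSessionCredentials current; // never logged, no toString() override
    private long expiresAtMs;

    public RefreshingAssumeRoleProvider(AWSSecurityTokenService sts, String roleArn,
                                        String externalId, String sessionName) {
        this.sts = sts;
        this.roleArn = roleArn;
        this.externalId = externalId;
        this.sessionName = sessionName;
    }

    @Override
    public synchronized AWSCredentials getCredentials() {
        // First call, or the session is about to expire: assume the role again.
        if (current == null || System.currentTimeMillis() >= expiresAtMs - REFRESH_MARGIN_MS) {
            refresh();
        }
        return current;
    }

    @Override
    public synchronized void refresh() {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withExternalId(externalId)
                .withRoleSessionName(sessionName)
                .withDurationSeconds(3600); // short sessions are fine, they are renewed
        Credentials c = sts.assumeRole(request).getCredentials();
        current = new BasicSessionCredentials(
                c.getAccessKeyId(), c.getSecretAccessKey(), c.getSessionToken());
        expiresAtMs = c.getExpiration().getTime();
    }
}
```

Pass an instance to `new AmazonEC2Client(provider, amazonClientConfiguration)` in place of the fixed credentials; the SDK asks the provider for credentials when it signs each request, so a job that outlives one session keeps working.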

Lasse Christiansen

Reputation: 10325

Assuming you are in control of the role which the job assumes, you can simply set the MaxSessionDuration property. From the docs (emphasis mine):

The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. Minimum value of 3600. Maximum value of 43200.

Increasing this limit should allow you to use a value > 3600 in your AssumeRoleRequest.

I just tried this using the AWS SDK for .NET, and it seems to work fine.

Upvotes: 0

franklinsijo

Reputation: 18270

You can make use of GetSessionToken, which accepts a DurationSeconds value as high as 129600, provided you are an IAM user.

From the docs:

Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours)

Upvotes: 6
