Reputation: 85
AWS temporary credentials — is the Expiration time in UTC?
I imagine this is likely, but I haven't found any explicit information saying that it's true.
When receiving a Credentials object from AssumeRole, is the Expiration in UTC time?
Upvotes: 3
Views: 3015
Answers (3)
Reputation: 1
Yes it'll be in UTC So irrespective of your time zone.. check the present time of your timezon. Take the UTC time of that and add 8 hours or whatever the expiry time ur company have provided. see if that is matching with the one expiry time given in that Respone
Upvotes: 0
Reputation: 1192
When you invoke sts using boto3, the expiration date shows that it's in utc
sts = boto3.client('sts')
role = sts.assume_role(
RoleArn='<role>',
RoleSessionName='STSTest',
DurationSeconds=900
)
role["Credentials"]["Expiration"]
>>datetime.datetime(2018, 5, 15, 4, 51, 50, tzinfo=tzutc())
Upvotes: 0
Reputation: 36073
The response from sts:AssumeRole includes a property called Expiration:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
The Expiration value is an ISO 8601 formatted date. This means, that the date can be in any timezone, but the timezone is specified in the date itself. The example above is UTC due to the "Z" at the end of the date value.
To be 100% correct, you should probably anticipate the value could be non-UTC value, which you may need to timezone-shift the value. However, in practice, most likely, the value will be UTC.
Upvotes: 6
Related Questions
- Ways to find out how soon the AWS session expires?
- How to increase the duration of STS credentials validity from one hour?
- Temporary password expiration with AWS Cognito
- How to configure expiration time for AWS container credentials
- Using aws STS to get temporary credentials: Where is the web identity token?
- Expiration time of AWS EC2 instance profile credentials
- How can I to use an AWS temporary security credential just one time?
- How secret is the session token in AWS temporary security credentials?
- Validity of temp credentials by STS Assume role
- Extend duration of AWS temporary security credentials