How to configure expiration time for AWS container credentials

Question

By default the AWS container credentials expiration time is 6 hours.

https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html

Is there any way to configure this?

Answer 1

This use case can be achieved using assume role. You can create a role and define the duration in which you want credentials to be expired and then use that role in ECS. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

You can read the link below to modify role with expire time you want: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage.html

Read more about assume role: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Steps

• Open IAM Console and select the IAM Role
• To view a role's maximum session duration (console)
• In the navigation pane of the IAM console, choose Roles.
• Choose the name of the role that you want to view.
• Next to Maximum CLI/API session duration, view the maximum session length that you can specify in your AWS CLI or API operation.

When you use an AWS CLI or API operation to assume a role, you can specify a value for the DurationSeconds parameter. You can use this parameter to specify the duration of the role session, from 900 seconds (15 minutes) up to the Maximum CLI/API session duration setting for the role. Before you specify the parameter, you should view this setting for your role. If you specify a value for the DurationSeconds parameter that is higher than the maximum setting, the operation fails.