Reputation: 997
I am running a Java app on ECS Fargate and have attached a role to the Fargate task to perform S3 operations. From my Java process I have started using DefaultCredentialsProviderChain.java from the AWS SDK to get the credentials and create an S3 client. I am having trouble understanding the questions below:
I followed the link below but did not get my answers. Can anyone please help me understand these queries?
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html#credentials-chain
Upvotes: 0
Views: 949
Reputation: 12087
Which class in the chain (in DefaultCredentialsProviderChain.java) gets credentials?
As you have attached a runtime role, AWS will provide a metadata service. The credential provider will use the service to fetch the runtime credentials. By default the runtime credentials are valid for one hour (as far as I recall).
https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingTempSessionToken.html
Can I cache the S3 client created with credentials?
Yes, you can. The credential provider keeps track of the session lifetime and refreshes the token some time before expiration (as well, as far as I remember).
This actually places some limits when creating a presigned URL. The presigned URL is valid only while the credentials are valid. So it may happen that you create a presigned URL and the URL will be valid for a shorter time than expected.
Upvotes: 1
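The presigned URL limit described in the answer above, as an added example that is not part of the original posts and not AWS SDK code. The class and method names are hypothetical, the JSON is a constructed sample in the shape the ECS task credentials endpoint returns, and the cap applied is the rule the answer states (the URL stops working when the signing credentials expire).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: class and method names are hypothetical, not AWS SDK API.
public class PresignLifetimeCheck {

    // Constructed sample; no value here is a real credential.
    static final String SAMPLE_RESPONSE = """
        {"RoleArn":"arn:aws:iam::111122223333:role/example-task-role",
         "AccessKeyId":"ASIAEXAMPLEEXAMPLE00",
         "SecretAccessKey":"constructed-not-a-real-secret",
         "Token":"constructed-not-a-real-token",
         "Expiration":"2024-05-01T13:00:00Z"}""";

    // Extract the Expiration timestamp (ISO-8601, UTC) from the response.
    static Instant credentialExpiry(String json) {
        Matcher m = Pattern.compile("\"Expiration\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalArgumentException("no Expiration field in credentials response");
        }
        return Instant.parse(m.group(1));
    }

    // Usable lifetime of a URL signed at signedAt: the requested duration,
    // capped by the remaining lifetime of the signing credentials.
    static Duration effectiveValidity(Instant signedAt, Duration requested, Instant credsExpireAt) {
        Duration remaining = Duration.between(signedAt, credsExpireAt);
        if (remaining.isNegative() || remaining.isZero()) {
            return Duration.ZERO; // credentials already expired at signing time
        }
        return requested.compareTo(remaining) <= 0 ? requested : remaining;
    }

    public static void main(String[] args) {
        Instant expiry = credentialExpiry(SAMPLE_RESPONSE);
        Duration requested = Duration.ofMinutes(30);
        // One signing time well before the credentials expire, one 10 minutes before.
        Instant[] signingTimes = {
            Instant.parse("2024-05-01T12:05:00Z"), Instant.parse("2024-05-01T12:50:00Z")};
        for (Instant signedAt : signingTimes) {
            Duration effective = effectiveValidity(signedAt, requested, expiry);
            System.out.printf("signed=%s requested=%s effective=%s%s%n", signedAt, requested,
                effective, effective.compareTo(requested) < 0 ? " (shorter than requested)" : "");
        }
    }
}
```

A service that hands out presigned URLs can run the same comparison before signing and log a warning, or shorten the lifetime it advertises to callers, whenever the effective value is below the requested one.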