Is there a grace period for updating IAM credentials through a metadata request?

An EC2 instance can get its metadata from an HTTP GET to 169.254.169.254. If an instance has a correctly assigned IAM role, it can automatically "discover" its API credentials.

But they are temporary and should be updated periodically. Boto does this automatically if they expire in less than 5 minutes after verification.

Sometimes the update can take very long (a couple of minutes). Before moving on to this system, is there a period during which both the current and "future" credentials can be used, or are the current credentials invalidated when I request new ones?

1 answer

New credentials are issued automatically and are forced into the instance before the expiration of the old credentials.

When you query the instance metadata service at 169.254.169.254, you will always get valid (unexpired) credentials.

If you cache the credentials in your application, it should refresh them by calling the instance metadata service at least 15 minutes before the previous ones expire. If you use the AWS SDK, it refreshes the credentials automatically.

More information can be found at http://aws.amazon.com/iam/faqs/#How_do_i_get_started_with_IAM_roles_for_EC2_instances

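The refresh rule in the answer (query 169.254.169.254, cache the result, fetch again at least 15 minutes before `Expiration`) as a small credential cache. This is an added example, not code from the question, the answer or the AWS SDK. The field names (`Code`, `AccessKeyId`, `SecretAccessKey`, `Token`, `Expiration`) follow the JSON document IMDS returns for a role; the sample response, the fake clock and the `simulate` helper are constructed so the logic runs offline. The real fetcher uses the IMDSv2 session-token flow (a PUT to `/latest/api/token`, then GETs with the `X-aws-ec2-metadata-token` header), which the page does not mention but which is the form to use on new instances.

```python
"""Cache IAM role credentials from the instance metadata service and refresh
them with a safety margin before they expire (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

IMDS_BASE = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# The answer advises refreshing at least 15 minutes before expiry.
REFRESH_MARGIN = timedelta(minutes=15)

# Constructed sample shaped like the IMDS credential document (not real keys).
SAMPLE_IMDS_RESPONSE = {
    "Code": "Success",
    "LastUpdated": "2024-01-01T11:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLE-secret-not-real",
    "Token": "EXAMPLE-session-token-not-real",
    "Expiration": "2024-01-01T17:00:00Z",
}


def parse_expiration(value: str) -> datetime:
    # IMDS timestamps are ISO-8601 in UTC, e.g. "2024-01-01T17:00:00Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(creds: Optional[dict], now: datetime,
                  margin: timedelta = REFRESH_MARGIN) -> bool:
    """True when there are no cached credentials or they expire within the margin."""
    if creds is None:
        return True
    return parse_expiration(creds["Expiration"]) - now <= margin


def fetch_from_imds(timeout: float = 2.0) -> dict:
    """Real fetch using IMDSv2: obtain a session token, then the role document."""
    token_req = urllib.request.Request(
        IMDS_BASE + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    hdrs = {"X-aws-ec2-metadata-token": token}

    def get(path: str) -> str:
        req = urllib.request.Request(IMDS_BASE + path, headers=hdrs)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()

    role = get(CREDS_PATH).splitlines()[0]  # the instance's attached role name
    return json.loads(get(CREDS_PATH + role))


class RoleCredentials:
    """Credential cache; fetch and clock are injectable for offline testing."""

    def __init__(self, fetch: Callable[[], dict] = fetch_from_imds,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch, self._clock = fetch, clock
        self._creds: Optional[dict] = None
        self.refresh_count = 0

    def get(self) -> dict:
        if needs_refresh(self._creds, self._clock()):
            fresh = self._fetch()
            if fresh.get("Code") != "Success":  # e.g. role not yet attached
                raise RuntimeError("IMDS returned no usable credentials: %r" % fresh.get("Code"))
            self._creds = fresh
            self.refresh_count += 1
        return self._creds


def simulate(checkpoints_minutes):
    """Offline walk-through with a constructed fake IMDS and fake clock.
    Each issued credential lasts 6 hours; returns refresh_count at each checkpoint."""
    start = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)
    state = {"now": start, "issued": 0}

    def fake_imds() -> dict:
        state["issued"] += 1
        creds = dict(SAMPLE_IMDS_RESPONSE)
        creds["AccessKeyId"] = "ASIAEXAMPLE%03d" % state["issued"]
        creds["Expiration"] = (state["now"] + timedelta(hours=6)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return creds

    cache = RoleCredentials(fetch=fake_imds, clock=lambda: state["now"])
    results = []
    for minutes in checkpoints_minutes:
        state["now"] = start + timedelta(minutes=minutes)
        cache.get()
        results.append(cache.refresh_count)
    return results


if __name__ == "__main__":
    # Refreshes at t=0, again at 345 min (15 min before the 6 h expiry), again at 700.
    print(simulate([0, 300, 344, 345, 700]))
```

The margin is applied against the `Expiration` field IMDS itself returns, so the cache never has to guess the rotation schedule; it only has to avoid signing requests with a key that the service is about to stop honouring.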

Source: https://habr.com/ru/post/1432992/
