Tags: amazon-web-services, amazon-ecs, aws-sso, aws-credentials

AWS access token and secret key of an SSO user expire after 8 hours in an ECS deployment


I have deployed my Node.js application to ECS, but it uses other resources such as SNS and SES. However, to use SES, I must store AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN in the environment. Everything is working fine at this point, but the keys expire every 8 hours because of SSO, and I can't figure out how to programmatically get these tokens in my code and update the environment.

Note: after logging in via SSO, I assume a role and use those keys, which eventually expire.


Solution

  • In most scenarios that require credentials to access other AWS services, you should use a task role. This is similar to an instance role but scoped to ECS tasks. Since the role implicitly issues the task temporary credentials, they won't be valid beyond 12 hours. But ECS will keep renewing them in the background, and your application will not encounter any problems.

    One scenario that does not lend itself to using task roles is the need to generate presigned URLs that are valid for longer than 12 hours. In this case, you'll have to either presign the URL using static/long-term IAM credentials that are permanent, or presign on demand.