An EC2 instance can retrieve its metadata with an HTTP GET to "169.254.169.254". If the instance is properly assigned an IAM role, it can automatically "discover" its API credentials.
But these are temporary and must be periodically renewed. Boto automatically does this if they expire less than 5 minutes after the check.
Occasionally, the renewal can be very long (a couple of minutes). Before I switch to this system, is there a period during which both the current and "future" credentials can be used, or are the current credentials invalidated as soon as I query for the new ones?
New credentials are issued automatically and pushed out to the instance before the old credentials expire.
When you query the instance metadata service at 169.254.169.254, you will always get valid (unexpired) credentials.
If you are caching credentials in your application, the guidance is to refresh the credentials by calling the instance metadata service at least 15 minutes before the prior ones expire. If you are using the AWS SDK, refreshing of credentials is automatically taken care of by the SDK.
More details are also available at http://aws.amazon.com/iam/faqs/#How_do_i_get_started_with_IAM_roles_for_EC2_instances
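A small credential cache that follows the guidance in the answer above (re-query IMDS at least 15 minutes before the cached credentials expire, and otherwise keep using the current ones), as an added example that is not code from the question, the answer, or Boto. The IMDSv2 session-token step and the field names of the credential document are as AWS documents them; the sample JSON is constructed with placeholder values, and `fetch_from_imds` only succeeds when run on an EC2 instance.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"
REFRESH_MARGIN = timedelta(minutes=15)  # refresh this long before expiry, per the answer

# Constructed sample of the IMDS credential document (placeholder values, not real keys).
SAMPLE_IMDS_RESPONSE = """{
  "Code": "Success", "LastUpdated": "2024-01-01T10:00:00Z", "Type": "AWS-HMAC",
  "AccessKeyId": "ASIA-PLACEHOLDER", "SecretAccessKey": "placeholder-secret",
  "Token": "placeholder-session-token", "Expiration": "2024-01-01T16:00:00Z"
}"""


def parse_credentials(body):
    """Parse the IMDS JSON document into a dict with a timezone-aware expiry."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS did not return credentials: %r" % doc.get("Code"))
    expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {"access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
            "token": doc["Token"], "expiration": expiry.replace(tzinfo=timezone.utc)}


def needs_refresh(creds, now, margin=REFRESH_MARGIN):
    """True once 'now' is within 'margin' of the expiry time (or already past it)."""
    return now >= creds["expiration"] - margin


def fetch_from_imds(role_name, timeout=2):
    """Live IMDSv2 fetch: obtain a session token, then GET the role's credential document."""
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=timeout).read().decode()
    req = urllib.request.Request(
        IMDS + "/latest/meta-data/iam/security-credentials/" + role_name,
        headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=timeout).read().decode()


class CachingCredentials:
    """Cache parsed credentials; re-query IMDS only once inside the refresh margin."""
    def __init__(self, fetch, clock=lambda: datetime.now(timezone.utc)):
        self._fetch, self._clock, self._creds = fetch, clock, None

    def get(self):
        if self._creds is None or needs_refresh(self._creds, self._clock()):
            self._creds = parse_credentials(self._fetch())
        return self._creds
```

On a real instance you would construct it as `CachingCredentials(lambda: fetch_from_imds("my-role"))`; the `clock` parameter exists so the refresh logic can be exercised offline.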