问题
I am going through this AWS doc about temporary credentials, and I have come across this, about the duration of them:
The GetSessionToken action must be called by using the long-term AWS security credentials of the AWS account or an IAM user.
Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
So, what is the difference between created by IAM users and created by using account credentials?
I am creating my temporary credentials using STS via boto3, and they are being expired within an hour. How do I make them be valid for the 36 hours which is mentioned here, via boto3?
回答1:
The maximum duration is related to the credentials used to make the call to STS.
If you use your Root Credentials (where you login with an email address), it is considered an Account Credential. You should not typically use root credentials since they are too powerful and cannot be restricted. You should always create an IAM User and use it for your day-to-day work on AWS. This allows the credentials to be restricted or revoked, which provides much better security control.
Therefore:
- If you call STS with Root Credentials, the limit is 1 hour
- If you call STS with IAM User Credentials, the limit is 36 hours
来源:https://stackoverflow.com/questions/45539658/how-to-increase-the-duration-of-sts-credentials-validity-from-one-hour