[英]AWS IAM role expiry
On expiry of IAM roles: IAM 角色到期时:
Instance roles such as those used in EMR are renewed automatically: 实例角色(例如 EMR 中使用的角色)会自动续订:
The application is granted the permissions for the actions and resources that you've defined for the role through the security credentials associated with the role.通过与角色关联的安全凭证,应用程序被授予您为角色定义的操作和资源的权限。 These security credentials are temporary and we rotate them automatically .这些安全凭证是临时的,我们会自动轮换它们。 We make new credentials available at least five minutes before the expiration of the old credentials.我们会在旧凭据到期前至少五分钟提供新凭据。
Look in the AWS SDK for com.amazonaws.auth.InstanceProfileCredentialsProvider
;查看com.amazonaws.auth.InstanceProfileCredentialsProvider
的 AWS 开发工具com.amazonaws.auth.InstanceProfileCredentialsProvider
; this is called by the clients to get the IAM Credentials.这由客户端调用以获取 IAM 凭证。 It spawns a thread com.amazonaws.auth.EC2CredentialsFetcher
which does HTTP requests to the special 169.xxx http server which provides these details.它产生一个线程com.amazonaws.auth.EC2CredentialsFetcher
,它向提供这些详细信息的特殊 169.xxx http 服务器发出 HTTP 请求。 Every spark worker creating an s3 client (or s3a, on ASF builds) will instantiate an InstanceProfileCredentialsProvider, after which everything will "just work"每个创建 s3 客户端(或 s3a,在 ASF 版本中)的 spark worker 都会实例化一个 InstanceProfileCredentialsProvider,之后一切都会“正常工作”
IAM roles used to always expire after 1h; IAM 角色过去总是在 1 小时后过期; any job lasting 65+ minutes would have triggered a refresh.任何持续 65 分钟以上的工作都会触发刷新。
try it and see.试试看。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.