On expiry of IAM roles:
Instance roles such as those used in EMR are renewed automatically:
The application is granted the permissions for the actions and resources that you've defined for the role through the security credentials associated with the role. These security credentials are temporary and we rotate them automatically . We make new credentials available at least five minutes before the expiration of the old credentials.
Look in the AWS SDK for com.amazonaws.auth.InstanceProfileCredentialsProvider
; this is called by the clients to get the IAM Credentials. It spawns a thread com.amazonaws.auth.EC2CredentialsFetcher
which does HTTP requests to the special 169.xxx http server which provides these details. Every spark worker creating an s3 client (or s3a, on ASF builds) will instantiate an InstanceProfileCredentialsProvider, after which everything will "just work"
IAM roles used to always expire after 1h; any job lasting 65+ minutes would have triggered a refresh.
try it and see.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.