3

I imagine this is likely, but I haven't found any explicit information saying that it's true.

When receiving a Credentials object from AssumeRole, is the Expiration in UTC time?

Derek Hauffe
  • 85
  • 10
  • I don't think this is associated with any timezone. Temporary credentials are for the duration you ask for (In the range of 15 minutes to 36 hours) – kosa Jun 02 '17 at 18:16
  • Thanks. I understand that. The return is a concrete DateTime object, however. The request specifies a desired duration in seconds. The response is a DateTime of when the credentials expire. – Derek Hauffe Jun 02 '17 at 18:18
  • 1
    Yes, because in your datetime object no timezone associated, it will default to UTC. – kosa Jun 02 '17 at 18:20
  • Gotcha. Thanks, @Nambari. – Derek Hauffe Jun 02 '17 at 18:25

3 Answers3

5

The response from sts:AssumeRole includes a property called Expiration:

{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
        "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
    },
    "Credentials": {
        "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
        "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
        "Expiration": "2016-03-15T00:05:07Z",
        "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
    }
}

The Expiration value is an ISO 8601 formatted date. This means, that the date can be in any timezone, but the timezone is specified in the date itself. The example above is UTC due to the "Z" at the end of the date value.

To be 100% correct, you should probably anticipate the value could be non-UTC value, which you may need to timezone-shift the value. However, in practice, most likely, the value will be UTC.

Matt Houser
  • 33,983
  • 6
  • 70
  • 88
0

When you invoke sts using boto3, the expiration date shows that it's in utc

sts = boto3.client('sts')
role = sts.assume_role(
    RoleArn='<role>',
    RoleSessionName='STSTest',
    DurationSeconds=900
)

role["Credentials"]["Expiration"]
>>datetime.datetime(2018, 5, 15, 4, 51, 50, tzinfo=tzutc())
Sujay DSa
  • 1,172
  • 2
  • 22
  • 37
0

Yes it'll be in UTC So irrespective of your time zone.. check the present time of your timezon. Take the UTC time of that and add 8 hours or whatever the expiry time ur company have provided. see if that is matching with the one expiry time given in that Respone

Akshay RK
  • 1