% curl http://169.254.170.2/creds
{"AccessKeyId":"ASIA----------EGKVOM","Expiration":"","RoleArn":"","SecretAccessKey":"4su0....","Token":"FQoG...."}
# export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds
# python3
Python 3.7.4 (default, Jul 30 2019, 19:56:38)
[GCC 7.3.1 20180712 (Red Hat 7.3.1-6)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> boto3.__version__
'1.9.246'
>>> boto3.client("ssm")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.7/site-packages/boto3/__init__.py", line 91, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/boto3/session.py", line 263, in client
aws_session_token=aws_session_token, config=config)
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 827, in create_client
credentials = self.get_credentials()
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 426, in get_credentials
'credential_provider').load_credentials()
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 1934, in load_credentials
creds = provider.load()
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 1797, in load
return self._retrieve_or_fail()
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 1812, in _retrieve_or_fail
expiry_time=_parse_if_needed(creds['expiry_time']),
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 196, in _parse_if_needed
return parse(value)
File "/usr/local/lib/python3.7/site-packages/dateutil/parser/_parser.py", line 1358, in parse
return DEFAULTPARSER.parse(timestr, **kwargs)
File "/usr/local/lib/python3.7/site-packages/dateutil/parser/_parser.py", line 652, in parse
raise ValueError("String does not contain a date:", timestr)
ValueError: ('String does not contain a date:', '')
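I'm fairly certain the session token does include an expiration date, but it's not meant for consumption outside of the AWS Auth service. (I'm fairly certain it's encrypted, and if we could decrypt it, anyone could also go about generating secret keys and session tokens, which would be... bad. The Auth team would know for sure, though.) Since clients have to treat the token as opaque, the expiry has to come from the `Expiration` field of the endpoint's response; in the session above that field is an empty string, which is what botocore hands to the date parser when it raises the ValueError.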