Managing AWS credentials for long-running jobs

Last updated: June 18, 2025

When using AWS credentials in Spacelift jobs through assume role with web identity, you may encounter token expiration issues on long-running jobs. This article explains the current limitations and available workarounds.

Token Expiration Limitations

AWS imposes strict time limits on assumed-role credentials, so jobs that run longer than 60 minutes may fail with token expiration errors. To assume roles, we make a request to the AWS API. The DurationSeconds parameter is described in the AWS documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Available Solutions

There are two main approaches for assuming AWS roles in Spacelift:

  1. Assume role on Spacelift's end

    • Uses role chaining (Spacelift's backend role assumes another role)

    • Limited to a maximum duration of 1 hour due to AWS restrictions

  2. Assume role on the worker

    • Recommended approach for long-running jobs

    • Can have a duration of up to 12 hours

    • Not subject to role chaining limitations
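A pre-flight check for the two approaches above, as an added example that is not Spacelift's code: it rejects a DurationSeconds value AWS would refuse for the chosen path and reports how far a set of credentials falls short of a planned job. The function names, the 5-minute safety margin and the sample credentials are assumptions made for illustration; the 900-second minimum, the 1-hour role-chaining cap and the 12-hour ceiling are AWS STS limits.

```python
from datetime import datetime, timedelta, timezone

STS_MIN = 900        # lowest DurationSeconds AssumeRole accepts
CHAINED_MAX = 3600   # AWS cap when one role assumes another (role chaining)
STS_MAX = 43200      # 12 hours, the highest MaxSessionDuration a role can have


def allowed_duration(chained, role_max_session=3600):
    """Longest DurationSeconds AWS accepts for this assumption path."""
    if not 3600 <= role_max_session <= STS_MAX:
        raise ValueError("role MaxSessionDuration must be 3600..43200 seconds")
    return min(role_max_session, CHAINED_MAX) if chained else role_max_session


def check_request(duration, chained, role_max_session=3600):
    """Reject a DurationSeconds value AWS would refuse, before calling STS."""
    limit = allowed_duration(chained, role_max_session)
    if not STS_MIN <= duration <= limit:
        raise ValueError(f"DurationSeconds {duration} outside {STS_MIN}..{limit}")
    return duration


def shortfall(credentials, job_seconds, now, margin=300):
    """Seconds by which the job (plus margin) outlives the credentials; 0 if safe."""
    expires = datetime.fromisoformat(credentials["Expiration"].replace("Z", "+00:00"))
    needed_until = now + timedelta(seconds=job_seconds + margin)
    return max(0, int((needed_until - expires).total_seconds()))


# Constructed sample shaped like the Credentials object in an AssumeRole response.
SAMPLE = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-not-a-real-secret",
    "SessionToken": "constructed-not-a-real-token",
    "Expiration": "2025-06-18T13:00:00Z",
}

if __name__ == "__main__":
    now = datetime(2025, 6, 18, 12, 0, tzinfo=timezone.utc)
    print(shortfall(SAMPLE, 90 * 60, now))  # 90-minute job on 1-hour credentials
    print(allowed_duration(chained=True, role_max_session=43200))
    print(allowed_duration(chained=False, role_max_session=43200))
```

A non-zero shortfall on a chained role means the job needs the role assumed on the worker, since raising the role's MaxSessionDuration does not lift the chaining cap.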

Temporary Workaround

For one-off runs that will take over an hour and cannot assume the role on the worker, you can temporarily add AWS credentials directly as environment variables. Note that this is not recommended as a permanent solution.