I can get a token and secret in an ECS container from 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (see https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-access-aws-services/).
The AWS Java SDK v1 appears to wrap this: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html?com/amazonaws/auth/ContainerCredentialsProvider.html
It also seems to provide methods to check the expiration date and refresh the retrieved data.
The AWS Java SDK v2 also appears to wrap this: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html
It doesn't give an expiry date though, so how is this meant to be used? The impression I get is that the token lasts for less than a day.
The AWS Java SDK v2 also appears to wrap another way: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.Builder.html
It doesn't give a refresh method or the expiry date but the parent class (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/HttpCredentialsProvider.Builder.html) allows you to set whether it gets asynchronously refreshed, and to set a thread name (presumably to handle the async refresh) but there is no documentation around how to use asyncThreadName.
So how can I get the token and secret and know how/when to refresh them?
According to AWS Support, adding a call to asyncCredentialUpdateEnabled(true) does the refreshing in the background without any further effort.