Ben Kehoe
1 min read · Oct 9, 2021

ECS Local Endpoints works great if you have IAM User credentials, because those are long-term and don’t expire, so it works to inject them into the container. The problem is that if you are injecting temporary credentials (i.e., if you’re using an assumed role, you’ve got a session token) as environment variables, it means the credentials served by the ECS metadata server will expire if it’s a long-running process, and the code inside the container has no way of refreshing them — the exact situation I am warning about in this article. This is a problem I attempted to solve with aws-export-credentials by starting a server on the host (which then can refresh the credentials), but found that the SDK code that contacts the ECS metadata server does not allow contacting host.docker.internal, which is necessary to contact a server on the host (except when using --network host on Linux).
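As an added illustration (not from the comment or the aws-export-credentials project), the two checks below mirror the distinction drawn above: whether injected credentials are temporary and due to expire, and whether the SDK would contact a given credential-server URI. The URI rule is my approximation of the SDK's restriction (plain http only to loopback, otherwise https), and the credential JSON is a constructed sample with placeholder values.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample in the container-credentials JSON shape: a session
# token and an Expiration mark these as temporary (assumed-role) credentials.
SAMPLE_TEMP_CREDS = {
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "placeholder-secret",
    "Token": "placeholder-session-token",
    "Expiration": "2021-10-09T12:00:00Z",
}

# Constructed sample of long-term IAM user credentials: no token, no expiry.
SAMPLE_USER_CREDS = {"AccessKeyId": "AKIA-PLACEHOLDER", "SecretAccessKey": "x"}


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(creds: dict, now_iso: str, margin_minutes: int = 5) -> bool:
    """True when credentials are temporary and expire within the margin.
    Long-term IAM user credentials have no Expiration, so they never need it."""
    if "Expiration" not in creds:
        return False
    now = _parse_utc(now_iso)
    return now + timedelta(minutes=margin_minutes) >= _parse_utc(creds["Expiration"])


def sdk_will_contact(uri: str) -> bool:
    """Assumption: approximates the SDK rule for a full credentials URI.
    http is accepted only for loopback hosts; any other host must use https.
    A Docker-only name such as host.docker.internal over http is refused."""
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return True
    if parsed.scheme != "http":
        return False
    host = parsed.hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname, not an IP literal: not loopback
```

With `--network host` on Linux the server on the host is reachable as `localhost`, which is why that case passes the check while `host.docker.internal` does not.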
