duanque2413 2017-10-30 19:22
Views: 41

How do I assume a cross-account role?

AWS' Golang SDK says that I should use stscreds.AssumeRoleProvider to assume a cross-account role (in this case, for querying another account's DynamoDb table from a web server). This code works:

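import (
  "time"

  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
  "github.com/aws/aws-sdk-go/aws/session"
  "github.com/aws/aws-sdk-go/service/dynamodb"
)

// sess is the base session, created once at start-up.
var sess *session.Session

func init() {
  sess = session.Must(session.NewSession(&aws.Config{
    Region: aws.String("us-west-2"),
  }))
}

// getDynamoDbClient returns a DynamoDB client whose requests are signed
// with credentials obtained by assuming the cross-account role.
func getDynamoDbClient() *dynamodb.DynamoDB {
  crossAccountRoleArn := "arn:...:my-cross-account-role-ARN"

  // The options function sets the session name, the lifetime of the
  // temporary credentials, and how early they are treated as expired.
  creds := stscreds.NewCredentials(sess, crossAccountRoleArn, func(arp *stscreds.AssumeRoleProvider) {
    arp.RoleSessionName = "my-role-session-name"
    arp.Duration = 60 * time.Minute
    arp.ExpiryWindow = 30 * time.Second
  })

  dynamoDbClient := dynamodb.New(sess, aws.NewConfig().WithCredentials(creds))

  return dynamoDbClient
}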

According to the documentation, the returned client is thread-safe:

DynamoDB methods are safe to use concurrently.

The question is, since the credentials are auto-renewed via stscreds.AssumeRoleProvider, do I

  • Need to new up a new client on each request (to ensure that I've got unexpired credentials), or

  • Can I new up a DynamoDb client when the web server starts up, and reuse it for the life of the web server?

Edited To Note:

I dug into the source code for the Golang AWS SDK, and it looks like the credentials returned by stscreds.NewCredentials() are nothing more than a wrapper around a reference to the stscreds.AssumeRoleProvider. So it seems likely to me that the client will magically get auto-renewed credentials.

AWS' documentation leaves something to be desired.
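
Added example, not part of the original post and not AWS SDK code: a standard-library-only Go model of the pattern the edit above describes, where one long-lived credentials object wraps a provider and is consulted before every request. `Value`, `Cached`, `Simulate` and the key strings are hypothetical and constructed; the 60-minute duration and 30-second expiry window mirror the values in the question.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Value stands in for one set of temporary role credentials (constructed).
type Value struct {
	AccessKeyID string
	Expires     time.Time
}

// Cached is the object a long-lived client holds and asks before each request.
type Cached struct {
	mu       sync.Mutex
	retrieve func(now time.Time) Value // stand-in for the wrapped provider
	window   time.Duration             // plays the role of ExpiryWindow
	cur      Value
}

// Get renews once now is within window of expiry; the zero Value counts as expired.
func (c *Cached) Get(now time.Time) Value {
	c.mu.Lock() // concurrent requests share one refresh
	defer c.mu.Unlock()
	if !now.Before(c.cur.Expires.Add(-c.window)) {
		c.cur = c.retrieve(now)
	}
	return c.cur
}

// Simulate signs one request per offset through a single shared Cached.
func Simulate(offsets ...time.Duration) (keys []string, stsCalls int) {
	assumeRole := func(now time.Time) Value { // constructed, no network call
		stsCalls++
		return Value{fmt.Sprintf("ASIA-CONSTRUCTED-%d", stsCalls), now.Add(60 * time.Minute)}
	}
	c := &Cached{retrieve: assumeRole, window: 30 * time.Second}
	start := time.Date(2017, 10, 30, 19, 22, 0, 0, time.UTC)
	for _, off := range offsets {
		keys = append(keys, c.Get(start.Add(off)).AccessKeyID)
	}
	return keys, stsCalls
}

func main() {
	fmt.Println(Simulate(0, 30*time.Minute, 59*time.Minute+45*time.Second, 61*time.Minute))
}
```

In this model the request at 59m45s falls inside the 30-second window, so it triggers the second retrieval and later requests reuse that value.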
