
Custom duration for STSAssumeRole

Open fehmer opened this issue 3 years ago • 3 comments

Describe the feature

Allow specifying the DurationSeconds when using the default provider chain.

Currently the duration of the session defaults to 3600 with no easy way to use lower or higher values.

Use Case

Using the AWS SDK on EC2 instances with STS assume role (provider: STSAssumeRoleWithWebIdentitySessionCredentialsProvider).

When creating e.g. S3 presigned URLs, the maximum duration the link is valid for is determined by the session duration. When requesting a presigned URL with an expiration of two hours you get a valid URL from the SDK. When using the URL after one hour it fails because it's expired.

Proposed Solution

Add a new environment variable, e.g. AWS_ROLE_SESSION_DURATION_SECONDS, and use this value for the assume role request.

Other Information

No response

Acknowledgements

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS Java SDK version used

1.12.121

JDK version used

openjdk version 11.0.15

Operating System and version

linux

fehmer, May 07 '22 09:05

Hi @fehmer thank you for reaching out. I think we can separate the feature request in two parts:

(1) Allow customization of DurationSeconds in STSAssumeRoleWithWebIdentitySessionCredentialsProvider

(2) The session duration is different from the presigned URL duration; the presigned URL expiration date should consider the credential duration

I don't think (1) is really necessary, as STSAssumeRoleWithWebIdentitySessionCredentialsProvider automatically refreshes the session credentials in the background. (2) is the real problem, and ideally the SDK should be able to set the expiration of the presigned URL to whatever comes first: credential expiration or presigned URL expiration. We do have an open feature request in the Java SDK 2.0 (https://github.com/aws/aws-sdk-java-v2/issues/2379), and it has better chances of being implemented as the team is focused on SDK 2.0 features.

Let me know if you have any questions.

debora-ito, May 10 '22 23:05

Hi @debora-ito thank you for your feedback.

I don't think (2) will solve the problem for me. I want to use presigned S3 (upload) URLs with a validity of 24 hours.

I have configured the serviceAccount to allow a max validity of 24 hours, but when requesting the session credentials from STSAssumeRoleWithWebIdentitySessionCredentialsProvider and generating the presigned S3 URL (with the expiration explicitly set to 24 hours) I cannot use the URL after one hour.

As far as I understand the proposed solution in https://github.com/aws/aws-sdk-java-v2/issues/2379, it would take the 60 minutes from the session I get from STSAssumeRoleWithWebIdentitySessionCredentialsProvider.newSession instead of my configured 24 hours on GeneratePresignedUrlRequest.setExpiration.

My current workaround is to extend the STSAssumeRoleWithWebIdentitySessionCredentialsProvider and call withDurationSeconds(86400) on the assumeRoleRequest. With that the presigned URL is valid for 24 hours.

I am not very deep into the SDK internals, so maybe I am missing the obvious solution for my problem.

fehmer, May 11 '22 05:05
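To make the two positions in the thread concrete, here is an added Python model (not SDK code, and not from either participant) of the behaviour being discussed: a provider that refreshes credentials in the background, and a presigned URL whose usable lifetime is capped by the credentials it was signed with. All timestamps and durations are constructed; the 86400 value is fehmer's workaround setting, not a claim about what STS accepts.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference point for the scenarios below.
T0 = datetime(2022, 5, 7, 9, 0, tzinfo=timezone.utc)
DEFAULT_DURATION_SECONDS = 3600  # the session default the issue describes


class SessionCredentials:
    """Temporary STS credentials; a presigned URL is bound to one specific set."""

    def __init__(self, issued_at, duration_seconds):
        self.issued_at = issued_at
        self.expiration = issued_at + timedelta(seconds=duration_seconds)


class RefreshingProvider:
    """Models the provider: hands out a fresh set once the current set expires."""

    def __init__(self, duration_seconds=DEFAULT_DURATION_SECONDS):
        self.duration_seconds = duration_seconds
        self._current = None

    def credentials(self, now):
        if self._current is None or now >= self._current.expiration:
            self._current = SessionCredentials(now, self.duration_seconds)
        return self._current


def effective_url_validity(creds, signed_at, requested_seconds):
    """Seconds the presigned URL is really usable: the requested expiry or the
    signing credentials' expiry, whichever comes first (point (2) above)."""
    requested_until = signed_at + timedelta(seconds=requested_seconds)
    usable_until = min(requested_until, creds.expiration)
    return int((usable_until - signed_at).total_seconds())


def scenario(provider_duration_seconds, requested_seconds, used_after_seconds):
    """Sign a URL at T0 with the provider's current credentials, then try it
    used_after_seconds later. Returns (effective validity, usable at that time?)."""
    provider = RefreshingProvider(provider_duration_seconds)
    creds = provider.credentials(T0)
    used_at = T0 + timedelta(seconds=used_after_seconds)
    # The provider may have refreshed by now, but the URL stays bound to `creds`,
    # which is why background refresh does not help an already-issued link.
    provider.credentials(used_at)
    validity = effective_url_validity(creds, T0, requested_seconds)
    usable = used_at < T0 + timedelta(seconds=validity)
    return validity, usable
```

The first scenario in the test reproduces the issue as reported (a two-hour URL dying after one hour); raising the provider's DurationSeconds, as in the workaround, is what changes the outcome.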

Got it, in addition to (2) you would like to customize/increase the expiration to the max possible. Funny thing that the AssumeRole docs mention that "you can specify a parameter value of up to 43200 seconds (12 hours)", same for AssumeRoleWithWebIdentity, and not 24h.

Marking as a feature request then. As I mentioned, we are prioritizing Java SDK 2.0 work, so this has better chances to be implemented over there. Feel free to open a feature request in the 2.0 repo if you're interested: https://github.com/aws/aws-sdk-java-v2/issues

debora-ito, May 12 '22 21:05