Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider expiration of security credentials for expiration of a PresignedRequest #2379

Open
1 task done
steinybot opened this issue Apr 6, 2021 · 2 comments
Open
1 task done

Consider expiration of security credentials for expiration of a PresignedRequest #2379

steinybot opened this issue Apr 6, 2021 · 2 comments
Labels
feature-request A feature should be added or improved. p1 This is a high priority issue

Comments

@steinybot
Copy link

Describe the Feature

Update software.amazon.awssdk.awscore.presigner.PresignedRequest#expiration so that it returns the minimum out of the expiration time of the security credentials and the requested signed duration.

Is your Feature Request related to a problem?

It is impossible to tell when a PresignedRequest will actually expire. It makes it difficult to generate a presigned URL using an instance profile as it could expire at any time up to a maximum of 6 hours. The provided signatureDuration is practically useless except to restrict that to something less than 6 hours.

Proposed Solution

The AwsSessionCredentials would need to be modified to have an additional expiration field that is set in software.amazon.awssdk.auth.credentials.HttpCredentialsProvider#refreshCredentials. This would make a lot of sense since the STS API already returns it.

software.amazon.awssdk.services.s3.internal.presigner.DefaultS3Presigner#initializePresignedRequest can then be modified to get the AWS_CREDENTIALS attribute from the ExecutionContext and get the expiration if they are an instance of AwsSessionCredentials. Then it can use the minimum of that and the one from the PRESIGNER_EXPIRATION attribute as the expiration of the presignedRequest.

Describe alternatives you've considered

I have to maintain my own cached credentials with a known expiration time and provide them to the presigner which is just duplicating all the same logic that the default implementations already do.

Additional Context

I want to generate presigned URLs and know when they will expire.

  • I may be able to implement this feature request

Your Environment

  • AWS Java SDK version used: 2.15.25
  • JDK version used: 1.8
  • Operating System and version: Amazon Linux 2
@steinybot steinybot added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 6, 2021
@debora-ito
Copy link
Member

Hi @steinybot thank you for the detailed description. Yes, this is a very reasonable feature request, marking as such.

@debora-ito debora-ito removed the needs-triage This issue or PR still needs to be triaged. label Apr 14, 2021
@mullermp mullermp mentioned this issue May 12, 2021
Closed
@debora-ito debora-ito mentioned this issue May 10, 2022
Closed
2 tasks
@yasminetalby yasminetalby added the p1 This is a high priority issue label Nov 14, 2022
@jimhcvent
Copy link

Also very interested in this feature!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request A feature should be added or improved. p1 This is a high priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@debora-ito @steinybot @yasminetalby @jimhcvent