Allow To Set a Custom Expiry Window for Preemptive Token Rotations When Using AWS IAM Auth #2169
+207
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Primary use case (from me) is to: Use the client for to generate presigned urls which are valid for longer. With the the previous rotate after 80% rule this still cuts away a lot of time of the max. 12h token duration. This allows the users to use IAM Auth and create presigned urls which can be valid for as long as the expiry window is configured. Signed-off-by: Jannik Hollenbach <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Sorry didn't get to it for quit a while.
Closes #2136
This allows to specify a ExpiryWindow when building up a AWS IAM Credential Provider.
Full transparentcy: the tests were genereated by an LLM, only had a look over them to make sure they acutally do something reasonable, the actual iam_aws code change was written by me (a human :D)
What I don't super like about this change is that the ExpiryWindow is passed as a time.Duration, the default with percentage based approach (rotate after 80% of the token duration) seems to have less footgun potential.
A
time.Durationwould allow people to configure windows which are longer than their IAM credentials are valid for. This would cause the token to get rotated constantly. I was hestitent to use a percentage here though, the credentialValuewrapper type doesn't seem to support a percentage based approach and I wasn't sure if overcomplicating this was a good idea. Any ideas how we could prevent this? Or am I overthinking this :D