Conversation

@jirislav jirislav commented Nov 26, 2025

Description

When `s3.use-web-identity-token-credentials-provider` is configured, then the `WebIdentityTokenFileCredentialsProvider` is used in the AWS SDK to communicate with S3. This provider supports specifying the `prefetchTime` & `staleTime` (by default it's 5 & 1 minute).

Why is this important? Well, because when we presign an S3 URL (e.g. for Trino client to retrieve the data using the spooling protocol), the attached token will be valid only for as long as the remaining validity time of the temporary token that was used to sign the URL. For example, if the `MaxSessionDuration` in the AWS IAM role is kept at its default of 1 hour, then what happens is that every hour new temporary credentials need to be fetched. If prefetch time is 5 minutes (and stale time 1 minute), then the worst-case scenario is that every hour the Trino clients might experience the `ExpiredToken` exception when downloading the spooled segments from a signed S3 URL later than 1-5 minutes since their creation.

This issue is even worse in case some Trino workers finish their job early, upload their segments to S3, sign them, but then the Trino client still needs to wait for all the remaining workers to finish their part, which might take several more minutes. So if the query is executed just before the session is about to expire, then the clients running such heavy queries are almost guaranteed to experience the ExpiredToken exception.

Release notes

Release notes are required. Please propose a release note for me.
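
Added example, not part of the pull request or of Trino's code: a simplified timing model of the window described above, showing which presigned segment URLs can already be expired when the client finally downloads them. The refresh model (a refresh succeeds at the prefetch threshold in the best case and only at the stale threshold in the worst case), the URL TTL, the sample timestamps and the tuned values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RefreshPolicy:
    session: int   # lifetime of each temporary credential (IAM MaxSessionDuration), seconds
    prefetch: int  # a refresh is attempted once remaining lifetime drops to this
    stale: int     # a refresh is forced once remaining lifetime drops to this

def credential_expiry(sign_time, policy, refresh_at):
    """Expiry of the credential in use at sign_time (assumed model).

    refresh_at is the remaining lifetime at which the refresh actually succeeds:
    policy.prefetch in the best case, policy.stale in the worst case.
    Credentials are fetched at t=0 and then every (session - refresh_at) seconds.
    """
    period = policy.session - refresh_at
    issued = (sign_time // period) * period
    return issued + policy.session

def url_valid_until(sign_time, requested_ttl, policy, refresh_at):
    # A presigned URL stops working at whichever comes first:
    # its own TTL or the expiry of the credential that signed it.
    return min(sign_time + requested_ttl,
               credential_expiry(sign_time, policy, refresh_at))

def expired_segments(sign_times, download_time, requested_ttl, policy):
    """Sign times of segments whose URL is already dead at download_time (worst case)."""
    return [t for t in sign_times
            if url_valid_until(t, requested_ttl, policy, policy.stale) <= download_time]

# Defaults named in the description: 1 h session, 5 min prefetch, 1 min stale.
DEFAULT = RefreshPolicy(session=3600, prefetch=300, stale=60)
# Constructed tuned values: refresh much earlier so signed URLs keep more lifetime.
TUNED = RefreshPolicy(session=3600, prefetch=1800, stale=1200)

# Constructed scenario: workers sign segments at these times (seconds), the
# client starts downloading at t=3700 once the slowest worker has finished.
SIGN_TIMES = [3400, 3500, 3550]
DOWNLOAD_AT = 3700
URL_TTL = 900  # constructed presign TTL, seconds

if __name__ == "__main__":
    print("default:", expired_segments(SIGN_TIMES, DOWNLOAD_AT, URL_TTL, DEFAULT))
    print("tuned:  ", expired_segments(SIGN_TIMES, DOWNLOAD_AT, URL_TTL, TUNED))
```

In this model the guaranteed minimum lifetime of a signed URL equals the stale time, which is why the early-finishing workers' segments are the ones that fail.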

@cla-bot cla-bot bot added the cla-signed label Nov 26, 2025
@jirislav jirislav force-pushed the jirislav/support-prefetch-and-stale-time-in-s3-credentials-provider branch from 8ef4343 to 3c5e82a Compare November 26, 2025 12:11
@github-actions github-actions bot added the docs label Nov 26, 2025
@jirislav jirislav force-pushed the jirislav/support-prefetch-and-stale-time-in-s3-credentials-provider branch from 3c5e82a to 4dc20af Compare November 26, 2025 14:15
@chenjian2664
Contributor

@wendigo @electrum
