
V2 SDK does not support duration_seconds for the Assume role credential provider when configured via shared AWS config file #5695

Open
1 task
tkhill-AWS opened this issue Nov 1, 2024 · 1 comment
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@tkhill-AWS
Contributor

tkhill-AWS commented Nov 1, 2024

Describe the bug

In my shared AWS config file, I configured it to trigger the SDK to use the StsAssumeRoleCredentials provider. I used the following settings in the config file:

[default]
role_arn = arn:aws:iam::111122223333:role/s3-listbuckets-only-role
duration_seconds = 900
role_session_name = test-temp-session
source_profile = main-profile

The main-profile settings are not shown, but it configures an SSO session set up to use IdC.

In code, with wire logging enabled, I create an S3 client with: S3Client s3Client = S3Client.create();

I see the following response that lists the expiration time (<Expiration>):

2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "x-amzn-RequestId: fda3def1-b162-46e8-91dc-d590bc9feed8[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "Content-Type: text/xml[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "Content-Length: 1477[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "Date: Fri, 01 Nov 2024 21:00:47 GMT[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "[\r][\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "  <AssumeRoleResult>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "    <AssumedRoleUser>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <AssumedRoleId>AROATKON37RG6VSFDTY4F:test-temp-session</AssumedRoleId>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <Arn>arn:aws:sts::111122223333:assumed-role/s3-listbuckets-only-role/test-temp-session</Arn>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "    </AssumedRoleUser>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "    <Credentials>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <AccessKeyId>xxx</AccessKeyId>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <SecretAccessKey>xxx</SecretAccessKey>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <SessionToken>xxx</SessionToken>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "      <Expiration>2024-11-01T22:00:48Z</Expiration>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "    </Credentials>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "  </AssumeRoleResult>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "  <ResponseMetadata>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "    <RequestId>fda3def1-b162-46e8-91dc-d590bc9feed8</RequestId>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "  </ResponseMetadata>[\n]"
2024-11-01 17:00:48 [main] DEBUG org.apache.http.wire:73 - http-outgoing-1 << "</AssumeRoleResponse>[\n]"

No matter what I set the duration_seconds value to, the expiration is always 1 hour (the default) after the initial call to STS.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The SDK should honor the duration_seconds provided in the config file. This setting is not listed as an exception in the SDK reference (https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html#assume-role-sdk-compat)

Current Behavior

The SDK ignored the duration_seconds provided in the config file and used the default value (3600 seconds).

Reproduction Steps

See earlier.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.29.5

JDK version used

17

Operating System and version

Mac - Sonoma 14.5
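The following is an added example, not code from the issue author or from the AWS SDK project. It shows the behaviour the report expects, obtained by putting DurationSeconds on the AssumeRoleRequest in code rather than in the shared config file, and it checks the expiration STS actually returned against the requested 900 seconds. Assumptions: the region (us-east-1), that the main-profile credentials resolve through ProfileCredentialsProvider, that the role's IAM maximum session duration allows 900 seconds, and that the SDK version in use exposes AwsCredentials.expirationTime() (present in recent 2.x releases); role ARN, session name and profile names are the ones from the config file above.

```java
// Added example (not the issue author's code and not part of the AWS SDK): request the
// role session lifetime explicitly and verify what STS granted before using the credentials.
import java.time.Duration;
import java.time.Instant;

import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class ExplicitDurationAssumeRole {

    // Values taken from the shared config file in the issue; the region is an assumption.
    static final String ROLE_ARN = "arn:aws:iam::111122223333:role/s3-listbuckets-only-role";
    static final String SESSION_NAME = "test-temp-session";
    static final String SOURCE_PROFILE = "main-profile";
    static final int DURATION_SECONDS = 900;
    static final Region REGION = Region.US_EAST_1;

    public static void main(String[] args) {
        // STS client authenticated with the source profile (the SSO/IdC session in the issue).
        StsClient sts = StsClient.builder()
                .region(REGION)
                .credentialsProvider(ProfileCredentialsProvider.create(SOURCE_PROFILE))
                .build();

        // The duration travels on the request the provider re-sends on every refresh,
        // so each refreshed session also carries the 900-second lifetime.
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(ROLE_ARN)
                .roleSessionName(SESSION_NAME)
                .durationSeconds(DURATION_SECONDS)
                .build();

        StsAssumeRoleCredentialsProvider provider = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(request)
                .build();

        // Check the lifetime STS granted (the <Expiration> element of the AssumeRole response)
        // against what was requested, before handing the provider to a service client.
        Instant requested = Instant.now();
        AwsCredentials creds = provider.resolveCredentials();
        creds.expirationTime().ifPresent(exp -> {
            Duration granted = Duration.between(requested, exp);
            System.out.println("STS granted a session of about " + granted.toMinutes() + " minutes");
            // Allow a little clock slack; a 60-minute session here means the duration was ignored.
            if (granted.getSeconds() > DURATION_SECONDS + 60) {
                throw new IllegalStateException("Session lifetime exceeds the requested "
                        + DURATION_SECONDS + " seconds: " + granted.getSeconds());
            }
        });

        // Use the short-lived session for the only permission the role is meant to have.
        try (S3Client s3 = S3Client.builder().region(REGION).credentialsProvider(provider).build()) {
            s3.listBuckets().buckets().forEach(b -> System.out.println(b.name()));
        }
    }
}
```

STS rejects a DurationSeconds above the role's configured maximum session duration, so the requested value must stay within that limit; the check after resolveCredentials() is what distinguishes "the SDK sent the duration" from "STS applied its one-hour default", which is exactly the difference the wire log above makes visible.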

@tkhill-AWS tkhill-AWS added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2024
@tkhill-AWS tkhill-AWS changed the title V2 SDK does not support duraction_seconds for the Assume role credential provider when configured via shared AWS config file V2 SDK does not support duration_seconds for the Assume role credential provider when configured via shared AWS config file Nov 3, 2024
@debora-ito
Member

Confirmed, duration_seconds config file attribute is being ignored.

Want to point out that StsAssumeRoleCredentialsProvider will still refresh the credentials periodically.

@debora-ito debora-ito added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 7, 2024