feat: store credential expiration epoch in secret for proactive refresh#157
Conversation
STS AssumeRoleWithWebIdentity returns an Expiration timestamp, but the secret only stored key_id/secret/session_token — discarding the expiration. Consumers (duckdb-iceberg) had no way to know when creds expire and resorted to fixed-interval refresh timers. Store credentials.GetExpiration() as 'expiration_epoch' (epoch seconds) in the secret_map. Consumers can now refresh at ~80% TTL instead of guessing with arbitrary intervals.
65d3190 to
aec765a
Compare
Tmonster
left a comment
There was a problem hiding this comment.
thanks! Just a quick comment
| // can refresh proactively at ~80% TTL instead of guessing with a fixed timer. | ||
| auto expiration = credentials.GetExpiration(); | ||
| if (expiration != Aws::Utils::DateTime()) { | ||
| result->secret_map["expiration_epoch"] = Value::BIGINT(expiration.Seconds()); |
There was a problem hiding this comment.
Is this used consumed anywhere? We are planning on fixing up our secret refresh functionality soon, so happy to have this in, but I don't think this is inspected anywhere else (i.e duckdb-httpfs won't use it, and I don't see it used in your duckdb-iceberg PR)
There was a problem hiding this comment.
Thanks @Tmonster .yep it's not used at all currently. But if this is supported then I can update my pr in duckdb-iceberg to use it, instead of a fixed TTL. Let me know if that makes sense or not.
There was a problem hiding this comment.
That's fine then, we can iterate on this
| // can refresh proactively at ~80% TTL instead of guessing with a fixed timer. | ||
| auto expiration = credentials.GetExpiration(); | ||
| if (expiration != Aws::Utils::DateTime()) { | ||
| result->secret_map["expiration_epoch"] = Value::BIGINT(expiration.Seconds()); |
There was a problem hiding this comment.
That's fine then, we can iterate on this
Problem
When the
credential_chainprovider creates a secret withweb_identityorstschains, the STS response includes anExpirationtimestamp — but the extension only storeskey_id,secret, andsession_token. The expiration is discarded.Consumers (e.g., duckdb-iceberg) that need to refresh credentials have no way to know when they expire, and must resort to fixed-interval timers (e.g., refresh every 300s regardless of actual TTL).
Fix
Store
credentials.GetExpiration()asexpiration_epoch(epoch seconds as BIGINT) in thesecret_mapwhen the expiration is non-empty. This is backwards-compatible — existing consumers that don't read it are unaffected.Usage by consumers
Related