From aec765a9e2942317677468a13dc4f017b112534d Mon Sep 17 00:00:00 2001 From: hao-xu5 Date: Sat, 20 Jun 2026 00:34:58 -0700 Subject: [PATCH] feat: store credential expiration epoch in secret for proactive refresh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit STS AssumeRoleWithWebIdentity returns an Expiration timestamp, but the secret only stored key_id/secret/session_token — discarding the expiration. Consumers (duckdb-iceberg) had no way to know when creds expire and resorted to fixed-interval refresh timers. Store credentials.GetExpiration() as 'expiration_epoch' (epoch seconds) in the secret_map. Consumers can now refresh at ~80% TTL instead of guessing with arbitrary intervals. --- src/aws_secret.cpp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/aws_secret.cpp b/src/aws_secret.cpp index 17e66bf..b11f4d7 100644 --- a/src/aws_secret.cpp +++ b/src/aws_secret.cpp @@ -476,6 +476,13 @@ static unique_ptr CreateAWSSecretFromCredentialChain(ClientContext & result->secret_map["key_id"] = Value(credentials.GetAWSAccessKeyId()); result->secret_map["secret"] = Value(credentials.GetAWSSecretKey()); result->secret_map["session_token"] = Value(credentials.GetSessionToken()); + + // Store credential expiration as epoch seconds so consumers (e.g., duckdb-iceberg) + // can refresh proactively at ~80% TTL instead of guessing with a fixed timer. + auto expiration = credentials.GetExpiration(); + if (expiration != Aws::Utils::DateTime()) { + result->secret_map["expiration_epoch"] = Value::BIGINT(expiration.Seconds()); + } } ParseCoreS3Config(input, *result);