Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions src/aws_secret.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -476,6 +476,13 @@ static unique_ptr<BaseSecret> CreateAWSSecretFromCredentialChain(ClientContext &
result->secret_map["key_id"] = Value(credentials.GetAWSAccessKeyId());
result->secret_map["secret"] = Value(credentials.GetAWSSecretKey());
result->secret_map["session_token"] = Value(credentials.GetSessionToken());

// Store credential expiration as epoch seconds so consumers (e.g., duckdb-iceberg)
// can refresh proactively at ~80% TTL instead of guessing with a fixed timer.
auto expiration = credentials.GetExpiration();
if (expiration != Aws::Utils::DateTime()) {
result->secret_map["expiration_epoch"] = Value::BIGINT(expiration.Seconds());

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this used consumed anywhere? We are planning on fixing up our secret refresh functionality soon, so happy to have this in, but I don't think this is inspected anywhere else (i.e duckdb-httpfs won't use it, and I don't see it used in your duckdb-iceberg PR)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Tmonster .yep it's not used at all currently. But if this is supported then I can update my pr in duckdb-iceberg to use it, instead of a fixed TTL. Let me know if that makes sense or not.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fine then, we can iterate on this

}
}

ParseCoreS3Config(input, *result);
Expand Down