EC2CredentialsFetcher refreshes credentials too eagerly #1893

@jutley

Description

In this SDK, EC2 Instance Profile credentials are refreshed if they are within 15 minutes of expiration, as seen here:
https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/EC2CredentialsFetcher.java#L43-L53

I believe this is an issue for a couple of reasons:

  1. Most AWS SDKs refresh tokens if they are within 5 minutes of expiration. I verified this in the Ruby and Go SDKs. Javascript does not seem to refresh tokens early. Java is far longer than any other SDK I've seen so far.
  2. 15 minutes is the minimum length of time a token can be created for, which matches this SDK's early expiration window. This is problematic as there are third-party tools that help to manage Instance Profile credentials (such as KIAM, in our case) that default to using the most conservative configurations possible (reasonably so). In this scenario, this SDK refreshes tokens on EVERY request.
  3. This is non-configurable.

I think this 15 minute window should be dropped to 5 minutes to match the other libraries and enable conservative token policies.

Labels: feature-request (A feature should be added or improved), needs-discussion (This issue/PR requires more discussion with community).