How to override the default session duration when using IAM For Service Accounts

[auswells]

Describe the issue

How can I override the default session duration when using IAM for Service Accounts? We are generating presigned S3 urls that are expiring after 1 hour. I'd like to extend the session duration so the presigned Urls are not expiring when the session that created them expires.

We are using AWS SDK version 1.11.955

Here's how we are initializing the S3 client:

            AmazonS3ClientBuilder.EndpointConfiguration endpointConfiguration = new AmazonS3ClientBuilder.EndpointConfiguration(repositoryConfig.getAwsServiceEndpoint(), repositoryConfig.getAwsSigningRegion());
            s3Client = AmazonS3ClientBuilder.standard().withEndpointConfiguration(endpointConfiguration).withPathStyleAccessEnabled(repositoryConfig.isAwsPathStyleAccessEnabled()).build();

Then here's the code to generate the presigned url

           // Generate the presigned URL.
            GeneratePresignedUrlRequest generatePresignedUrlRequest =
                    new GeneratePresignedUrlRequest(bucketName, objectKey)
                            .withMethod(HttpMethod.GET)
                            .withExpiration(Date.from(Instant.now().plus(7,ChronoUnit.DAYS)));

            return s3Client.generatePresignedUrl(generatePresignedUrlRequest);

But with the expiration set to 7 days on the presigned URL, the session used in the presigned URL is expiring after an hour.

I've extended the IAM role's max session duration to 12 hours, but that does not appear to have changed the behavior. I'm assuming I need to override the default 1hr session duration in the credentials provider when creating the S3 client, or mount an aws config file that sets duration_seconds to our container(s)

Steps to Reproduce

n/a

Current behavior

n/a

AWS Java SDK version used

1.11.955

JDK version used

11

Operating System and version

Alpine Linux

[aaoswal]

Hi @auswells,
Thank you for submitting the issue.

To override the default 1 hour session duration have you used AssumeRoleRequest and used the setDurationSeconds method to set the duration between 1 hour and 12 hours?

This should extend the duration while setting the AWSSecurityTokenService client and would work in this use-case.

If not, could you please provide some additional information on any other methods that you might be using in your use-case which might be different from the ones I listed above?

Hope this helps!

[auswells]

Hi @aaoswal This issue can be closed, I was able to get this working by doing the following:

    private URL getPresignedUrl(String bucketName, String objectKey) throws NotFoundException {
        try {
            // Generate the presigned URL.
            GeneratePresignedUrlRequest generatePresignedUrlRequest =
                    new GeneratePresignedUrlRequest(bucketName, objectKey)
                            .withMethod(HttpMethod.GET)
                            .withExpiration(Date.from(Instant.now().plus(7, ChronoUnit.DAYS))); // ignore this when using IAM for Service Accounts, expiration will be 12 hr maximum
            BasicSessionCredentials stsSession = getNewSession();
            if (stsSession != null) {
                generatePresignedUrlRequest.withRequestCredentialsProvider(new AWSStaticCredentialsProvider(stsSession));
            }
            return s3Client.generatePresignedUrl(generatePresignedUrlRequest);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            log.error("", e.getMessage());
            throw new NotFoundException(e.getMessage());
        }
    }


    private BasicSessionCredentials getNewSession() {
        if (stsClient == null) return null;
        try {
            AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
                    .withDurationSeconds(repositoryConfig.getAwsStsSessionDuration())
                    .withRoleArn(System.getenv("AWS_ROLE_ARN"))
                    .withWebIdentityToken(getWebIdentityToken(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")))
                    .withRoleSessionName("aws-sdk-java-" + System.currentTimeMillis());
            AssumeRoleWithWebIdentityResult result = stsClient.assumeRoleWithWebIdentity(request);
            log.debug("Created new session to generate s3 presigned url with expiration: " + result.getCredentials().getExpiration());
            return new BasicSessionCredentials(result.getCredentials().getAccessKeyId(), result.getCredentials().getSecretAccessKey(), result.getCredentials().getSessionToken());
        } catch (Exception ex) {
            log.warn("Failed to create new session to generate s3 presigned url: " + ex.getMessage());
            return null;
        }
    }

[shreyasGit]

thanks for the solution, but how did you read web identity token file ? - getWebIdentityToken(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")