Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose expiration property on temporary STS credentials #3078

Closed
2 tasks
OnKey opened this issue Oct 25, 2023 · 6 comments
Closed
2 tasks

Expose expiration property on temporary STS credentials #3078

OnKey opened this issue Oct 25, 2023 · 6 comments
Labels
credentials feature-request A feature should be added or improved. p2 This is a standard priority issue queued v4

Comments

@OnKey
Copy link

OnKey commented Oct 25, 2023

Describe the feature

Currently the expiry time for a token is not exposed when getting a temporary STS token. This property is stored as part of the CredentialsRefreshState is the class below. Could you look at adding this property into ImmutableCredentials or exposing it in some other way.

https://github.com/aws/aws-sdk-net/blob/main/sdk/src/Core/Amazon.Runtime/Credentials/RefreshingAWSCredentials.cs

Use Case

I need to know when I need to refresh temporary STS credentials and don't want to call GetCredentials() before every AWS API call in my application.

Proposed Solution

Add Expiration property into ImmutableCredentials and populate it in the Copy method where it exists.

https://github.com/aws/aws-sdk-net/blob/main/sdk/src/Core/Amazon.Runtime/Credentials/ImmutableCredentials.cs

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS .NET SDK and/or Package version used

AWSSDK.SSO 3.7.100.83

Targeted .NET Platform

.NET 7

Operating System and version

Windows 10
@OnKey OnKey added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2023
@ashishdhingra
Copy link
Contributor

Appears to be useful feature request. Needs review with the team.

@ashishdhingra ashishdhingra added needs-review p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2023
@ashishdhingra
Copy link
Contributor

ashishdhingra commented Nov 10, 2023
edited
Loading

@OnKey Please elaborate your use case. Credentials are refreshed automatically when RefreshingAWSCredentials are nearing expiration.

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed p2 This is a standard priority issue needs-review labels Nov 10, 2023
@OnKey
Copy link
Author

OnKey commented Nov 14, 2023

@ashishdhingra the credentials are only refreshed if I call GetCredentials() every time I need to call an AWS endpoint. In this case, I need to pass the credentials (Access Key, Secret Key & Session token) to a 3rd party library and know when they need to be refreshed. The 3rd party library does not use the SDK directly, it just accepts a set of credentials to use when accessing AWS.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 15, 2023
@ashishdhingra ashishdhingra added the p2 This is a standard priority issue label Jun 17, 2024
@mungojam
Copy link

I've hit the same limitation now. My use case is that we generate credentials for use with credentials_process, but to make that work well, we need to return the expiry date. It's frustrating that we can't get at it when it's clearly stored within the class.

@dscpinheiro
Copy link
Contributor

We just released the latest preview of V4 (https://www.nuget.org/packages/AWSSDK.SecurityToken/4.0.0-preview.9), and now there's an optional Expiration property added to AWSCredentials, which will be populated when using short-term credentials (such as STS):

var sts = new AmazonSecurityTokenServiceClient();
var response = await sts.AssumeRoleAsync(new AssumeRoleRequest
{
    RoleArn = "arn:aws:iam::111122223333:role/ReadOnly",
    RoleSessionName = "read-only-session",
});
Console.WriteLine(response.Credentials.Expiration);

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 4, 2025

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
credentials feature-request A feature should be added or improved. p2 This is a standard priority issue queued v4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mungojam @dscpinheiro @OnKey @ashishdhingra