The credentials used to connect to ElastiCache are temporary(use assume role). Will subsequent operations fail once the credentials expire? #6431

mappei · 2025-02-12T02:24:20Z

mappei
Feb 12, 2025

Background:

We followed the approach recommended in the official documentation by implementing the resolve method in the CredentialsResolver to obtain the credentials. While the AWS credentials provided by the official method could be permanent, in our scenario, we create temporary credentials using the assume role method and have set an expiration time of 15 minutes.

I conducted local testing by using temporary credentials as a parameter, instead of the new DefaultAWSCredentialsProviderChain() shown in the official example. However, after 15 minutes, requests can still access the service normally without any errors.

Questions

First, I'd like to confirm the token regeneration logic: when the token expires after 15 minutes, if there are any subsequent Redis operations, will the system first fetch a new token from the CredentialsResolver.resolve() method?
The second question is regarding temporary credentials: why are subsequent operations still able to continue after the temporary credentials expire? Is there another automatic credential renewal mechanism in place? The code details are as follows:

public class AWSAuthCredentialsProvider implements CredentialsResolver {

    private final String userName;
    private final IAMAuthTokenRequest iamAuthTokenRequest;
    private final AwsCredentialsProvider awsCredentialsProvider;

    private volatile CompletionStage future;
    private volatile Long lastTime = System.currentTimeMillis();

    public AWSAuthCredentialsProvider(String userName, IAMAuthTokenRequest iamAuthTokenRequest,
            AwsCredentialsProvider awsCredentialsProvider) {
        this.userName = userName;
        this.iamAuthTokenRequest = iamAuthTokenRequest;
        this.awsCredentialsProvider = awsCredentialsProvider;
    }

    @Override
    public CompletionStage resolve(InetSocketAddress address) {
        if (System.currentTimeMillis() - lastTime > 15 * 60 * 1000 || future == null) {
            String token = iamAuthTokenRequest.toSignedRequestUri(
                    awsCredentialsProvider.resolveCredentials());
            future = CompletableFuture.completedFuture(new Credentials(userName, token));
            lastTime = System.currentTimeMillis();
        }
        return future;
    }
}

/** The generate awsCredentialsProvider code */
public AwsCredentials getAwsCredentials(AWSCredentialConfig awsCredentialConfig, Integer durationSeconds) {
        AwsBasicCredentials awsCreds = AwsBasicCredentials.create(awsCredentialConfig.getAccessKey(), awsCredentialConfig.getSecretKey());
        StsClient stsClient = StsClient.builder()
                .region(awsCredentialConfig.getRegion())
                .credentialsProvider(StaticCredentialsProvider.create(awsCreds)).build();
        AssumeRoleRequest assumeRoleRequest = createAssumeRoleRequest(stsClient, awsCredentialConfig.getRoleName(), durationSeconds);

        Credentials sessionCredentials = stsClient.assumeRole(assumeRoleRequest).credentials();
        return AwsSessionCredentials.create(
                sessionCredentials.accessKeyId(),
                sessionCredentials.secretAccessKey(),
                sessionCredentials.sessionToken());
    }

What are the best practices when using temporary credentials? I changed the way temporary credentials are created, moving from passing them as constructor parameters to generating them within the resolve method, which automatically regenerates the temporary credentials when they expire.

public CompletionStage resolve(InetSocketAddress address) {
        if (System.currentTimeMillis() - lastTime > DURATION_SECONDS * 1000 || future == null) {
+            StaticCredentialsProvider awsCredentialsProvider = getAwsCredentialProvider();
            String token = iamAuthTokenRequest.toSignedRequestUri(
                    awsCredentialsProvider.resolveCredentials());
            future = CompletableFuture.completedFuture(new Credentials(userName, token));
            lastTime = System.currentTimeMillis();
        }
        return future;
    }

Best Regards~~

mappei · 2025-02-13T03:22:05Z

mappei
Feb 13, 2025
Author

Any comments? This issue has been puzzling me for a long time. I would really appreciate your help.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The credentials used to connect to ElastiCache are temporary(use assume role). Will subsequent operations fail once the credentials expire? #6431

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

The credentials used to connect to ElastiCache are temporary(use assume role). Will subsequent operations fail once the credentials expire? #6431

Uh oh!

mappei Feb 12, 2025

Background:

Questions

Replies: 1 comment

Uh oh!

mappei Feb 13, 2025 Author

mappei
Feb 12, 2025

mappei
Feb 13, 2025
Author