The `@refresh_lead_time` in AuthCache controls how far in advance of
credential expiry a refresh is triggered. The previous hardcoded value
of 300_000ms (5 min) means presigned URLs signed with temporary
credentials could have as little as ~5 minutes of effective validity,
since AWS rejects requests when the embedded security token expires
regardless of X-Amz-Expires.
This makes the lead time configurable via:
config :ex_aws, auth_refresh_lead_time: 7_500_000 # 2h 5min
allowing consumers that generate long-lived presigned URLs to ensure
credentials are always refreshed early enough.
Defaults to 300_000ms (5 min), preserving existing behaviour.
Summary

The `@refresh_lead_time` in `AuthCache` controls how far in advance of credential expiry a refresh is triggered. The hardcoded value of 300,000ms (5 min) means presigned URLs signed with temporary credentials (instance role / ECS task role) can have as little as ~5 minutes of effective validity — AWS rejects requests once the embedded `X-Amz-Security-Token` expires, regardless of `X-Amz-Expires`.

This makes the lead time configurable via application env:

Defaults to `300_000` (5 min), preserving existing behaviour.

Motivation

When generating presigned S3 URLs that must remain valid for hours (e.g. upload URLs for long-running sessions), the 5-minute refresh window means a URL signed just before credential refresh becomes invalid almost immediately. By allowing consumers to increase the lead time, credentials are refreshed early enough to guarantee sufficient remaining validity on the security token.

Changes

`lib/ex_aws/config/auth_cache.ex`: Replace hardcoded `@refresh_lead_time` with `Application.compile_env(:ex_aws, :auth_refresh_lead_time, 300_000)`

No other files changed. No behaviour change for existing users.
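
The timing argument in the description above, modelled as an added Elixir example (not code from this PR or from ExAws). The module `PresignValidity`, its function names, the 6-hour credential lifetime, the 5-minute margin and the timestamps are assumptions constructed for illustration.

```elixir
defmodule PresignValidity do
  @moduledoc "Illustrative model only; hypothetical module, not part of ExAws."

  # Seconds a presigned URL stays usable after signing. AWS stops accepting it
  # at whichever comes first: the X-Amz-Expires deadline or the expiry of the
  # session token embedded in the URL.
  def effective_validity(signed_at, x_amz_expires_s, token_expires_at) do
    token_left_s = DateTime.diff(token_expires_at, signed_at, :second)
    max(min(x_amz_expires_s, token_left_s), 0)
  end

  # Worst case: the URL is signed just before the cache refreshes, when the
  # cached token has only about `lead_time_ms` of life left.
  def worst_case_validity(x_amz_expires_s, lead_time_ms) do
    min(x_amz_expires_s, div(lead_time_ms, 1000))
  end

  # Smallest lead time (ms) that guarantees the requested URL lifetime plus a
  # safety margin. A lead time at or above the credential lifetime would mean
  # refreshing constantly, so that case is reported as an error instead.
  def required_lead_time(x_amz_expires_s, credential_lifetime_s, margin_s \\ 300) do
    needed_s = x_amz_expires_s + margin_s

    if needed_s >= credential_lifetime_s do
      {:error, :url_outlives_credentials}
    else
      {:ok, needed_s * 1000}
    end
  end
end

# Constructed sample values: a token expiring at 06:00 UTC, a URL signed six
# minutes earlier with X-Amz-Expires=7200 (2 h), and 6 h role credentials.
token_expires_at = ~U[2024-01-01 06:00:00Z]
signed_at = ~U[2024-01-01 05:54:00Z]

PresignValidity.effective_validity(signed_at, 7200, token_expires_at)
|> IO.inspect(label: "usable seconds for a URL signed at 05:54")

PresignValidity.worst_case_validity(7200, 300_000)
|> IO.inspect(label: "worst case with the 5 min default")

PresignValidity.worst_case_validity(7200, 7_500_000)
|> IO.inspect(label: "worst case with auth_refresh_lead_time: 7_500_000")

PresignValidity.required_lead_time(7200, 21_600)
|> IO.inspect(label: "lead time needed for 2 h URLs")
```

Because the value is read with `Application.compile_env`, it is fixed when `ex_aws` is compiled, so it has to be set in compile-time config such as `config/config.exs`. A value set only in `config/runtime.exs` does not change the module attribute.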