sts: Always slash expiry time by 80% (#1533)

Currently, STS expiration time is reduced by 10 seconds, but this is not always good since an S3 call can be called near expiration time but evaluated after the expiration time - the window here is 10 seconds which can be not enough to upload some large data to an S3 server before this latter rejects it with bad (expired) credentials. This commit will slash expiration time by 80% instead by default.
minio · Aug 19, 2021 · 7877ed5 · 7877ed5
1 parent 91307c6
commit 7877ed5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/pkg/credentials/credentials.go b/pkg/credentials/credentials.go
@@ -22,8 +22,13 @@ import (
 	"time"
 )
 
-// STSVersion sts version string
-const STSVersion = "2011-06-15"
+const (
+	// STSVersion sts version string
+	STSVersion = "2011-06-15"
+
+	// How much duration to slash from the given expiration duration
+	defaultExpiryWindow = 0.8
+)
 
 // A Value is the AWS credentials value for individual credential fields.
 type Value struct {
@@ -82,10 +87,15 @@ type Expiry struct {
 // the expiration time given to ensure no requests are made with expired
 // tokens.
 func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
-	e.expiration = expiration
-	if window > 0 {
-		e.expiration = e.expiration.Add(-window)
+	if e.CurrentTime == nil {
+		e.CurrentTime = time.Now
+	}
+	cut := window
+	if cut < 0 {
+		expireIn := expiration.Sub(e.CurrentTime())
+		cut = time.Duration(float64(expireIn) * (1 - defaultExpiryWindow))
 	}
+	e.expiration = expiration.Add(-cut)
 }
 
 // IsExpired returns if the credentials are expired.

diff --git a/pkg/credentials/iam_aws.go b/pkg/credentials/iam_aws.go
@@ -38,7 +38,10 @@ import (
 // prior to the credentials actually expiring. This is beneficial
 // so race conditions with expiring credentials do not cause
 // request to fail unexpectedly due to ExpiredTokenException exceptions.
-const DefaultExpiryWindow = time.Second * 10 // 10 secs
+// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
+// When used the tokens refresh will be triggered when 80% of the elapsed
+// time until the actual expiration time is passed.
+const DefaultExpiryWindow = -1
 
 // A IAM retrieves credentials from the EC2 service, and keeps track if
 // those credentials are expired.