Пользовательский AwsCredentialsProvider постоянно обновляет учетные данные каждые 10 секунд. ⇐ JAVA

[Anonymous]

У меня есть собственный AwsCredentialsProvider, написанный на Java, который вызывает API CreateSession для ролей AWS Anywhere. Это работает отлично. В ответе REST от AWS есть срок действия ZonedDateTime, который я помещаю в AwsSessionCredentials expirationTime.
Во время выполнения я вижу свои журналы показано, что методsolveCredentials() вызывается ровно каждые 10 секунд. Однако срок действия токена сеанса истекает через час, однако AWS IAM SDK постоянно обновляется в течение этого короткого 10-секундного интервала.
Что мне нужно сделать в цепочке поставщиков учетных данных или в AwsSessionCredentials? Я пытаюсь предотвратить постоянное обновление учетных данных каждые 10 секунд?
2024-10-11T13:20:26.689-04:00 INFO 10128 --- [Data service] [essage_source-2] uration$RolesAnywhereCredentialsProvider : Refreshing RolesAnywhere credentials
2024-10-11T13:20:36.993-04:00 INFO 10128 --- [Data service] [essage_source-2] uration$RolesAnywhereCredentialsProvider : Refreshing RolesAnywhere credentials

Я пробовал взять срок действия из ответа API Roles Anywhere createSession и установить его как AwsSessionCredentials expirationTime, но это не повлияло на базовые учетные данные обработка обновления каждые 10 секунд.
Продолжительность сеанса AWS Roles Anywhere: 4 часа
Код для получения сеанса Roles Anywhere
@Override
public AwsCredentials resolveCredentials() {
log.info("Refreshing RolesAnywhere credentials");

final String METHOD = "POST";
final String SERVICE = "rolesanywhere";
final String REGION = "us-east-1";

final String RESTAPIHOST = "%s.%s.amazonaws.com".formatted(SERVICE, REGION);
final String RESTAPIPATH = "/sessions";

final String ALGORITHM = "AWS4-X509-RSA-SHA256";
final String X_AMZ_DATE_HEADER_NAME = "X-Amz-Date";
final String X_AMZ_X509_HEADER_NAME = "X-Amz-X509";

final String AUTHORIZATION_HEADER_TEMPLATE = "%s Credential=%d/%s, SignedHeaders=%s, Signature=%s";
final String CANONICAL_REQUEST_TEMPLATE = "%s\n%s\n%s\n%s\n%s\n%s";
final String CANONICAL_HEADERS_TEMPLATE = "content-type:%s\nhost:%s\n%s:%s\n%s:%s\n";
final String CREDENTIAL_SCOPE_TEMPLATE = "%s/%s/%s/aws4_request";
final String SIGNED_HEADERS = "content-type;host;%s;%s".formatted(X_AMZ_DATE_HEADER_NAME.toLowerCase(), X_AMZ_X509_HEADER_NAME.toLowerCase());
final String SIGNING_TEMPLATE = "%s\n%s\n%s\n%s";

// Get the private key and the certificate
AwsRolesAnywhereAuthResponse rolesAnywhereResponse = null;
try {
PrivateKey privateKey = RSA.getPrivatePemKey(new ClassPathResource("clientEntity.key").getInputStream());
X509Certificate x509Certificate = (X509Certificate) RSA.getCertificate(new ClassPathResource("clientEntity.pem").getInputStream());
String certificate = RSA.encode(x509Certificate.getEncoded());

// Create a datetime object for signing
ZonedDateTime now = ZonedDateTime.now();
DateTimeFormatter longDateTimeFormat = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'", Locale.US).withZone(UTC);
DateTimeFormatter shortDateTimeFormat = DateTimeFormatter.ofPattern("yyyyMMdd", Locale.US).withZone(UTC);
String dateTimeStampNow = longDateTimeFormat.format(now);
String dateStampNow = shortDateTimeFormat.format(now);

// Create the canonical request
String canonicalUri = RESTAPIPATH;
String canonicalQuerystring = "";

String canonicalHeaders = CANONICAL_HEADERS_TEMPLATE.formatted(MediaType.APPLICATION_JSON, RESTAPIHOST, X_AMZ_DATE_HEADER_NAME.toLowerCase(), dateTimeStampNow, X_AMZ_X509_HEADER_NAME.toLowerCase(), certificate);

String iamRolesAnywhereProfileName = "legolandserver";
AwsRolesAnywhereProperties awsRolesAnywhereProperties = awsIamRolesAnywhereProperties.getAwsIamRolesAnywhereMapProperties()
.rolesAnywhereProfile(iamRolesAnywhereProfileName)
.orElseThrow(() -> new RuntimeException("Unable to find rolesAnywhere profile name [%s]".formatted(iamRolesAnywhereProfileName)));

// Request parameters for CreateSession--passed in a JSON block.
AwsRolesAnywhereAuthRequest awsRolesAnywhereAuthRequest = AwsRolesAnywhereAuthRequest.builder()
.durationSeconds(awsRolesAnywhereProperties.getDurationSeconds())
.profileArn(awsRolesAnywhereProperties.getProfileArn())
.roleArn(awsRolesAnywhereProperties.getRoleArn())
.trustAnchorArn(awsRolesAnywhereProperties.getTrustAnchorArn())
.build();
String payload = objectMapper.writeValueAsString(awsRolesAnywhereAuthRequest);
String payloadHash = RSA.sha256Hex(payload);

String canonicalRequest = CANONICAL_REQUEST_TEMPLATE.formatted(METHOD, canonicalUri, canonicalQuerystring, canonicalHeaders, SIGNED_HEADERS, payloadHash);

// Create the string to sign
String credentialScope = CREDENTIAL_SCOPE_TEMPLATE.formatted(dateStampNow, REGION, SERVICE);
String hashedCanonicalRequest = RSA.sha256Hex(canonicalRequest);
String stringToSign = SIGNING_TEMPLATE.formatted(ALGORITHM, dateTimeStampNow, credentialScope, hashedCanonicalRequest);

// Sign the string
String signature = RSA.bytesToHex(RSA.sign(privateKey, stringToSign, "SHA256withRSA"));

// Add signing information to the request
String authorizationHeader = AUTHORIZATION_HEADER_TEMPLATE.formatted(ALGORITHM, x509Certificate.getSerialNumber(), credentialScope, SIGNED_HEADERS, signature);

HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
headers.add("Accept-Encoding", "gzip");
headers.add("Host", RESTAPIHOST);
headers.add("Authorization", authorizationHeader);
headers.add(X_AMZ_DATE_HEADER_NAME, dateTimeStampNow);
headers.add(X_AMZ_X509_HEADER_NAME, certificate);

HttpEntity request = new HttpEntity(payload, headers);
String url = "https://%s/sessions".formatted(RESTAPIHOST);
ResponseEntity response = awsRolesAnywhereRestTemplate.exchange(url, HttpMethod.POST, request, AwsRolesAnywhereAuthResponse.class);

rolesAnywhereResponse = response.getBody();
} catch (Exception e) {
throw new RuntimeException(e);
}

return Stream.ofNullable(rolesAnywhereResponse.getCredentialSet())
.flatMap(Collection::stream)
.findFirst()
.map(CredentialSet::getCredentials)
.map(credentials ->
new AwsSessionCredentials.Builder()
.accessKeyId(credentials.getAccessKeyId())
.expirationTime(credentials.getExpiration().toInstant())
.secretAccessKey(credentials.getSecretAccessKey())
.sessionToken(credentials.getSessionToken())
.build())
.orElseThrow(() -> new RuntimeException("No CredentialSet present in RolesAnywhere response"));
}


Подробнее здесь: https://stackoverflow.com/questions/790 ... ery-10-sec