Skip to content

Configure STS Token Expiry Buffer for STS Token

AWS STS session credentials are valid for a fixed period (default one hour). Right at that boundary, we can observe failures like a token was valid when work started but is expired before it finishes—showing up as intermittent authentication errors or broken access mid-session. An STS expiry buffer makes the dataserver assume the credential expires sooner than the timestamp AWS returns, so it refreshes the token early and leaves a safety margin. The default buffer is 60 seconds.

  1. Open the vars.dataserver.aws.yml file:

    Bash
    1
2
    cd ~/privacera/privacera-manager
vi config/custom-vars/vars.dataserver.aws.yml

  2. To configure the STS Token expiry buffer for a configured profile, include the following property in the profile properties:

    YAML
    1
    STS_EXPIRY_BUFFER_SECONDS: "<BUFFER_IN_SECONDS>"

    For example, to configure the STS Token expiry buffer to 120 seconds, include the following property in the profile properties:

    YAML
    1
2
3
4
5
6
7
8
    DATASERVER_AWS_MULTI_ACCOUNT_PROFILE_ENABLE: "true"
DATASERVER_AWS_PROFILE_NAME_DEFAULT: "aws_account1"
DATASERVER_AWS_PROFILE_NAMES: "aws_account1"
DATASERVER_AWS_PROFILE_PROPERTIES: 
- PROFILE_NAME: "aws_account1"
    PROFILE_PROPERTIES:
    - AUTHN_METHOD: "INSTANCE_IAM"
    - STS_EXPIRY_BUFFER_SECONDS: "120"

  3. Run the following command to deploy the service with updated configurations:

    Bash
    1
2
3
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

    Run the following command to run the post install steps:

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install
  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. On the screen, click the edit icon, click on Access Management -> ADVANCED tab.
  4. Add the following property with the appropriate value for <your_profile_name>:
    Properties
    1
    dataserver.aws.<your_profile_name>.sts.expiry.buffer.seconds=60
  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.