Configure STS Token Expiry Buffer for STS Token

AWS STS session credentials are valid for a fixed period (default one hour). Right at that boundary, a credential that was valid when an operation started can expire before the operation finishes, which shows up as intermittent authentication errors or access that breaks mid-session. An STS expiry buffer makes the dataserver treat the credential as expiring earlier than the timestamp AWS returns, so it refreshes the token ahead of time and keeps a safety margin. The default buffer is 60 seconds.
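The refresh decision described above, as an added example that is not Privacera's code: a small credential cache refreshes when the current time passes "AWS expiration minus buffer", a constructed `fake_sts` stands in for the STS call, and `run_job` reproduces the boundary failure (credential fetched just before expiry, still in use after it). The class and function names, the `demo` timestamps and the profile-properties dict layout (modelled on the YAML snippet below) are all assumptions for illustration; the dataserver's internals are not shown on this page.

```python
"""Added example, not Privacera's code: how an STS expiry buffer changes when
a cached session credential is refreshed, and what happens at the boundary."""
from datetime import datetime, timedelta, timezone

DEFAULT_BUFFER_SECONDS = 60   # default buffer stated on this page
STS_SESSION_SECONDS = 3600    # default STS session duration (one hour)


def buffer_from_profile(profile_properties):
    """Read STS_EXPIRY_BUFFER_SECONDS from the list-of-single-key-maps layout
    used under PROFILE_PROPERTIES (values are quoted strings in the YAML).
    Falls back to the page's 60 s default when the key is absent. A buffer at
    or beyond the session length would force a refresh on every call, so it
    is rejected here (assumed sanity check, not a documented dataserver rule)."""
    for entry in profile_properties:
        if "STS_EXPIRY_BUFFER_SECONDS" in entry:
            value = int(entry["STS_EXPIRY_BUFFER_SECONDS"])
            if value < 0 or value >= STS_SESSION_SECONDS:
                raise ValueError("buffer must be >= 0 and shorter than the session")
            return value
    return DEFAULT_BUFFER_SECONDS


class StsCredentialCache:
    """Caches one session credential and refreshes it `buffer_seconds` before
    the expiration timestamp returned by STS (hypothetical implementation)."""

    def __init__(self, fetch, buffer_seconds):
        self._fetch = fetch                      # callable(now) -> (token, expiration)
        self._buffer = timedelta(seconds=buffer_seconds)
        self._token = None
        self._expiration = None
        self.refreshes = 0

    def effective_expiry(self):
        # The buffer shifts the expiry the cache believes in, not the real one.
        return self._expiration - self._buffer

    def get(self, now):
        if self._token is None or now >= self.effective_expiry():
            self._token, self._expiration = self._fetch(now)
            self.refreshes += 1
        return self._token, self._expiration


def fake_sts(now):
    """Constructed stand-in for the STS call: a token valid for one session."""
    return f"token-{now.isoformat()}", now + timedelta(seconds=STS_SESSION_SECONDS)


def run_job(cache, start, duration_seconds):
    """Fetch a credential at job start and check whether it is still valid
    when the job finishes. Returns True if the credential held throughout."""
    _, expiration = cache.get(start)
    finish = start + timedelta(seconds=duration_seconds)
    return finish < expiration


def demo(buffer_seconds, start_offset_seconds, job_seconds):
    """Issue a credential at t0, then start a job `start_offset_seconds` later.
    Returns (job_succeeded, number_of_sts_calls)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    cache = StsCredentialCache(fake_sts, buffer_seconds)
    cache.get(t0)                                            # first credential
    start = t0 + timedelta(seconds=start_offset_seconds)
    return run_job(cache, start, job_seconds), cache.refreshes


if __name__ == "__main__":
    # 30 s job starting 10 s before the AWS expiry timestamp
    print("no buffer:   ", demo(0, 3590, 30))     # credential dies mid-job
    print("60 s buffer: ", demo(60, 3590, 30))    # refreshed early, job completes
    print("120 s buffer:", demo(120, 3590, 30))
    # A job longer than the buffer can still outrun the credential
    print("60 s buffer, 90 s job: ", demo(60, 3530, 90))
    print("120 s buffer, 90 s job:", demo(120, 3530, 90))
```

The last two calls show the sizing rule the buffer implies: an operation that starts just before the effective expiry and runs longer than the buffer still straddles the real expiration, so the buffer should exceed the longest single operation the dataserver performs with one credential.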

  1. Open the vars.dataserver.aws.yml file:

    Bash
    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.dataserver.aws.yml
    

  2. To configure the STS Token expiry buffer for a configured profile, include the following property in the profile properties:

    YAML
    STS_EXPIRY_BUFFER_SECONDS: "<BUFFER_IN_SECONDS>"
    

    For example, to configure the STS Token expiry buffer to 120 seconds, include the following property in the profile properties:

    YAML
    DATASERVER_AWS_MULTI_ACCOUNT_PROFILE_ENABLE: "true"
    DATASERVER_AWS_PROFILE_NAME_DEFAULT: "aws_account1"
    DATASERVER_AWS_PROFILE_NAMES: "aws_account1"
    DATASERVER_AWS_PROFILE_PROPERTIES:
      - PROFILE_NAME: "aws_account1"
        PROFILE_PROPERTIES:
          - AUTHN_METHOD: "INSTANCE_IAM"
          - STS_EXPIRY_BUFFER_SECONDS: "120"
    

  3. Run the following command to deploy the service with updated configurations:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade
    

    Run the following command to run the post install steps:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install