Make it possible to override credentialsTreatedAsExpired in credential-provider-node

[thomaschaaf]

Describe the feature

Be able to override expiration time validation.

Use Case

We are using AWS Transcribe. It uses a presigned url to receive data via a websocket. Once the session runs out we are unable to receive data anymore. We are unable to update the session without creating a new websocket connection - during handover we loose data or have to deal with duplicate data. Right now the session can get as short as 5 minutes. We use AWS Transcribe to transcribe calls our calls are usually shorter than one hour. We'd like to change the code so that the session is automatically refreshed if it's valid for less than an hour. Right now we are recreating the provider for every incoming call so we are sure to not loose data - this is causing the session to be created every time and no memoization is being done - which causes unneeded calls to the sts service.

Proposed Solution

Make it possible to override the credentialsWillNeedRefresh. Alternatively provide the chain so that we can create our own memoized version of it. I do not want to have to maintain the chain myself.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

SDK version used

3.744.0

Environment details (OS name and version, etc.)

alpine linux 3.21

[zshzbh]

Hey @thomaschaaf ,

I appreciate your feedback. After consulting with our service team, I've received guidance on the most effective ways to utilize this service.

Ideally you would push Transcibe responses to something like a Kinesis Data Stream and have that to push to downstream

https://github.com/aws-samples/amazon-transcribe-live-meeting-assistant/tree/main?tab=readme-ov-file#processing-flow-overview
Please check out the call processing micro service.

Please let me know if you still it's necessary for this feature request after checking the micro service usage.

[thomaschaaf]

@zshzbh I don't understand how this is connected to the session expiring...

The problem is that the presigned url of the transcription dies because the underlying session has run out because the credentials are memoized. So at some point the presigned url will only be valid for 5 minutes (even if I change the session duration to 12 hours).

[zshzbh]

Hey,

To better help you with this issue, could you please provide a minimal code reproduction?

Usually -

• For Temporary Security Credentials (STS):

  • Default maximum duration: 12 hours for IAM users

• For AWS IAM Role credentials:

  • Default duration: 1 hour

  • These credentials are automatically refreshed by the SDK before they expire

• For Amazon Cognito:

  • Access tokens: Default is 1 hour

• For AssumeRole operations:

  • Default duration: 1 hour

Please provide the minimal code reproduction so that we can dive deep and understand what credential provider you use and how you call it& use it along with the service call

Thanks!