2 files changed, 115 insertions, 7 deletions

diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
index fc9c03a824a..6de8b5c0142 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
@@ -14,45 +14,87 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 public class VespaAwsCredentialsProvider implements AWSCredentialsProvider {
 
+    private static final Logger logger = Logger.getLogger(VespaAwsCredentialsProvider.class.getName());
     private static final String DEFAULT_CREDENTIALS_PATH = "/opt/vespa/var/vespa/aws/credentials.json";
-
-    private final AtomicReference<AWSCredentials> credentials = new AtomicReference<>();
+    private static final Duration REFRESH_INTERVAL = Duration.ofMinutes(30);
+    private final AtomicReference<Credentials> credentials = new AtomicReference<>();
     private final Path credentialsPath;
-
+    private final Clock clock;
 
     public VespaAwsCredentialsProvider() {
-        this.credentialsPath = Path.of(DEFAULT_CREDENTIALS_PATH);
+        this(Path.of(DEFAULT_CREDENTIALS_PATH), Clock.systemUTC());
+    }
+
+    VespaAwsCredentialsProvider(Path credentialsPath, Clock clock) {
+        this.credentialsPath = credentialsPath;
+        this.clock = clock;
         refresh();
     }
 
     @Override
     public AWSCredentials getCredentials() {
-        return credentials.get();
+        Credentials sessionCredentials = credentials.get();
+        if (Duration.between(clock.instant(), sessionCredentials.expiry).abs().compareTo(REFRESH_INTERVAL)<0) {
+            refresh();
+            sessionCredentials = credentials.get();
+        }
+        return sessionCredentials;
     }
 
     @Override
     public void refresh() {
         try {
+            logger.log(Level.FINE, "Refreshing credentials from disk");
             credentials.set(readCredentials());
         } catch (Exception e) {
             throw new RuntimeException("Unable to get credentials. Please ensure cluster is configured as exclusive. See: https://cloud.vespa.ai/en/reference/services#nodes");
         }
     }
 
-    private AWSSessionCredentials readCredentials() {
+    private Credentials readCredentials() {
         try {
             Slime slime = SlimeUtils.jsonToSlime(Files.readAllBytes(credentialsPath));
             Cursor cursor = slime.get();
             String accessKey = cursor.field("awsAccessKey").asString();
             String secretKey = cursor.field("awsSecretKey").asString();
             String sessionToken = cursor.field("sessionToken").asString();
-            return new BasicSessionCredentials(accessKey, secretKey, sessionToken);
+            Instant defaultExpiry = Instant.now().plus(Duration.ofHours(1));
+            Instant expiry;
+            try {
+                expiry = SlimeUtils.optionalString(cursor.field("expiry")).map(Instant::parse).orElse(defaultExpiry);
+            } catch (Exception e) {
+                expiry = defaultExpiry;
+                logger.warning("Unable to read expiry from credentials");
+            }
+            return new Credentials(accessKey, secretKey, sessionToken, expiry);
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
+
+    record Credentials (String awsAccessKey, String awsSecretKey, String sessionToken, Instant expiry) implements AWSSessionCredentials {
+        @Override
+        public String getSessionToken() {
+            return sessionToken;
+        }
+
+        @Override
+        public String getAWSAccessKeyId() {
+            return awsAccessKey;
+        }
+
+        @Override
+        public String getAWSSecretKey() {
+            return awsSecretKey;
+        }
+    }
 }
diff --git a/jdisc-cloud-aws/src/test/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProviderTest.java b/jdisc-cloud-aws/src/test/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProviderTest.java
new file mode 100644
index 00000000000..63cfd2f1eeb
--- /dev/null
+++ b/jdisc-cloud-aws/src/test/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProviderTest.java
@@ -0,0 +1,66 @@
+package com.yahoo.jdisc.cloud.aws;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.yahoo.test.ManualClock;
+import com.yahoo.vespa.test.file.TestFileSystem;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.time.Duration;
+import java.time.Instant;
+
+
+public class VespaAwsCredentialsProviderTest {
+    Path credentialsPath = TestFileSystem.create().getPath("/credentials.json");
+    ManualClock clock = new ManualClock(Instant.now());
+
+    @Test
+    void refreshes_credentials() throws IOException {
+        Instant originalExpiry = clock.instant().plus(Duration.ofHours(12));
+        writeCredentials(credentialsPath, originalExpiry);
+        VespaAwsCredentialsProvider credentialsProvider = new VespaAwsCredentialsProvider(credentialsPath, clock);
+        AWSCredentials credentials = credentialsProvider.getCredentials();
+        assertExpiryEquals(originalExpiry, credentials);
+
+        Instant updatedExpiry = clock.instant().plus(Duration.ofHours(24));
+        writeCredentials(credentialsPath, updatedExpiry);
+        // File updated, but old credentials still valid
+        credentials = credentialsProvider.getCredentials();
+        assertExpiryEquals(originalExpiry, credentials);
+
+        // Credentials refreshes when it is < 30 minutes left until expiry
+        clock.advance(Duration.ofHours(11).plus(Duration.ofMinutes(31)));
+        credentials = credentialsProvider.getCredentials();
+        assertExpiryEquals(updatedExpiry, credentials);
+    }
+
+    @Test
+    void deserializes_credentials() throws IOException {
+        Instant originalExpiry = clock.instant().plus(Duration.ofHours(12));
+        writeCredentials(credentialsPath, originalExpiry);
+        VespaAwsCredentialsProvider credentialsProvider = new VespaAwsCredentialsProvider(credentialsPath, clock);
+        AWSCredentials credentials = credentialsProvider.getCredentials();
+        assertExpiryEquals(originalExpiry, credentials);
+        Assertions.assertEquals("awsAccessKey", credentials.getAWSAccessKeyId());
+        Assertions.assertEquals("awsSecretKey", credentials.getAWSSecretKey());
+        Assertions.assertEquals("sessionToken", ((VespaAwsCredentialsProvider.Credentials)credentials).getSessionToken());
+    }
+
+    private void writeCredentials(Path path, Instant expiry) throws IOException {
+        String content = """
+                {
+                   "awsAccessKey": "awsAccessKey",
+                   "awsSecretKey": "awsSecretKey",
+                   "sessionToken": "sessionToken",
+                   "expiry": "%s"
+                 }""".formatted(expiry.toString());
+        Files.writeString(path, content);
+    }
+
+    private void assertExpiryEquals(Instant expiry, AWSCredentials credentials) {
+        Assertions.assertEquals(expiry, ((VespaAwsCredentialsProvider.Credentials)credentials).expiry());
+    }
+}