AWS error making upstream request: received error code 403 from STS: The security token included in the request is expired #735

@sebastianreloaded

Hello,
I use Vault v1.17.5 and org.springframework.cloud:spring-cloud-vault-dependencies:4.0.1 with org.springframework.vault:spring-vault-core:3.1.2.

When using kv_v1 secrets I get an error after 6 hours and I don't know why.
Until the 6 hour mark the kv-secrets are refreshed regularly and auth/token/renew-self
and auth/aws-iam/login are called successfully every 1 hour.

But after 6 hours I get "error making upstream request: received error code 403 from STS: The security token included in the request is expired":

{
    "auth": {
        "policy_results": {
            "allowed": true
        },
        "token_type": "default"
    },
    "request": {
        "data": {
            "iam_http_request_method": "POST",
            "iam_request_body": "QWNwNi0xNQ==",
            "iam_request_headers": "eyJBdJdfQ==",
            "iam_request_url": "aHR0vbS8=",
            "role": "studiomiddleware-api-dev"
        },
        "id": "1bf4dec9-203d-64b7-faa7-72abdcd5316f",
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_version": "v1.17.5+builtin.vault",
        "mount_type": "aws",
        "namespace": {
            "id": "root"
        },
        "operation": "update",
        "path": "auth/aws-iam/login",
        "remote_address": "10.61.72.126",
        "remote_port": 57848
    },
    "response": {
        "data": {
            "error": "error making upstream request: received error code 403 from STS: <ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>ExpiredToken</Code>\n    <Message>The security token included in the request is expired</Message>\n  </Error>\n  <RequestId>52673536-1adc-4942-b253-7e09ed4d24aa</RequestId>\n</ErrorResponse>\n"
        },
        "mount_accessor": "auth_aws_ec607cf2",
        "mount_class": "auth",
        "mount_point": "auth/aws-iam/",
        "mount_running_plugin_version": "v1.17.5+builtin.vault",
        "mount_type": "aws"
    },
    "time": "2024-09-20T17:47:55.325205678Z",
    "type": "response"
}

This doesn't correspond to the TTL of the "aws-iam" auth backend, which is set to 3 hours, and also not to the role's STS maximum TTL of 1 hour.

I don’t understand where this 6 hour expiration comes from.
Anybody have an idea?

Spring Boot config:

# General
spring:
  cloud:
    vault:
      enabled: true
      host: vault.dev.local
      port: 8200
      scheme: https
      authentication: AWS_IAM
      aws-iam:
        role: studiomiddleware-api-dev
        aws-path: aws-iam
      kv:
        enabled: true
      session:
        lifecycle:
          enabled: true
          refresh-before-expiry: 2m
          expiry-threshold: 4m
      config:
        lifecycle:
          enabled: true
          min-renewal: 30s # does not refresh more frequently than this
          expiry-threshold: 2m # attempts to renew the secrets this much time before they expire
  config:
    import: vault://secret/studiomiddleware-api/dev
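One way to narrow this down from the audit log itself, as an added example that is not part of the issue or of Spring Vault: each auth/aws-iam/login entry carries the signed sts:GetCallerIdentity request, so decoding `iam_request_headers` across the hourly logins shows whether the SigV4 timestamp is fresh and whether the same `X-Amz-Security-Token` is being reused from one login to the next. The sample entries, the token values and the header layout below are constructed assumptions, not data from the issue.

```python
import base64
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample entries (not from the issue) in the shape of the
# auth/aws-iam/login audit entry quoted above. The base64 fields carry the
# signed sts:GetCallerIdentity request that the client sends to Vault.
def _b64(obj):
    raw = obj if isinstance(obj, str) else json.dumps(obj)
    return base64.b64encode(raw.encode()).decode()

def _entry(time, amz_date, token, error=None):
    return {"type": "response", "time": time,
            "request": {"path": "auth/aws-iam/login", "data": {
                "iam_request_body": _b64("Action=GetCallerIdentity&Version=2011-06-15"),
                "iam_request_headers": _b64({"X-Amz-Date": [amz_date],
                                             "X-Amz-Security-Token": [token]})}},
            "response": {"data": {"error": error} if error else {}}}

STS_ERR = ("error making upstream request: received error code 403 from STS: "
           "<ErrorResponse><Error><Code>ExpiredToken</Code></Error></ErrorResponse>")
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-09-20T11:48:00Z", "20240920T114755Z", "CONSTRUCTED-TOKEN-A"),
    _entry("2024-09-20T12:48:00Z", "20240920T124755Z", "CONSTRUCTED-TOKEN-A"),
    _entry("2024-09-20T17:48:00Z", "20240920T174755Z", "CONSTRUCTED-TOKEN-A", STS_ERR),
])

def _utc(s, fmt):
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def analyze_logins(log_text):
    """One record per aws-iam login: log time, age of the SigV4 signing
    timestamp, a fingerprint of the session token, and the STS error code."""
    out = []
    for line in log_text.splitlines():
        e = json.loads(line)
        if e.get("type") != "response" or e["request"]["path"] != "auth/aws-iam/login":
            continue
        hdrs = json.loads(base64.b64decode(e["request"]["data"]["iam_request_headers"]))
        token = hdrs.get("X-Amz-Security-Token", [""])[0]
        logged = _utc(e["time"][:19], "%Y-%m-%dT%H:%M:%S")  # drop fractional seconds
        signed = _utc(hdrs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        err = (e["response"].get("data") or {}).get("error", "")
        m = re.search(r"<Code>([A-Za-z]+)</Code>", err)
        out.append({"time": e["time"], "signing_age_s": (logged - signed).total_seconds(),
                    "token_fp": hashlib.sha256(token.encode()).hexdigest()[:12],
                    "sts_error": m.group(1) if m else None})
    return out

def token_unchanged_across(records):
    """True when every login reused one session token: the AWS credentials
    behind the signature were never refreshed, whatever Vault's TTLs say."""
    return len({r["token_fp"] for r in records}) == 1
```

A fresh signing timestamp together with an unchanged token fingerprint right up to the ExpiredToken entry points at the AWS credentials provider on the client side rather than at the aws-iam mount TTL or the Vault token lifecycle.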
