IICS Amazon S3 Connection – Temporary Credentials Duration

Spread the love

1. Introduction

While working with Amazon S3 v2 Connector in IICS, there are chances that you might have faced ExpiredToken error as shown below for long running jobs.

The provided token has expired. Service: Amazon S3; Status Code: 400; Error Code: ExpiredToken;

Let us understand the reason for the error and how it can be fixed.

2. Temporary Security Credentials in AWS

If you have configured the S3 connection in IICS using Basic Authentication Method configuring the Access Key and Secret Key directly in the connection, you will not face this error as these keys never expire.

But if your secure agent runs on an EC2 instance, it is recommended to configure the S3 connection using the IAM Authentication Method or via AssumeRole. In both cases we need not configure any permanent keys in the connection and temporary access is provided to S3 through roles using temporary security credentials.

These temporary security credentials include an access key ID and a secret access key, but they also include a security token that expires after a certain time duration. After it expires, the credentials are no longer valid.

So, if you have a long running Informatica Job which tries to access the S3 bucket after the defined “session duration” of the security token, the job fails with the error mentioned in the beginning of the article.

3. Default Session Duration in AWS vs IICS

The default session duration of the temporary credentials in AWS is 1hour whereas the default temporary credentials duration in Informatica is 900 seconds (15 minutes). Note that the temporary credentials duration in Informatica should be mentioned in seconds.

Even if you have defined the required session duration time in AWS, it is also important to modify the value in Informatica transformations to the required value.

The default session duration time in AWS can be modified. The minimum session duration required is 15 minutes and the maximum session duration allowed is 12 hours.

4. How to update Session Duration of a Role from AWS Management Console?

Follow the steps below to update Session Duration of a Role from AWS Management Console

1. Go to IAM > Roles and click on the role for which you want to update the Session Duration.

Image showing the Maximum session duration of a role
Image showing the Maximum session duration of a role

2. Click on the Edit button present against the Summary section.

3. From the drop-down menu select the Maximum session duration.

You will find options to update the session duration to 1, 2, 4, 8 and 12 hours directly from the drop-down menu.

Set Maximum Session Duration of a Role
Set Maximum Session Duration of a Role

4. You can also set a Custom duration between 3,600-43,200 seconds (1-12 hours).

5. Once the Maximum session duration is set, click on Save changes.

5. How to update Session Duration of a Role from AWS CLI?

To update the Session Duration of a Role from AWS CLI, execute below command in the AWS CLI.

aws iam update-role --role-name <role-name> --max-session-duration <duration in seconds>

Example:

The below AWS CLI command increases the session duration of the role Infarole to 4 hours.

aws iam update-role --role-name InfaRole --max-session-duration 7200

6. How to set Temporary Credentials Duration in IICS S3 Sources and Targets?

By default, the temporary credentials duration in IICS for S3 Sources and Targets is 15 minutes (900 Seconds). If you require more than 15 minutes, you need to first set the session duration of the role as explained in earlier sections and then enter the same time duration in the transformation property.

Follow the steps below to set the temporary credentials duration in IICS for S3 Sources and Targets

1. Go to the Source/Target transformation configured with Amazon S3 v2 connection.

2. Go to the Advanced properties section of the transformation.

3. Go to Temporary Credentials Duration property in the advanced section and enter the time duration in seconds.

IICS S3 Source Transformation Advanced properties
IICS S3 Source Transformation Advanced properties

7. Conclusion

If you have faced the ExpiredToken error while working with S3 connections in Informatica, remember that by default you can increase the Temporary Credentials Duration value to 3600 (1hour) under the advanced section of the transformations (Assuming that your AWS administrator created the role with default session duration).

If your job is expected to run more than an hour, request your AWS administrator to increase the session duration of the role configured in IICS connection to a higher required value and then update the temporary credentials duration value in transformations accordingly.

Subscribe to our Newsletter !!

Related Articles:

  • IICS Amazon S3 v2 Connector – Basic Authentication

    Learn how to create Amazon S3 v2 Connection in Informatica Cloud with Basic Authentication method using Access Keys.

    READ MORE

  • IICS Amazon S3 v2 Connector – IAM Authentication

    Learn how to create Amazon S3 v2 Connection in Informatica Cloud with IAM Authentication method using IAM Roles.

    READ MORE

  • IICS Amazon S3 v2 Connector – Authenticate via AssumeRole

    Learn how to create Amazon S3 v2 Connection in Informatica Cloud using Temporary security credentials via AssumeRole

    READ MORE

2 thoughts on “IICS Amazon S3 Connection – Temporary Credentials Duration”

  1. getting this error ,the test connection for TEST-AWS-S3 failed. Failed to fetch Temporary Credentials on EC2 using EC2 Role AssumeRole, with error: The security token included in the request is expired (Service: AWSSecurityTokenService; Status Code: 403; Error Code: ExpiredToken; Request ID: 0c00ecd1-796b-4947-88aa-e5bd721252c8; Proxy: )

    Reply

Leave a Comment

Related Posts