Refresh IAM Role When Using Assume Role + S3 Presign

I have set up the AWS config for an IAM role using GitHub - ex-aws/ex_aws_sts and am pre-signing S3 URLs with an expiration time of 7 days.

The pre-signed URLs are expiring way before the expiration time set for them. I get a tokenExpired error, which means that the IAM role credentials are expiring and URLs are being pre-signed with an expired token.

How can I manage refreshing these credentials? I was not able to find an example using the Elixir SDK for AWS.

You need to make a fountain that releases and replenishes fresh tokens on demand.

Example GitHub - duomark/epocxy: Erlang Patterns of Concurrency

You need to have a pool of one-shot processes that expire, and you need to dynamically populate them / expire them based on load.

Alternatively, if you can eat the latency, then only make them when you need them.

Also note that once you have created STS credentials they will expire; if this is not appropriate, then change your design.

For S3 link signing purposes, for displaying images in a browser, it is not necessary to sign the URL with STS tokens.

I speculate you will find it useful to use the browser cache in the normal way, e.g. GET /images/1 → GET signed S3 link (HTTP 302 redirect) with 24h cache expiry.
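
The on-demand refresh suggested above, as an added example that is not part of the original thread or of ex_aws: a small GenServer (hypothetical `CredentialCache`) re-fetches temporary credentials when they are close to expiry, and `effective_ttl/3` shows that a presigned URL is usable only for the smaller of the requested expiry and the credentials' remaining lifetime. `fetch_fun` is an assumed stand-in for the AssumeRole call, and the credentials in the demo are constructed.

```elixir
defmodule CredentialCache do
  use GenServer

  # fetch_fun (assumption): zero-arity function that performs the AssumeRole
  # call and returns a map with the key material and an :expires_at DateTime.
  def start_link(fetch_fun),
    do: GenServer.start_link(__MODULE__, fetch_fun, name: __MODULE__)

  # Returns credentials valid for at least `min_remaining` more seconds.
  def get(min_remaining \\ 300), do: GenServer.call(__MODULE__, {:get, min_remaining})

  # A URL signed with temporary credentials stops working when they expire,
  # so its usable lifetime is the smaller of the two values.
  def effective_ttl(requested_seconds, creds, now \\ DateTime.utc_now()) do
    remaining = DateTime.diff(creds.expires_at, now)
    max(min(requested_seconds, remaining), 0)
  end

  @impl true
  def init(fetch_fun), do: {:ok, %{fetch: fetch_fun, creds: nil}}

  @impl true
  def handle_call({:get, min_remaining}, _from, state) do
    # Reuse cached credentials while fresh; otherwise fetch a new set.
    creds = if fresh?(state.creds, min_remaining), do: state.creds, else: state.fetch.()
    {:reply, creds, %{state | creds: creds}}
  end

  defp fresh?(nil, _min_remaining), do: false

  defp fresh?(creds, min_remaining),
    do: DateTime.diff(creds.expires_at, DateTime.utc_now()) > min_remaining
end

# Constructed demo: a stand-in fetcher that issues 1-hour credentials.
fetch = fn ->
  %{
    access_key_id: "ASIAEXAMPLE",
    secret_access_key: "example-secret",
    session_token: "example-token",
    expires_at: DateTime.add(DateTime.utc_now(), 3600, :second)
  }
end

{:ok, _pid} = CredentialCache.start_link(fetch)
creds = CredentialCache.get(300)
# Requesting 7 days is capped by the credentials' remaining lifetime.
IO.inspect(CredentialCache.effective_ttl(7 * 24 * 3600, creds), label: "usable seconds")
```

Pass the result of `effective_ttl/3` as the expiry when presigning, so the advertised lifetime of a link never exceeds what the signing credentials can honour.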