Skip to content

Add configurable token expiry to DSQL#4352

Open
amaksimo wants to merge 3 commits intoaws:developmentfrom
amaksimo:dsql-configurable-token-expiry
Open

Add configurable token expiry to DSQL#4352
amaksimo wants to merge 3 commits intoaws:developmentfrom
amaksimo:dsql-configurable-token-expiry

Conversation

@amaksimo
Copy link

@amaksimo amaksimo commented Mar 12, 2026

Summary

  • Add optional TimeSpan expiresIn parameter to DSQL auth token generation methods
  • Other AWS SDKs (Go, Java, Ruby) already allow configuring the token expiry duration; this brings parity to .NET
  • Default remains 15 minutes for backwards compatibility
  • Validates that expiresIn is between 0 (exclusive) and 7 days (inclusive)

Test plan

  • Added unit tests for custom expiry (450s) on both DbConnect and DbConnectAdmin (sync + async)
  • Added unit tests for validation: zero, negative, and >7 day values
  • Existing tests pass unchanged (backwards compatible)
  • Source and test projects build with 0 warnings, 0 errors

@amaksimo
Add configurable token expiry to DSQL
b656ead 
Other AWS SDKs (Go, Java, Ruby) allow configuring
the auth token expiry duration up to 7 days. Add
the same capability to the .NET SDK with a default
of 15 minutes for backwards compatibility.
@amaksimo amaksimo marked this pull request as ready for review March 12, 2026 21:08
@dscpinheiro dscpinheiro changed the base branch from main to development March 12, 2026 21:13
@dscpinheiro dscpinheiro requested a review from Copilot March 16, 2026 00:27
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds configurable expiry support to DSQL IAM auth token generation to align with other AWS SDKs, while keeping the existing 15-minute default for backward compatibility.

Changes:

  • Added new DSQL auth token generator overloads that accept an expiresIn TimeSpan and validate the allowed range.
  • Updated token generation to emit X-Amz-Expires based on the requested expiry.
  • Expanded unit tests to cover custom expiry and basic validation scenarios.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File Description
sdk/src/Services/DSQL/Custom/Util/DSQLAuthTokenGenerator.cs Adds expiresIn overloads, enforces range checks, and uses the provided expiry when building the presigned token.
sdk/test/Services/DSQL/UnitTests/Custom/DSQLAuthTokenGeneratorTest.cs Adds tests for custom expiry and invalid expiry inputs; updates assertions to parameterize expected X-Amz-Expires.

amaksimo added 2 commits March 16, 2026 11:08
@amaksimo
Address PR review feedback
faab74b 
Cast expiresIn to int before serializing to X-Amz-Expires
to ensure whole-second values. Remove unnecessary
#if ASYNC_AWAIT guards from new test methods. Add DevConfig
file for changelog generation.
@amaksimo
Add expiresIn to all convenience overloads
3c032cb 
Add TimeSpan expiresIn parameter to all convenience
overloads (hostname-only, region+hostname, credentials
+hostname) for both sync and async, DbConnect and
DbConnectAdmin. Each delegates to the full overload.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dscpinheiro dscpinheiro dscpinheiro left review comments

Copilot code review Copilot Copilot left review comments

@muhammad-othman muhammad-othman Awaiting requested review from muhammad-othman

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@amaksimo @dscpinheiro