projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
21720: added canwrite & canmanage to user.test
[arvados.git] / services / keepstore / s3_volume.go
diff --git a/services/keepstore/s3_volume.go b/services/keepstore/s3_volume.go
index d4b90540eac4aeb1e78f9ba0cb8ef4b0f7a2541a..2e2e97a974efa2ddbb7b5e60f67160da85181980 100644 (file)
--- a/services/keepstore/s3_volume.go
+++ b/services/keepstore/s3_volume.go
@@ -42,8 +42,8 @@ const (
        s3DefaultConnectTimeout     = arvados.Duration(time.Minute)
        maxClockSkew                = 600 * time.Second
        nearlyRFC1123               = "Mon, 2 Jan 2006 15:04:05 GMT"
-       s3downloaderPartSize        = 5 * 1024 * 1024
-       s3downloaderReadConcurrency = 13
+       s3downloaderPartSize        = 6 * 1024 * 1024
+       s3downloaderReadConcurrency = 11
        s3uploaderPartSize          = 5 * 1024 * 1024
        s3uploaderWriteConcurrency  = 5
 )
@@ -217,7 +217,23 @@ func (v *s3Volume) check(ec2metadataHostname string) error {
        creds := aws.NewChainProvider(
                []aws.CredentialsProvider{
                        aws.NewStaticCredentialsProvider(v.AccessKeyID, v.SecretAccessKey, v.AuthToken),
-                       ec2rolecreds.New(ec2metadata.New(cfg)),
+                       ec2rolecreds.New(ec2metadata.New(cfg), func(opts *ec2rolecreds.ProviderOptions) {
+                               // (from aws-sdk-go-v2 comments)
+                               // "allow the credentials to trigger
+                               // refreshing prior to the credentials
+                               // actually expiring. This is
+                               // beneficial so race conditions with
+                               // expiring credentials do not cause
+                               // request to fail unexpectedly due to
+                               // ExpiredTokenException exceptions."
+                               //
+                               // (from
+                               // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
+                               // "We make new credentials available
+                               // at least five minutes before the
+                               // expiration of the old credentials."
+                               opts.ExpiryWindow = 5 * time.Minute
+                       }),
                })
 
        cfg.Credentials = creds