Support duration_seconds on the web identity token provider #3411

@pawalt

Description

Describe the feature

Right now, there's no way to provide DurationSeconds as an extra kwarg on the AssumeRoleWithWebIdentityCredentialFetcher. We'd like to be able to populate this from the profile config.

Use Case

We need our provider to have a longer lifetime so we can mint pre-signed URLs which won't expire after 1 hour, the default STS timeout.

Proposed Solution

Add a populate for duration_seconds here, the same way that already exists for the assume role provider.

    extra_args = {}
    role_session_name = self._get_config('role_session_name')
    if role_session_name is not None:
        extra_args['RoleSessionName'] = role_session_name
    fetcher = AssumeRoleWithWebIdentityCredentialFetcher(
        client_creator=self._client_creator,
        web_identity_token_loader=token_loader,
        role_arn=role_arn,
        extra_args=extra_args,
        cache=self.cache,
    )

Other Information

If this is a desired change, we'd be happy to put up the PR ourselves!

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

latest

Environment details (OS name and version, etc.)

EKS
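
A sketch of the requested behaviour, added here as an example and not taken from botocore or from the issue author: a profile's `duration_seconds` is mapped to the `DurationSeconds` argument alongside `RoleSessionName`, and rejected early when it is not an integer in the range STS accepts. `build_web_identity_extra_args` and `load_profile` are hypothetical helpers, the profile is constructed, and the role's own maximum session duration still caps what STS will grant.

```python
import configparser

# Constructed sample profile; the role ARN and token path are placeholders.
SAMPLE_CONFIG = """
[profile presign]
role_arn = arn:aws:iam::123456789012:role/example-presign
web_identity_token_file = /var/run/secrets/example/token
role_session_name = presign-worker
duration_seconds = 14400
"""

STS_MIN_DURATION = 900    # lowest DurationSeconds STS accepts (15 minutes)
STS_MAX_DURATION = 43200  # 12 hours, the highest maximum session duration a role can have


def load_profile(text, name):
    """Parse an AWS-style config string and return one profile as a dict."""
    parser = configparser.ConfigParser(delimiters=('=',), interpolation=None)
    parser.read_string(text)
    return dict(parser[f'profile {name}'])


def build_web_identity_extra_args(profile):
    """Hypothetical helper: map profile keys to AssumeRoleWithWebIdentity kwargs."""
    extra_args = {}
    role_session_name = profile.get('role_session_name')
    if role_session_name is not None:
        extra_args['RoleSessionName'] = role_session_name

    raw = profile.get('duration_seconds')
    if raw is not None:
        try:
            duration = int(raw)
        except ValueError:
            raise ValueError(
                f'duration_seconds must be an integer, got {raw!r}'
            ) from None
        # Fail at config load time instead of on the first STS call.
        if not STS_MIN_DURATION <= duration <= STS_MAX_DURATION:
            raise ValueError(
                f'duration_seconds {duration} is outside '
                f'{STS_MIN_DURATION}..{STS_MAX_DURATION}'
            )
        extra_args['DurationSeconds'] = duration
    return extra_args


if __name__ == '__main__':
    print(build_web_identity_extra_args(load_profile(SAMPLE_CONFIG, 'presign')))
```

A pre-signed URL stops working when the credentials that signed it expire, so the session duration granted here is the effective upper bound on URL lifetime.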

Labels: feature-request, p3, sts