[Catalog] S3CredentialsResolver: remove one second from session end (#…

…8703)

catalog/files/impl/src/main/java/org/projectnessie/catalog/files/s3/S3CredentialsResolver.java

@@ -43,7 +43,9 @@ public S3Credentials resolveSessionCredentials(S3BucketOptions bucketOptions) {
       Instant now = clock.instant();
       // Note: expiry instance accuracy in STS is seconds.
       Duration requiredDuration = bucketOptions.minSessionCredentialValidityPeriod();
-      Instant sessionEnd = now.plus(requiredDuration).truncatedTo(ChronoUnit.SECONDS);
+      // Remove one second from the session end to account for the truncation to seconds.
+      Instant sessionEnd =
+          now.plus(requiredDuration).truncatedTo(ChronoUnit.SECONDS).minus(1, ChronoUnit.SECONDS);
       checkArgument(
           !sessionEnd.isAfter(expirationInstant.get()),
           "Provided credentials expire (%s) before the expected session end (now: %s, duration: %s)",