Configure renewal threshold for leased secrets

[smlgbl]

We're using vault-agent as a sidecar to get credentials for an approle on AWS with a template for /.aws/credentials like this:

[default]
{{- with secret "aws/logging/sts/vector" }}
aws_access_key_id = {{ .Data.access_key }}
aws_secret_access_key = {{ .Data.secret_key }}
aws_session_token = {{ .Data.security_token }}
{{- end }}

It works :)
The problem is with the update interval: the default ttl for this secret from vault is 60m, so vault-agent updates the template after about 53 minutes (which is neither 2/3 nor 85%? - see here). The app "consuming" the credentials file checks for new credentials every 15 minutes. Now because these intervals overlap, there's a regular timeframe where the app will get credentials valid for less than 15 minutes (remaining), so the credentials will expire before the next check. I can get the app to check every 5 minutes (minimum, it seems), which makes the window smaller, but it's still there. Also changing the TTL on the leased secret only moves the expired-creds window around, but never eliminates it.

Describe the solution you'd like
If I could tell vault-agent e.g. in the template, when it should renew the leased secret, in my scenario after 44 minutes, the consuming app would always get credentials that are still valid until the next check (>15m). In my scenario, if the leased secret where to be updated after 2/3 of the TTL, so 40m, it would solve my specific problem, but having it completely configurable would probably be better.
Something like:
{{- with secret "aws/logging/sts/vector" "renew-after:40m" }}
or
{{- with secret "aws/logging/sts/vector" "renew-after-percent-of-ttl:60" }}

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Requesting a specific ttl for the lease only moves the window around.

Explain any additional use-cases
If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.

Additional context
Add any other context or screenshots about the feature request here.

[smlgbl]

I found something else that might be relevant, but doesn't seem to be adhered to. Here it speaks of lease_renewal_threshold = 0.90, so 90% of the lease time, but the log entries don't give me values matching that. At least it varies a great deal - see the following log entries:

2022-05-09T07:58:04.867Z [INFO] (runner) rendered "/etc/vault/aws_credentials.tpl" => "/.aws/credentials"
2022-05-09T08:03:16.075Z [INFO]  auth.handler: renewed auth token
2022-05-09T08:46:54.063Z [INFO]  auth.handler: renewed auth token
2022-05-09T09:30:32.044Z [INFO]  auth.handler: renewed auth token
2022-05-09T10:14:10.092Z [INFO]  auth.handler: renewed auth token
2022-05-09T10:57:48.037Z [INFO]  auth.handler: renewed auth token
2022-05-09T11:26:40.345Z [INFO] (runner) rendered "/etc/vault/aws_credentials.tpl" => "/.aws/credentials"
2022-05-09T11:41:25.982Z [INFO]  auth.handler: renewed auth token
2022-05-09T12:25:03.934Z [INFO]  auth.handler: renewed auth token
2022-05-09T13:08:41.871Z [INFO]  auth.handler: renewed auth token
2022-05-09T13:52:19.948Z [INFO]  auth.handler: renewed auth token
2022-05-09T14:35:57.979Z [INFO]  auth.handler: renewed auth token
2022-05-09T15:14:35.361Z [INFO] (runner) rendered "/etc/vault/aws_credentials.tpl" => "/.aws/credentials"
2022-05-09T15:19:36.028Z [INFO]  auth.handler: renewed auth token
2022-05-09T16:03:14.069Z [INFO]  auth.handler: renewed auth token
2022-05-09T16:46:52.074Z [INFO]  auth.handler: renewed auth token
2022-05-09T17:30:30.076Z [INFO]  auth.handler: renewed auth token
2022-05-09T18:14:08.030Z [INFO]  auth.handler: renewed auth token
2022-05-09T18:57:45.977Z [INFO]  auth.handler: renewed auth token
2022-05-09T19:00:34.798Z [INFO] (runner) rendered "/etc/vault/aws_credentials.tpl" => "/.aws/credentials"
2022-05-09T19:41:23.913Z [INFO]  auth.handler: renewed auth token
2022-05-09T20:25:01.846Z [INFO]  auth.handler: renewed auth token
2022-05-09T21:08:39.883Z [INFO]  auth.handler: renewed auth token
2022-05-09T21:52:17.935Z [INFO]  auth.handler: renewed auth token
2022-05-09T22:35:55.881Z [INFO]  auth.handler: renewed auth token
2022-05-09T22:48:10.664Z [INFO] (runner) rendered "/etc/vault/aws_credentials.tpl" => "/.aws/credentials"

The time differences are, respectively (h:m):
3:28 (208 mins)
3:48 (228 mins)
3:46 (226 mins)
3:48 (228 mins)

If the interval was 90%, I'd expect to get the template rendered every 216 minutes -> 4h=240mins-10%

Now my question is: why is the interval fluctuating so much? And how can I change that?