Issue with refresh of non-leased secret via vault agent side car

Vault version: 1.16

I’m using the vault agent sidecar template listed below to authenticate to vault using approle and then generate temporary AWS creds via the AWS secrets engine. This all works fine as expected, and I can see the temporary creds getting injected into the specified file in the pod under /vault/secrets/aws-config.txt.

The issue I’m seeing is related to the refresh of the temporary credentials based on the TTL I’m specifying. As listed below, I’m specifying a TTL of 12h which is the max we have configured on the backend.

Based on the documentation link below, since this is a leased non-renewable secret, I would expect the secret to be refreshed when TTL reaches the 85% mark. But instead what I’m seeing from testing is that it seems to not get refreshed until TTL reaches approx. the 92% mark.

vault.hashicorp.com/agent-extra-secret: app-creds
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-aws-config.txt: aws-testdc/sts/test-role
vault.hashicorp.com/agent-inject-template-aws-config.txt: |
  {{- with secret "aws-testdc/sts/test-role" "ttl=12h" -}}
  accesskey={{ .Data.access_key }}
  secret_key={{ .Data.secret_key }}
  security_token={{ .Data.security_token }}
  {{- end -}}
vault.hashicorp.com/auth-config-role-id-file-path: /vault/custom/role-id
vault.hashicorp.com/auth-config-secret-id-file-path: /vault/custom/secret-id
vault.hashicorp.com/auth-path: auth/testdc/approle
vault.hashicorp.com/auth-type: approle
vault.hashicorp.com/namespace: testdc

Appreciate any pointers on whether this is expected behavior or if this sounds like a defect. Thanks.