
STSAssumeRoleWebIdentityCredentialsProvider should refresh its token before expiry

Open igorcanadi opened this issue 4 years ago • 0 comments

Is your feature request related to a problem? Please describe.
We run a production system that uses STS tokens to communicate with AWS. A couple of times daily we get the error message "The provided token has expired." on AWS access. Our theory is that the token expires after the client-side expiry check and before the server-side check. TaskRoleCredentialsProvider has implemented an expiry grace period where it refreshes the token if it's going to expire in the next 5 seconds: https://github.com/aws/aws-sdk-cpp/blob/926a8c3ea264344ae290be6400d4a3050d68d616/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp#L344

No such mechanism exists in STSAssumeRoleWebIdentityCredentialsProvider, which only refreshes the token once it's expired: https://github.com/aws/aws-sdk-cpp/blob/93b3adc3674568f4474b3181adf1d121e5fdd644/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp#L151

Describe the solution you'd like
Add an expiry grace period to STSAssumeRoleWebIdentityCredentialsProvider.

Describe alternatives you've considered
Retrying the AWS call on access denied, but that feels hacky.

igorcanadi, Feb 08 '21 12:02
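The race described in the issue, as an added example that is not aws-sdk-cpp code and not part of the original post: a credential cache that refreshes only once expired passes the client-side check and is then rejected when the server evaluates the request, while a 5-second grace period forces an earlier refresh. `Token`, `CachingProvider`, `ServerAccepts` and `Scenario` are hypothetical names, and the 1-hour lifetime and the 20 ms and 50 ms timings are constructed values.

```cpp
#include <chrono>
#include <functional>
#include <iostream>
#include <string>
#include <utility>

using Ms = std::chrono::milliseconds;

// Hypothetical stand-in for a temporary credential (not an aws-sdk-cpp type).
struct Token { std::string id; Ms expiresAt; };

// Caches a token and refetches once it is within `grace` of expiry.
// grace == 0 models "refresh only once expired".
class CachingProvider {
public:
    CachingProvider(std::function<Token(Ms)> fetch, Ms grace)
        : m_fetch(std::move(fetch)), m_grace(grace) {}
    const Token& Get(Ms now) {
        if (!m_valid || now + m_grace >= m_token.expiresAt) {
            m_token = m_fetch(now);
            m_valid = true;
        }
        return m_token;
    }
private:
    std::function<Token(Ms)> m_fetch;
    Ms m_grace;
    Token m_token{};
    bool m_valid = false;
};

// Server-side expiry check, evaluated when the request arrives.
bool ServerAccepts(const Token& t, Ms arrival) { return arrival < t.expiresAt; }

// Constructed scenario: 1 h token lifetime, request signed 20 ms before
// expiry, 50 ms until the server evaluates it. Returns the server's verdict.
bool Scenario(Ms grace) {
    const Ms lifetime(3600000);
    int n = 0;
    CachingProvider p([&](Ms now) {
        return Token{"tok" + std::to_string(++n), now + lifetime}; }, grace);
    p.Get(Ms(0));                                  // initial fetch at t = 0
    const Ms sendTime = lifetime - Ms(20);
    return ServerAccepts(p.Get(sendTime), sendTime + Ms(50));
}

int main() {
    std::cout << "no grace:  " << Scenario(Ms(0)) << "\n";
    std::cout << "5 s grace: " << Scenario(Ms(5000)) << "\n";
}
```

The grace period has to exceed the worst-case gap between the client-side check and the server-side evaluation, including clock skew between the two hosts.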