goamz

IAM credential refresh

Open crxpandion opened this issue 11 years ago • 3 comments

I first noticed this in the sqs package, though it seems to be an issue in other packages as well. When using an SQS struct in a long-running process while relying on IAM roles to provide authentication credentials, the sqs module will eventually fail to authenticate.

It seems that the original idea is that when calling sqs.sign the aws.Auth credentials should be refreshed with the call to aws.Auth.Token(). However, due to the auth struct not being passed by reference, the calling function will maintain the outdated credentials. In addition, the token call comes after the secret key is placed in the HTTP request headers (https://github.com/crowdmob/goamz/blob/master/sqs/sign.go#L15). These problems combined cause long-running processes to fail after sufficient uptime.

I have made a temporary patch in github.com/crxpandion/goamz that solves the immediate issue of the credentials being outdated by solving the latter problem, but it does not fully solve the issue of the calling function's auth struct maintaining outdated credentials.

Do you guys have ideas to solve this issue? The easiest solution seems to be to pass the auth struct to the sqs.sign function by reference, but I can understand how it might not be ideal for the function to have side effects.

crxpandion, Mar 12 '14 03:03
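
The two problems described in the report above, reduced to an added Go example that is not goamz code and not part of the original post. `Auth`, `fetchRole`, `refresh`, `signByValue` and `signByPointer` are hypothetical names, and the role credential source is simulated with constructed keys.

```go
package main

import (
	"fmt"
	"time"
)

// Auth is a simplified stand-in for a credentials struct (hypothetical, not goamz's aws.Auth).
type Auth struct {
	SecretKey string
	Expires   time.Time
}

// fetchRole simulates a role credential source issuing a rotated key (constructed data).
func fetchRole(now time.Time) Auth {
	return Auth{SecretKey: "key-issued-" + now.Format("15:04"), Expires: now.Add(time.Hour)}
}

// refresh replaces expired credentials in place.
func (a *Auth) refresh(now time.Time) {
	if !now.Before(a.Expires) {
		*a = fetchRole(now)
	}
}

// signByValue mirrors the reported pattern: the key is read before the refresh,
// and the refresh only updates the function's local copy of the struct.
func signByValue(a Auth, now time.Time) string {
	key := a.SecretKey // stale key is already captured for the request
	a.refresh(now)     // updates the copy; the caller never sees it
	return key
}

// signByPointer refreshes first, then reads the key; the caller's struct is updated too.
func signByPointer(a *Auth, now time.Time) string {
	a.refresh(now)
	return a.SecretKey
}

func main() {
	start := time.Date(2014, 3, 12, 3, 0, 0, 0, time.UTC)
	later := start.Add(2 * time.Hour) // past the one-hour expiry
	stale := fetchRole(start)
	fmt.Println("by value:  ", signByValue(stale, later), "| caller holds", stale.SecretKey)
	fresh := fetchRole(start)
	fmt.Println("by pointer:", signByPointer(&fresh, later), "| caller holds", fresh.SecretKey)
}
```

With the by-value form every call after expiry keeps signing with the old key, which matches the failure after sufficient uptime described in the report.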

It is fixed for S3 and dynamodb, already

alimoeeny, Mar 12 '14 04:03

Happy to take a PR

moorage, Mar 12 '14 04:03

Good stuff. I like the solution taken in the s3 package.

crxpandion, Mar 12 '14 04:03