Avoid retries on expired credentials
YakDriver committed Feb 15, 2023
1 parent 87c729d commit c1018eb
Showing 4 changed files with 86 additions and 1 deletion.
14 changes: 14 additions & 0 deletions awsauth_test.go
Expand Up @@ -320,6 +320,20 @@ func TestGetAccountIDAndPartitionFromSTSGetCallerIdentity(t *testing.T) {
},
ErrCount: 1,
},
{
Description: "sts:GetCallerIdentity expired token with invalid response",
MockEndpoints: []*servicemocks.MockEndpoint{
servicemocks.MockStsGetCallerIdentityInvalidBodyExpiredToken,
},
ErrCount: 1,
},
{
Description: "sts:GetCallerIdentity expired token with valid response",
MockEndpoints: []*servicemocks.MockEndpoint{
servicemocks.MockStsGetCallerIdentityValidBodyExpiredToken,
},
ErrCount: 1,
},
{
Description: "sts:GetCallerIdentity success",
MockEndpoints: []*servicemocks.MockEndpoint{
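Review bot: The two new table entries assert only `ErrCount: 1`, which shows the ExpiredToken body is surfaced as an error but says nothing about whether a second STS request followed it, which is the behaviour the commit title promises; if the mock endpoint can report how many requests it served, asserting a single call would tie these cases to the change. The descriptions "expired token with invalid response" and "expired token with valid response" do not say what differs, and from the servicemocks hunk in this commit the only difference appears to be where `<RequestId>` sits in the error XML; a comment such as `// "valid"/"invalid" refer to the placement of <RequestId> in the error body, see servicemocks/mock.go` would spare the next reader the cross-reference. The test table begins and ends outside the hunk.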
48 changes: 48 additions & 0 deletions servicemocks/mock.go
Expand Up @@ -113,6 +113,24 @@ const (
<Message>User: arn:aws:iam::123456789012:user/Bob is not authorized to perform: sts:GetCallerIdentity</Message>
</Error>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ErrorResponse>`
MockStsGetCallerIdentityValidResponseBodyExpiredToken = `<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>ExpiredToken</Code>
<Message>The security token included in the request is expired</Message>
</Error>
<ResponseMetadata>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</ErrorResponse>`
MockStsGetCallerIdentityInvalidResponseBodyExpiredToken = `<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>ExpiredToken</Code>
<Message>The security token included in the request is expired</Message>
</Error>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ErrorResponse>`
MockStsGetCallerIdentityPartition = `aws`
MockStsGetCallerIdentityValidResponseBody = `<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
Expand Down Expand Up @@ -211,6 +229,36 @@ var (
StatusCode: http.StatusForbidden,
},
}
MockStsGetCallerIdentityInvalidBodyExpiredToken = &MockEndpoint{
Request: &MockRequest{
Body: url.Values{
"Action": []string{"GetCallerIdentity"},
"Version": []string{"2011-06-15"},
}.Encode(),
Method: http.MethodPost,
Uri: "/",
},
Response: &MockResponse{
Body: MockStsGetCallerIdentityInvalidResponseBodyExpiredToken,
ContentType: "text/xml",
StatusCode: http.StatusForbidden,
},
}
MockStsGetCallerIdentityValidBodyExpiredToken = &MockEndpoint{
Request: &MockRequest{
Body: url.Values{
"Action": []string{"GetCallerIdentity"},
"Version": []string{"2011-06-15"},
}.Encode(),
Method: http.MethodPost,
Uri: "/",
},
Response: &MockResponse{
Body: MockStsGetCallerIdentityValidResponseBodyExpiredToken,
ContentType: "text/xml",
StatusCode: http.StatusForbidden,
},
}
MockStsGetCallerIdentityValidEndpoint = &MockEndpoint{
Request: &MockRequest{
Body: url.Values{
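Review bot: `MockStsGetCallerIdentityValidResponseBodyExpiredToken` and `MockStsGetCallerIdentityInvalidResponseBodyExpiredToken` differ only in whether `<RequestId>` is nested under `<ResponseMetadata>` or is a direct child of `<ErrorResponse>`, and neither constant says which shape the SDK is expected to parse; since the existing AccessDenied body just above uses the direct-child form that the "Invalid" constant copies, the names read backwards to anyone who has not seen the tests. Suggest a one-line comment on each, e.g. `// ExpiredToken error body with <RequestId> wrapped in <ResponseMetadata>.` and `// ExpiredToken error body with <RequestId> directly under <ErrorResponse>, same layout as the AccessDenied body above.`. The two MockEndpoint values in the second hunk are identical apart from the body they return, which mirrors the existing pattern and is fine as-is. Both the const block and the var block begin outside their hunks.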
7 changes: 7 additions & 0 deletions v2/awsv1shim/session.go
Expand Up @@ -148,6 +148,13 @@ func GetSession(ctx context.Context, awsC *awsv2.Config, c *awsbase.Config) (*se
})
r.Retryable = aws.Bool(false)
}

if r.IsErrorExpired() {
logger.Warn(ctx, "Disabling retries after next request due to expired credentials", map[string]any{
"error": r.Error,
})
r.Retryable = aws.Bool(false)
}
})

return sess, nil
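Review bot: Setting `r.Retryable = aws.Bool(false)` whenever `r.IsErrorExpired()` is true disables every retry on an expired-credentials error, not only the ones that cannot succeed. If I recall aws-sdk-go v1's AfterRetryHandler correctly, a retry on an expired-token error is also where the SDK calls `Credentials.Expire()` so that a refreshable provider (assume-role, process, SSO) obtains fresh credentials before the retry, and with this handler in place that path is skipped, so such callers would fail on the first expiry instead of recovering. Worth confirming against the SDK version pinned in go.mod, and then either limiting the new block to non-refreshable credentials or recording the decision next to it with a comment like `// Expired credentials are treated as terminal here: the SDK's expire-and-retry path is deliberately bypassed.`. The added block also repeats the shape of the block immediately above it (a warn followed by `r.Retryable = aws.Bool(false)`), so a single condition selecting the message would remove the duplication. GetSession and the handler closure both begin outside the hunk.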
18 changes: 17 additions & 1 deletion v2/awsv1shim/session_test.go
Expand Up @@ -561,7 +561,7 @@ aws_secret_access_key = DefaultSharedCredentialsSecretKey
[default]
aws_access_key_id = DefaultSharedCredentialsAccessKey
aws_secret_access_key = DefaultSharedCredentialsSecretKey
`,
`,
},
{
Config: &awsbase.Config{
Expand Down Expand Up @@ -872,6 +872,22 @@ region = us-east-1
servicemocks.MockStsGetCallerIdentityValidEndpoint,
},
},
{
Config: &awsbase.Config{
AccessKey: servicemocks.MockStaticAccessKey,
Region: "us-east-1",
SecretKey: servicemocks.MockStaticSecretKey,
},
Description: "expired token error",
ExpectedError: func(err error) bool {
return strings.Contains(err.Error(), "ExpiredToken")
//return tfawserr.ErrCodeEquals(err, "ExpiredToken")
},
MockStsEndpoints: []*servicemocks.MockEndpoint{
servicemocks.MockStsGetCallerIdentityInvalidBodyExpiredToken,
},
},

// {
// Config: &awsbase.Config{
// AccessKey: servicemocks.MockStaticAccessKey,
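Review bot: The commented-out `//return tfawserr.ErrCodeEquals(err, "ExpiredToken")` inside the new ExpectedError func is dead code committed with the test; either delete it or keep the string match alone with a comment stating why the code-based check was not usable here (presumably the error reaches the test in a form tfawserr cannot unwrap, which is worth confirming before writing that down). The new case drives only `servicemocks.MockStsGetCallerIdentityInvalidBodyExpiredToken`, whereas awsauth_test.go in this commit covers both bodies; a second entry using `servicemocks.MockStsGetCallerIdentityValidBodyExpiredToken` would keep the two suites in step. Neither entry asserts that a single STS request was made, which is the behaviour the commit title describes. The first hunk in this file is a whitespace-only change to a shared-credentials fixture. The test table begins and ends outside the hunk.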
