aws / aws-sdk-go-v2

AWS SDK for the Go programming language.
https://aws.github.io/aws-sdk-go-v2/docs/
Apache License 2.0

ExpiredToken: The provided token has expired. when using local config #1449

Closed youngpm closed 2 years ago

youngpm commented 3 years ago

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug: My credentials are not refreshing for a long running S3 upload when they come from a profile that assumes a role. After starting the upload, I get an error of the form:

    2021/10/06 08:51:43 upload multipart failed, upload id: ..., cause: operation error S3: UploadPart, https response error StatusCode: 400, RequestID: ..., HostID: ..., api error ExpiredToken: The provided token has expired.
    exit status 1

and the time corresponds to the expiry of the role's credentials; it appears the credential cache doesn't refresh them.

I'm running on my local development machine and initializing the config via

    cfg, err := config.LoadDefaultConfig(context.TODO())
    if err != nil {
        log.Fatal(err)
    }

with AWS_PROFILE=myprofile and where the profile's ~/.aws/config is grabbing its credentials via a profile that assumes a role like below:

    [profile myprofile]
    region = us-east-1
    role_arn = arn:aws:iam::<some acct>:role/<some name>
    source_profile = default

Version of AWS SDK for Go? v1.9.1

Version of Go (go version)? 1.17.1

To Reproduce (observed behavior): See the snippet in the description above; get creds from a profile that assumes a role, and use them until you hit the expiry.

Expected behavior: The credentials should automatically refresh before expiring.

Additional context: Running

    fmt.Printf("%+v\n", cfg.Credentials)

yields

    &{provider:0xc000626f00 options:{ExpiryWindow:0 ExpiryWindowJitterFrac:0} creds:{v:} sf:{mu:{state:0 sema:0} m:map[]}}

which makes me think the expiry is set to never refresh.

vudh1 commented 2 years ago

Hi, can you confirm if this is still persisting with the latest version of SDK?

github-actions[bot] commented 2 years ago

This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

wave2 commented 1 year ago

I recently observed this behaviour while using the Telegraf Agent to send metrics to CloudWatch.

When using the amazon-ssm-agent to write credentials to /var/lib/amazon/ssm/credentials, the Telegraf agent will run until the aws_session_token is refreshed (usually 1 hour) and then start to generate the error api error ExpiredToken: The security token included in the request is expired on subsequent PutMetricData requests.

Can the SDK refresh the shared credentials periodically when using a session token and in response to an ExpiredToken error?

Tested with Go version 1.20.4 and AWS SDK version 1.18.0
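
Added example, not part of the original thread and not the SDK's own code: a simplified, standard-library-only model of an expiry-window credentials cache, run against one-hour tokens to compare the two situations reported above (role credentials with a known expiry, and a session token read from a credentials file). `ExpiryWindow` and `CanExpire` echo SDK field names; `Creds`, `Cache`, `Fetch` and `Simulate` are hypothetical, and treating file-loaded credentials as carrying no reported expiry is an assumption of the model.

```go
package main

import (
	"fmt"
	"time"
)

type Creds struct {
	CanExpire bool      // false when the provider reports no expiry (assumed for file-based keys)
	Expires   time.Time // the token's true expiry, whether or not the cache is told about it
}

// Cache is a simplified, single-goroutine model of an expiry-window cache.
type Cache struct {
	Fetch        func(now time.Time) Creds // hypothetical provider callback
	ExpiryWindow time.Duration             // refresh this long before Expires
	cached       *Creds
	refreshAt    time.Time
	Fetches      int
}

// Retrieve reuses the cached value until refreshAt; values with no reported expiry are reused forever.
func (c *Cache) Retrieve(now time.Time) Creds {
	if c.cached != nil && (!c.cached.CanExpire || now.Before(c.refreshAt)) {
		return *c.cached
	}
	cr := c.Fetch(now)
	c.Fetches++
	c.cached, c.refreshAt = &cr, cr.Expires.Add(-c.ExpiryWindow)
	return cr
}

// Simulate calls Retrieve every 10 minutes for 2 hours against 1-hour tokens. It returns the fetch
// count and the smallest true lifetime left on any credential handed out (negative = already expired).
func Simulate(window time.Duration, canExpire bool) (int, time.Duration) {
	start := time.Date(2021, 10, 6, 8, 0, 0, 0, time.UTC) // constructed start time
	c := &Cache{ExpiryWindow: window, Fetch: func(t time.Time) Creds { return Creds{canExpire, t.Add(time.Hour)} }}
	minLeft := time.Hour
	for now := start; !now.After(start.Add(2 * time.Hour)); now = now.Add(10 * time.Minute) {
		if left := c.Retrieve(now).Expires.Sub(now); left < minLeft {
			minLeft = left
		}
	}
	return c.Fetches, minLeft
}

func main() {
	fmt.Println(Simulate(0, false)) // credentials with no reported expiry
}
```

In this model a zero window still refreshes at expiry, a larger window leaves more lifetime on every credential handed to a long-running request, and credentials with no reported expiry are fetched once and then served after the token behind them has expired.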