chiefbiiko / dynamodb

deno <3 dynamodb
MIT License

Have access_key_id, secret_access_key, and session_token share their lifecycle #7

Closed chiefbiiko closed 4 years ago

chiefbiiko commented 4 years ago

currently, sessionToken is updateable as the module calls conf.sessionToken anytime it sets it in a request. Nonetheless, key id and access key are still static and not updateable during runtime. Using temporary credentials in a long-running process is thus not really possible at the moment. A fix could fx put a credentials getter on client config:

```typescript
/** Credentials. */
export interface Credentials {
  accessKeyId: string; // AKIAIOSFODNN7EXAMPLE
  secretAccessKey: string; // wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  sessionToken: string; // somesessiontoken
}

/** Client configuration. */
export interface ClientConfig {
  credentials(): Credentials | Promise<Credentials>;
  region: string; // us-west-2
  canonicalUri?: string; // fx /path/to/somewhere
  port?: number; // 80
}
```

hayd commented 4 years ago

I thought it was only the session token which is updated (in roles)? Perhaps I am mistaken.

In a case where this was cached, how would we know how long to cache it for / invalidate?

Perhaps then it's simpler for these all to be string | () => (string | Promise<string>)?


Usually these will be ENV variables, given by roles. Therefore these could be the default: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

For example:

accessKeyId : string | () => (string | Promise<string>)

and if accessKeyId is undefined then use default of looking up AWS_ACCESS_KEY_ID. (potentially look up in AWS_SHARED_CREDENTIALS_FILE || ~/.aws/credentials if not an ENV).

same for secretAccessKey, region, and sessionToken.

chiefbiiko commented 4 years ago

when calling sts AssumeRole or similar you also get a new key pair along with the session token AFAIK

to handle refreshing temporary credentials we can just retry once when getting a 403

thanks for the link

chiefbiiko commented 4 years ago

addressed in dae8da2e9839b5e6559abd19aab9f8dc8b60320e and 2a69237ba91c2c7e7e75e0b4af18f12dc9bd8cc5
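
The pattern discussed in this thread, as an added example that is not part of the issue or the module's own code: one getter returns the whole credential triple, and a request is retried once after a 403. All names (`envCredentials`, `sendWithRefresh`, `demo`) and the sample key values are constructed for illustration, and the environment lookup is injected as a function instead of being read from the runtime.

```typescript
// Hypothetical names throughout; this is not the module's API.
interface Credentials { accessKeyId: string; secretAccessKey: string; sessionToken?: string }
type CredentialsGetter = () => Credentials | Promise<Credentials>;
type Send = (creds: Credentials) => Promise<{ status: number }>;

// Default getter: read the three standard AWS variables in one call so the
// key id, secret and token are always taken from the same moment.
function envCredentials(env: (name: string) => string | undefined): CredentialsGetter {
  return () => {
    const accessKeyId = env("AWS_ACCESS_KEY_ID");
    const secretAccessKey = env("AWS_SECRET_ACCESS_KEY");
    if (!accessKeyId || !secretAccessKey) throw new Error("AWS credentials not set");
    return { accessKeyId, secretAccessKey, sessionToken: env("AWS_SESSION_TOKEN") };
  };
}

// Call the getter before each attempt. On a 403, fetch the whole triple again
// and retry exactly once, so a persistent denial is returned, not looped on.
async function sendWithRefresh(getCreds: CredentialsGetter, send: Send) {
  const first = await send(await getCreds());
  if (first.status !== 403) return { status: first.status, attempts: 1 };
  const second = await send(await getCreds());
  return { status: second.status, attempts: 2 };
}

// Constructed scenario: the service has rotated to `fresh` and rejects the rest.
async function demo() {
  const stale: Credentials = { accessKeyId: "ASIAOLDEXAMPLE", secretAccessKey: "old-secret", sessionToken: "old-token" };
  const fresh: Credentials = { accessKeyId: "ASIANEWEXAMPLE", secretAccessKey: "new-secret", sessionToken: "new-token" };
  const send: Send = async (c) => ({
    status: c.accessKeyId === fresh.accessKeyId && c.secretAccessKey === fresh.secretAccessKey &&
        c.sessionToken === fresh.sessionToken ? 200 : 403,
  });
  let calls = 0;
  const rotating: CredentialsGetter = () => (calls++ === 0 ? stale : fresh); // refreshed on 2nd call
  const mixed: CredentialsGetter = () => ({ ...stale, sessionToken: fresh.sessionToken }); // token only
  const env: Record<string, string | undefined> = {
    AWS_ACCESS_KEY_ID: fresh.accessKeyId,
    AWS_SECRET_ACCESS_KEY: fresh.secretAccessKey,
    AWS_SESSION_TOKEN: fresh.sessionToken,
  };
  return {
    rotated: await sendWithRefresh(rotating, send), // { status: 200, attempts: 2 }
    mixed: await sendWithRefresh(mixed, send), // { status: 403, attempts: 2 }
    fromEnv: await sendWithRefresh(envCredentials((n) => env[n]), send), // { status: 200, attempts: 1 }
  };
}
demo().then((r) => console.log(r));
```

The `mixed` case is the situation the issue describes: a refreshed session token paired with a static key pair is still rejected after the retry.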