Closed chiefbiiko closed 4 years ago
I thought it was only the session token which is updated (in roles)? Perhaps I am mistaken.
In a case where this was cached, how would we know how long to cache it for / when to invalidate it?
Perhaps then it's simpler for these all to be string | () => (string | Promise<string>)?
Usually these will be ENV variables, given by roles. Therefore these could be the default: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
For example:
accessKeyId : string | () => (string | Promise<string>)
and if accessKeyId is undefined then use default of looking up AWS_ACCESS_KEY_ID. (potentially look up in AWS_SHARED_CREDENTIALS_FILE || ~/.aws/credentials if not an ENV).
same for secretAccessKey, region, and sessionToken.
when calling sts AssumeRole or similar you also get a new key pair along with the session token AFAIK
to handle refreshing temporary credentials we can just retry once when getting a 403
thanks for the link
addressed in dae8da2e9839b5e6559abd19aab9f8dc8b60320e and 2a69237ba91c2c7e7e75e0b4af18f12dc9bd8cc5
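The approach discussed above (each credential field as a string or a getter, environment variables as the default, and one retry on a 403), sketched as an added example that is not the module's own code. All type and function names are hypothetical, the environment is passed in as a plain object, and `send` stands in for the signed HTTP request.

```typescript
// Added example, not the module's code. All names below are hypothetical.
type Lazy = string | (() => string | Promise<string>);
type Env = Record<string, string | undefined>;

interface CredentialConfig {
  accessKeyId?: Lazy;
  secretAccessKey?: Lazy;
  sessionToken?: Lazy;
}

interface ResolvedCreds {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken: string | undefined;
}

// Resolve one field: call a getter, use a literal, or fall back to the env var.
async function resolveField(value: Lazy | undefined, env: Env, name: string): Promise<string | undefined> {
  if (typeof value === "function") return await value();
  return value ?? env[name];
}

// Evaluated on every call, so getters can return rotated temporary credentials.
async function resolveCredentials(conf: CredentialConfig, env: Env): Promise<ResolvedCreds> {
  const accessKeyId = await resolveField(conf.accessKeyId, env, "AWS_ACCESS_KEY_ID");
  const secretAccessKey = await resolveField(conf.secretAccessKey, env, "AWS_SECRET_ACCESS_KEY");
  const sessionToken = await resolveField(conf.sessionToken, env, "AWS_SESSION_TOKEN");
  // The error names no values, so secrets never end up in logs.
  if (!accessKeyId || !secretAccessKey) throw new Error("missing AWS credentials");
  return { accessKeyId, secretAccessKey, sessionToken };
}

// send performs the signed request (stand-in) and returns the HTTP status code.
async function requestWithRetry(
  conf: CredentialConfig,
  env: Env,
  send: (creds: ResolvedCreds) => Promise<number>,
): Promise<number> {
  const status = await send(await resolveCredentials(conf, env));
  if (status !== 403) return status;
  // Retry exactly once with freshly resolved credentials; a second 403 is returned as-is.
  return send(await resolveCredentials(conf, env));
}
```
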
currently, sessionToken is updateable as the module calls conf.sessionToken anytime it sets it in a request. Nonetheless, key id and access key are still static and not updateable during runtime. Using temporary credentials in a long-running process is thus not really possible at the moment. A fix could, e.g., put a credentials getter on client config: