Closed joelittlejohn closed 9 years ago
Thanks for the detailed report. There was previously an undocumented mechanism for refreshing IAM credentials, but it was brittle. I had another go at it for 0.6.0.
As you pointed it, It looks like credentials are incorrectly resolved in 0.6.0, leading to requests being signed with empty credentials. creds->credentials
was intended to dereference :current
.
I just pushed 0.6.1-SNAPSHOT, which ought to fix this - and seems to, in testing. Please let me know if this resolves your issue, and I'll promote the snapshot.
Thanks for looking at this so quickly. Apologies for the slow response, I've been busy with other things this afternoon but I'm deploying the new eulalie snapshot now. Will update you with the results :)
Fix appears to be working well here :+1:
Hi @moea I see that things have changed quite a bit in eulalie regarding expiring credentials. Originally we referred to nervous-systems/fink-nottle#4 and used the function suggested there, but we were finding that that our service was becoming broken after a few hours when credentials expired. It now looks like
eulalie.creds/iam
is the correct way to build expiring credentials, however on switching to this method we've found that we can no longer make successful requests.Using fink-nottle 0.4.2 we're declaring our creds like this:
However any attempt to receive a message from SQS results in the following exception:
Using a repl running on this instance I've tried to replicate what eulalie will be doing by running the following:
when I do this I see what looks like a valid set of credentials (I've truncated the sensitive values):
So I'm wondering if there is something wrong with the way that eulalie is attempting to sign requests.