Is your feature request related to a problem?
When nix cannot find a file on a substituter (404), or does not have permissions (403), it does not cause the nix program to fail - instead the error is ignored.
However, in scenarios where AWS (or similar) returns an "ExpiredToken" message, the nix program exits with an error.
This problem arises at my workplace. We have a binary cache that is not public, and requires authentication with AWS to use.
We use SSO for signing into AWS, with a very short timeout (about 4 hours). Due to reasons I don't quite understand, we use a wrapper around aws sso get-role-credentials to get a temporary access key and secret, which is written to ~/.aws/credentials. Those keys are then used by nix to access the cache.
However, if the credentials have expired (which happens at least once a day), nix recieves a response it doesn't recognize and exits with an error like:
error: AWS error fetching '3kj21wmgvmg7siryq7w2qxrmdjmi5klf.narinfo': Unable to parse ExceptionName: ExpiredToken Message: The provided token has expired. (request id: MKXA4ZVHRQTBZ6BS)
I don't think this is really an error, as if nix received a 404 or 403 from the substituter, it would just continue looking.
Proposed solution
Treat this exception similar to a 403 or 404, and behave exactly the same way.
Additional context
Add 👍 to issues you find important.
Is your feature request related to a problem?
When nix cannot find a file on a substituter (404), or does not have permissions (403), it does not cause the nix program to fail - instead the error is ignored.
However, in scenarios where AWS (or similar) returns an "ExpiredToken" message, the nix program exits with an error.
This problem arises at my workplace. We have a binary cache that is not public, and requires authentication with AWS to use.
We use SSO for signing into AWS, with a very short timeout (about 4 hours). Due to reasons I don't quite understand, we use a wrapper around
aws sso get-role-credentialsto get a temporary access key and secret, which is written to~/.aws/credentials. Those keys are then used by nix to access the cache.However, if the credentials have expired (which happens at least once a day), nix recieves a response it doesn't recognize and exits with an error like:
I don't think this is really an error, as if nix received a 404 or 403 from the substituter, it would just continue looking.
Proposed solution
Treat this exception similar to a 403 or 404, and behave exactly the same way.
Additional context
Add 👍 to issues you find important.