ExpiredToken is retryable, but should not be

[pwrmiller]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow for answers
• I've searched for previous similar issues and didn't find any solution

Describe the bug
Using expired tokens results in retries. I've seen long runtimes of sts.getCallerIdentity, for example, retrying with an expired credential.

Is the issue in the browser/Node.js?
Node.js

If on Node.js, are you running this on AWS Lambda?
No.

Details of the browser/Node.js version
v15.3.0

SDK version number
aws-sdk@2.601

To Reproduce (observed behavior)
Use an expired credential, call sts.getCallerIdentity, observe that it retries using the expired credential

Expected behavior
Expired credentials should not be retried (since presumably they can never become un-expired). Or, if this is to account for clock skew or something nuanced like that, perhaps a sensible number of retries should be used (maybe just one?)

Additional context
This was observed in AWS CDK, on which I raised a bug here. There, @rix0rrr asserts that retrying retryable requests is appropriate, but that a request using an expired credential should not be retryable.

The offending code seems to be here.

Can you explain the logic of having expired tokens be explicitly retryable if this is intentional?

[ajredniwja]

Hey @pwrmiller, thanks for opening this and apologies for delayed response, I am quite confused myself here with the logic, I have taken this up with the team, will discuss and let you know the logic behind it.

[ajredniwja]

The change was made addressing this: #80

[ajredniwja]

As a workaround can you manually provide the retry count?

[ajredniwja]

aws-sdk-js/lib/credentials.js

Lines 16 to 19 in 5c14d6b

	* Occasionally credentials can expire in the middle of a long-running
	* application. In this case, the SDK will automatically attempt to
	* refresh the credentials from the storage location if the Credentials
	* class implements the {refresh} method.

If the credentials are expired, the SDK tries to refresh them from the source if they can be refreshed.

[rix0rrr]

Right, but if the credentials are from environment variables for example, they cannot be refreshed (yet some loop somewhere still assumes they have been and retries the API call)

[pwrmiller]

Agreed that credentials are used on EC2 instances as in #80 are retryable - but it seems to be that desktop users on mac using credentials from environment variables (here, AWS_PROFILE, but also AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY as noted by @rix0rrr), are not retryable - they are static. It seems that the SDK considers these static credentials as retryable?

[ajredniwja]

I do understand what you mean, I can bring this up with the team but not sure if this will be prioritized soon.

[AllanZhengYP]

Hi @rix0rrr @pwrmiller

This is a valid feature request. As @ajredniwja has pointed out, at ExpiredToken SDK will reload the credentials and retry the request. However, some credentials should not be retried, like credentials file, and environmental variable. I think I can add a logic in these providers that compare the expired credentials and newly loaded credentials, if they are the same, SDK should stop retrying.