Support env var credential expiry

[JordonPhillips]

This adds support for environment credential expiration via the AWS_CREDENTIAL_EXPIRATION environment variable.

[codecov-io]

Codecov Report

Merging #1187 into develop will increase coverage by 0.04%.
The diff coverage is 100%.

@@             Coverage Diff             @@
##           develop    #1187      +/-   ##
===========================================
+ Coverage       98%   98.05%   +0.04%     
===========================================
  Files           45       45              
  Lines         7277     7306      +29     
===========================================
+ Hits          7132     7164      +32     
+ Misses         145      142       -3

Impacted Files	Coverage Δ
botocore/credentials.py	98.29% <100%> (+0.69%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8bde611...725ebd8. Read the comment docs.

[kyleknap]

Looks good. Just had a question and a comment.

[kyleknap]

One more test that might be good to add is one that checks that it does not refresh the credentials when it is not going to expire any time soon.

[kyleknap]

So for the very first time you load credentials and you do not have an expiry time set, it will not ever try to refresh if it you add the expiry time variable later on? I'm just curious about the behavior. Have not really thought out what should be desired.

[JordonPhillips]

Correct. I'm not sure how else we would do it without hacks

[kyleknap]

Yeah I cannot think of other ways to do this. I guess another question I have is it possible to transition from refershable environment credentials to non-refreshable? So say I had an expiry time set and then unset the expiry time variable before the next refresh what would happen?

[JordonPhillips]

It would fail as it expects it to be there upon refresh

[kyleknap]

Ok cool. That at least ensures the behavior is consistent for both directions (i.e. you can't do it).

[jamesls]

I think it would good to have tests for these cases (fixed->refreshable, refreshable->fixed are not allowed). Unlike other refreshable providers were it was unlikely to have missing keys across subsequent responses, this is the first refreshable provider that seems more prone to refresh errors.

[JordonPhillips]

Updated

[kyleknap]

🚢

[jamesls]

I don't think we should rely on no expiry time meaning non-refreshable credentials. I would prefer we're explicit. If we get expiry time use RefreshableCredentials, otherwise use Credentials.

I'm guessing that code was put in place to protect against malformed responses and not necessarily as part of its contract. It's always confusing to have RefreshableCredentials not actually refresh if you don't provide expiry.

[JordonPhillips]

👍 updated

[jamesls]

Looks good to me.

[koreno]

How should this feature be used? how would boto refresh the credentials once it finds they've expired?