Credentials expiration using InstanceProvider and SQS

[pgrimaud]

Hello,

Thank you for your great packages! 😄

I'm using Symfony 5.4 along with the Messenger component, which includes the async-aws/core and async-aws/sqs packages. Our integration is configured to connect using the AWS Identity and Access Management (IAM) instance profile, which is valid for up to six hours.

My workers are managed by supervisord with a 3600-second time limit, after which the workers are automatically restarted.

Credentials are loaded when the worker starts, but if the credentials expire before the end of the worker's time limit, I encounter this error:

HTTP 403 returned for "https://sqs.eu-west-3.amazonaws.com/

Message: Signature expired: 20231227T074304Z is now earlier than 20231227T074415Z (20231227T075915Z - 15 min.)

I checked the AWS documentation and found this:

These security credentials are temporary and we rotate them automatically.
We make new credentials available at least five minutes before the expiration of the old credentials.

Is there a way to automatically rerun the authentication if the Expiration time plus 5 minutes is greater than the current datetime, without having to restart my workers?

[pgrimaud]

Hi,

Just checking in on this. Any updates?

Thanks!

Pierre

[pgrimaud]

Up

[pgrimaud]

I wanted to kindly follow up on this issue. Is there any update or further information needed to move forward?

Thank you for your time and support!

[jderusse]

I can't reproduce the issue, from the source code, we are using the expiration date provided by AWS to evict the cached (30 seconds before the expiration).

Could you add logs in your application to assert the Credentials::expireDate property is defined and credentials are re-regenerated when expired?

[callmewind]

Hello,
I'm having this issue too.
In my case happens every now and then when reading some items from a dynamodb table:

{
  "message": "HTTP 400 returned for \"https://dynamodb.us-east-1.amazonaws.com/\".",
  "context": {
    "exception": {
      "class": "AsyncAws\\Core\\Exception\\Http\\ClientException",
      "message": "HTTP 400 returned for \"https://dynamodb.us-east-1.amazonaws.com/\".\n\nCode:    InvalidSignatureException\nMessage: Signature expired: 20250110T032928Z is now earlier than 20250110T033544Z (20250110T035044Z - 15 min.)\nType:    \nDetail:  \n",
      "code": 400,
      "file": "/app/vendor/async-aws/core/src/Response.php:432",
      "trace": [
        "/app/vendor/async-aws/core/src/Response.php:448",
        "/app/vendor/async-aws/core/src/Response.php:179",
        "/app/vendor/async-aws/core/src/Result.php:69",
        "/app/vendor/async-aws/core/src/Result.php:137",
        "/app/vendor/async-aws/dynamo-db/src/Result/QueryOutput.php:89",
        "/app/src/Redacted.php:59",
        "/app/vendor/symfony/http-kernel/HttpKernel.php:183",
        "/app/vendor/symfony/http-kernel/HttpKernel.php:76",
        "/app/vendor/symfony/http-kernel/Kernel.php:182",
        "/app/vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35",
        "/app/vendor/autoload_runtime.php:29",
        "/app/public/index.php:5"
      ]
    },
    "aws_code": "InvalidSignatureException",
    "aws_message": "Signature expired: 20250110T032928Z is now earlier than 20250110T033544Z (20250110T035044Z - 15 min.)",
    "aws_type": null,
    "aws_detail": null
  },
  "level": 400,
  "level_name": "ERROR",
  "channel": "app",
  "datetime": "2025-01-10T03:29:28.855454+00:00",
  "extra": {
    "file": "/app/vendor/async-aws/core/src/Response.php",
    "line": 467,
    "class": "AsyncAws\\Core\\Response",
    "callType": "->",
    "function": "getResolveStatus"
  }
}