Issues with static stability / expiration in IMDS client #2687

rcoh · 2023-05-09T20:28:11Z

(created from customer comment)

We are seeing some errors in production following the addition of the logic here

    fn maybe_extend_expiration(&self, expiration: SystemTime) -> SystemTime {
        // [ ... ]
        // calculate credentials' refresh offset with jitter
        let refresh_offset =
            CREDENTIAL_EXPIRATION_INTERVAL + Duration::from_secs(rng.u64(120..=600));
        let new_expiry = self.time_source.now() + refresh_offset;

        if new_expiry < expiration {
            return expiration;
        }

        tracing::warn!(
            "Attempting credential expiration extension due to a credential service availability issue. \
            A refresh of these credentials will be attempted again within the next {:.2} minutes.",
            refresh_offset.as_secs_f64() / 60.0,
        );

        new_expiry
    }

The error we are seeing happening infrequently and when it happens, it lasts for 10/15mins.

Error { code: \"ExpiredTokenException\", message: \"The security token included in the request is expired\", aws_request_id: \"U9LKTDURCE8893LKBN5R1Q4ASFVV4KQNSO5AEMVJF66Q9ASUAAJG\" }

In our setup the credentials are coming from kube2iam and the expiry is set to maximum 30 mins. We are wondering if this is conflicting with any of the assumptions made here? Of course this could entrely be a bug in kube2iam but I wanted to ask here first since this is an ongoing effort to change how the SDK threats expired credentials.

Looking at the notes in #2117

Per internal AWS guidelines, SDKs must not "fail fast" and attempt to refresh expired IMDS credentials without first receiving a service exception. This is because a service may begin accepting expired credentials due to a credential service availability issue.

Is it possible the sdk has been updated to allow the usage of expired tokens without updating the upstream services to relax the validation?

Originally posted by @mustakimali in #2258 (comment)

The text was updated successfully, but these errors were encountered:

## Motivation and Context Fixes #2687 ## Description The implementation for IMDS static stability support introduced a bug where returned credentials from IMDS are extended unconditionally, even though the credentials are not stale. The amount by which credentials are extended is randomized and it can incorrectly extend the expiry beyond what's originally set. IMDS produces credentials that last 6 hours, and extending them by at most 25 minutes usually won't be an issue but when other tools such as Kube2iam and AWSVault are used, the expiry can be set much shorter than that, causing the issue to occur. This PR will conditionally extend the credentials' expiry only when the returned credentials have been expired with respect to the current wall clock time. Also, the constant values have been adjusted according to our internal spec. ## Testing - Added a new unit test for the IMDS credentials provider ## Checklist  - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: Yuki Saito <awsaito@amazon.com>

…#2694) ## Motivation and Context Fixes smithy-lang/smithy-rs#2687 ## Description The implementation for IMDS static stability support introduced a bug where returned credentials from IMDS are extended unconditionally, even though the credentials are not stale. The amount by which credentials are extended is randomized and it can incorrectly extend the expiry beyond what's originally set. IMDS produces credentials that last 6 hours, and extending them by at most 25 minutes usually won't be an issue but when other tools such as Kube2iam and AWSVault are used, the expiry can be set much shorter than that, causing the issue to occur. This PR will conditionally extend the credentials' expiry only when the returned credentials have been expired with respect to the current wall clock time. Also, the constant values have been adjusted according to our internal spec. ## Testing - Added a new unit test for the IMDS credentials provider ## Checklist  - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: Yuki Saito <awsaito@amazon.com>

rcoh assigned ysaito1001 May 9, 2023

ysaito1001 mentioned this issue May 10, 2023

Avoid extending IMDS credentials expiry unconditionally #2694

Merged

1 task

ysaito1001 closed this as completed in 91194e7 May 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issues with static stability / expiration in IMDS client #2687

Issues with static stability / expiration in IMDS client #2687

rcoh commented May 9, 2023 •

edited

Loading

Issues with static stability / expiration in IMDS client #2687

Issues with static stability / expiration in IMDS client #2687

Comments

rcoh commented May 9, 2023 • edited Loading

rcoh commented May 9, 2023 •

edited

Loading