barnybug / cli53

Command line tool for Amazon Route 53

Exit when credentials are not valid

sihil opened this issue

cli53 version (cli53 --version)

cli53 version 0.8.6

OS / Platform

OSX

Expected behaviour

If the current set of credentials has expired then the application should exit with a helpful error.

Actual behaviour

Application repeatedly attempts to use the expired credentials.

Steps to reproduce

Suspect this happens with any command, but I was using import:

./cli53-mac-amd64 import --file myexample.com.zonefile --replace --profile <myprofile> myexample.com

In my case the profile was time limited and had expired. The result (when in debug mode) was that cli53 was trying again and again:

2016/11/02 10:21:21 DEBUG: Request route53/ListHostedZonesByName Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET http://route53.amazonaws.com/2013-04-01/hostedzonesbyname?dnsname=<mydomain> HTTP/1.1
Host: route53.amazonaws.com
User-Agent: aws-sdk-go/1.4.4 (go1.7; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=ASIAIKTL7PAZXATPSEDQ/20161102/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=baf84997fa1d467d2e994a3b9b75f62b13be10ba69762960ec160bdd1a3c4a81
X-Amz-Date: 20161102T102121Z
X-Amz-Security-Token: FQoDYXdzEID//////////wEaDJBvaK0/VLXceChILCLzAfFsCZJzkj++XyLnKyojTBerg8VnC/udi5hXIOn1MbPkR5bdC1OgK0pIbeLYswfkPOfqUeN2sbUVhr9iPjIc4LlCWLSSd9jNDPPFBllinmQGF/+BVBGvASTmm/vCgei9jKPTr810197lOs9pOcjr5gUTWghUSCgxmTU27tEeubWfgAo28n81Mu5m+AeiK7DHRhSys85D2/ChedD+c6f6FgUpKqJVddtynBEIZF+NExR/o9br0lK+8y6enUV3J0Lsbb887ooQ1GWU6CB+OS2pWU92Yln4fVPo4Xya8FVPoNV97G94UtUCJJvE3GT/Sb57p9FrRyi4xeTABQ==
Accept-Encoding: gzip


-----------------------------------------------------
2016/11/02 10:21:21 DEBUG: Response route53/ListHostedZonesByName Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Content-Length: 297
Content-Type: text/xml
Date: Wed, 02 Nov 2016 10:21:19 GMT
X-Amzn-Requestid: 1925f932-a0e6-11e6-8e24-23877832aba8

... repeated ...

Was the documentation missing information you required?

No

Could you contribute a fix or help testing with this issue?

Happy to test.

Hi, thanks for reporting this.
Looking into it - I believe it's happening because we set MaxRetries to 100 (in order to retry when there are rate limiting failures), so it should eventually exit.
If this doesn't explain what you're seeing, please file this as an upstream issue to https://github.com/aws/aws-sdk-go/

I suspect it would eventually fail, but it uses the exponential backoff so 100 retries is > 1 day in real time before it times out (this is a guess - I haven't checked 😄 but it's 15 minutes so far and on retry 15 with ~6min backoff and growing so at least 10 hours). You might want to tune that down a little - something under 10 might be more appropriate.

Having briefly dug through cli53 it looks like the auth failure is not correctly identified as such in the AWS Go SDK. I'm only really familiar with the Java SDK which handles this in much the same way as cli53 handles invalid credentials - i.e. it fails fast as retrying will make no difference to the outcome. In the Go SDK it catches the particular error code here and assumes it can automatically refresh the credentials. That's not the case for static credentials.

I've raised an issue there: aws/aws-sdk-go#925
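
The retry behaviour discussed in this thread, as an added example that is not code from cli53, the AWS SDK, or any commenter: a retry policy that keeps retrying throttling errors but fails fast on expired credentials unless the credential source can be refreshed. The `apiError` type, the `call` helper and the doubling backoff capped at 5 minutes are assumptions made for illustration; the error codes are ones AWS services return for throttling and expired session tokens.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a constructed stand-in for an AWS error carrying a service error code.
type apiError struct{ Code string }
func (e apiError) Error() string { return e.Code }

// Error codes AWS services return for throttling and for expired session credentials.
var throttleCodes = map[string]bool{"Throttling": true, "ThrottlingException": true, "PriorRequestNotComplete": true}
var expiredCodes = map[string]bool{"ExpiredToken": true, "ExpiredTokenException": true}

// shouldRetry always retries throttling, but retries expired credentials only
// when the credential source can actually be refreshed (canRefresh).
func shouldRetry(err error, canRefresh bool) bool {
	var ae apiError
	if !errors.As(err, &ae) {
		return false
	}
	return throttleCodes[ae.Code] || (expiredCodes[ae.Code] && canRefresh)
}

// call runs op up to maxRetries+1 times. It returns the attempt count, the backoff it
// would have slept (assumed schedule; accumulated, not actually slept) and the last error.
func call(op func(attempt int) error, maxRetries int, canRefresh bool) (int, time.Duration, error) {
	var waited time.Duration
	delay := 100 * time.Millisecond
	for attempt := 1; ; attempt++ {
		err := op(attempt)
		if err == nil || attempt > maxRetries || !shouldRetry(err, canRefresh) {
			return attempt, waited, err
		}
		waited += delay
		if delay *= 2; delay > 5*time.Minute {
			delay = 5 * time.Minute
		}
	}
}

func main() {
	expired := func(int) error { return apiError{"ExpiredToken"} }
	fmt.Println(call(expired, 100, false)) // static credentials: stops after one attempt
	fmt.Println(call(expired, 100, true))  // assumed refreshable: runs all 101 attempts
}
```

With static credentials the policy returns the error after the first attempt; with the expired-token code treated as refreshable and `maxRetries` at 100, the same failure costs hours of accumulated backoff under the assumed schedule.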