Exit when credentials are not valid
sihil opened this issue
cli53 version (cli53 --version)
cli53 version 0.8.6
OS / Platform
OSX
Expected behaviour
If the current set of credentials has expired, then the application should exit with a helpful error.
Actual behaviour
Application repeatedly attempts to use the expired credentials.
Steps to reproduce
Suspect this happens with any command, but I was using import:
./cli53-mac-amd64 import --file myexample.com.zonefile --replace --profile <myprofile> myexample.com
In my case the profile was time limited and had expired. The result (when in debug mode) was that cli53 was trying again and again:
2016/11/02 10:21:21 DEBUG: Request route53/ListHostedZonesByName Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET http://route53.amazonaws.com/2013-04-01/hostedzonesbyname?dnsname=<mydomain> HTTP/1.1
Host: route53.amazonaws.com
User-Agent: aws-sdk-go/1.4.4 (go1.7; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=ASIAIKTL7PAZXATPSEDQ/20161102/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=baf84997fa1d467d2e994a3b9b75f62b13be10ba69762960ec160bdd1a3c4a81
X-Amz-Date: 20161102T102121Z
X-Amz-Security-Token: FQoDYXdzEID//////////wEaDJBvaK0/VLXceChILCLzAfFsCZJzkj++XyLnKyojTBerg8VnC/udi5hXIOn1MbPkR5bdC1OgK0pIbeLYswfkPOfqUeN2sbUVhr9iPjIc4LlCWLSSd9jNDPPFBllinmQGF/+BVBGvASTmm/vCgei9jKPTr810197lOs9pOcjr5gUTWghUSCgxmTU27tEeubWfgAo28n81Mu5m+AeiK7DHRhSys85D2/ChedD+c6f6FgUpKqJVddtynBEIZF+NExR/o9br0lK+8y6enUV3J0Lsbb887ooQ1GWU6CB+OS2pWU92Yln4fVPo4Xya8FVPoNV97G94UtUCJJvE3GT/Sb57p9FrRyi4xeTABQ==
Accept-Encoding: gzip
-----------------------------------------------------
2016/11/02 10:21:21 DEBUG: Response route53/ListHostedZonesByName Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Content-Length: 297
Content-Type: text/xml
Date: Wed, 02 Nov 2016 10:21:19 GMT
X-Amzn-Requestid: 1925f932-a0e6-11e6-8e24-23877832aba8
... repeated ...
Was the documentation missing information you required?
No
Could you contribute a fix or help testing with this issue?
Happy to test.
Hi, thanks for reporting this.
Looking into it - I believe it's happening because we set MaxRetries to 100 (in order to retry when there are rate limiting failures), so it should eventually exit.
If this doesn't explain what you're seeing, please file this as an upstream issue to https://github.com/aws/aws-sdk-go/
I suspect it would eventually fail, but it uses the exponential backoff so 100 retries is > 1 day in real time before it times out (this is a guess - I haven't checked 😄 but it's 15 minutes so far and on retry 15 with ~6min backoff and growing so at least 10 hours). You might want to tune that down a little - something under 10 might be more appropriate.
Having briefly dug through cli53 it looks like the auth failure is not correctly identified as such in the AWS Go SDK. I'm only really familiar with the Java SDK which handles this in much the same way as cli53 handles invalid credentials - i.e. it fails fast as retrying will make no difference to the outcome. In the Go SDK it catches the particular error code here and assumes it can automatically refresh the credentials. That's not the case for static credentials.
I've raised an issue there: aws/aws-sdk-go#925
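
The retry behaviour discussed in this thread, as an added example that is not part of the thread and is not cli53 or aws-sdk-go code: a standard-library Go retry loop that keeps retrying rate-limit errors with a capped backoff but returns at once on any other error, such as the 403 for expired static credentials. The `apiError` type, the `throttleCodes` set, the `call` helper and the `ExpiredToken` sample code are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a constructed stand-in for an AWS error response.
type apiError struct {
	Status int
	Code   string
}

func (e *apiError) Error() string { return fmt.Sprintf("%d %s", e.Status, e.Code) }

// Assumption: codes treated as rate limiting; adjust for the service in use.
var throttleCodes = map[string]bool{"Throttling": true, "ThrottlingException": true}

// retryable reports whether resending the request could change the outcome.
// Everything else, including a 403 for expired static credentials, fails fast.
func retryable(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && (throttleCodes[ae.Code] || ae.Status >= 500)
}

// call retries op with capped exponential backoff; sleep is injectable for tests.
func call(op func() error, maxRetries int, base, maxDelay time.Duration,
	sleep func(time.Duration)) (attempts int, waited time.Duration, err error) {
	delay := base
	for {
		attempts++
		if err = op(); err == nil || !retryable(err) || attempts > maxRetries {
			return attempts, waited, err
		}
		sleep(delay)
		waited += delay
		if delay *= 2; delay > maxDelay {
			delay = maxDelay
		}
	}
}

func main() {
	// Constructed error: the code is a sample value, not taken from the log above.
	expired := func() error { return &apiError{403, "ExpiredToken"} }
	n, w, err := call(expired, 100, time.Second, 30*time.Second, time.Sleep)
	fmt.Println(n, w, err)
}
```

Capping both the retry count and the per-retry delay bounds the worst-case run time, which is the concern raised about 100 retries with uncapped exponential backoff.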