Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Credentials expiration using InstanceProvider and SQS #1634

Open
pgrimaud opened this issue Dec 27, 2023 · 4 comments
Open

Credentials expiration using InstanceProvider and SQS #1634

pgrimaud opened this issue Dec 27, 2023 · 4 comments

Comments

@pgrimaud
Copy link
Contributor

Hello,

Thank you for your great packages! 😄

I'm using Symfony 5.4 along with the Messenger component, which includes the async-aws/core and async-aws/sqs packages. Our integration is configured to connect using the AWS Identity and Access Management (IAM) instance profile, which is valid for up to six hours.

My workers are managed by supervisord with a 3600-second time limit, after which the workers are automatically restarted.

Credentials are loaded when the worker starts, but if the credentials expire before the end of the worker's time limit, I encounter this error:

HTTP 403 returned for "https://sqs.eu-west-3.amazonaws.com/

Message: Signature expired: 20231227T074304Z is now earlier than 20231227T074415Z (20231227T075915Z - 15 min.)

I checked the AWS documentation and found this:

These security credentials are temporary and we rotate them automatically.
We make new credentials available at least five minutes before the expiration of the old credentials.

Is there a way to automatically rerun the authentication if the Expiration time plus 5 minutes is greater than the current datetime, without having to restart my workers?

@pgrimaud
Copy link
Contributor Author

Hi,

Just checking in on this. Any updates?

Thanks!

Pierre

@pgrimaud
Copy link
Contributor Author

Up

@pgrimaud
Copy link
Contributor Author

I wanted to kindly follow up on this issue. Is there any update or further information needed to move forward?

Thank you for your time and support!

@jderusse
Copy link
Member

I can't reproduce the issue, from the source code, we are using the expiration date provided by AWS to evict the cached (30 seconds before the expiration).

Could you add logs in your application to assert the Credentials::expireDate property is defined and credentials are re-regenerated when expired?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants