I am migrating some services to AWS SDK v3, and I need to use a web identity token for the credentials, but I am facing a strange problem where it works for an hour and the first request after this hour throws an exception:

ExpiredTokenException: The security token included in the request is expired

After this failed request to Dynamo it starts working again, but I can't have this error. I have tried fixing this, but everywhere I look just says that SDK v3 should refresh the token automatically. The web identity token expires in 24h and the session in 1h. So the session expiring makes sense, but it is never refreshed.

The AWS config seems to be correct, as the web_identity_token_file environment variable is set up correctly.

const proxyOpts = this.configService.get("proxyOptions");
const requireProxy = this.dynamoConfig.options?.require_proxy || false;
// Web identity token file credentials when enabled, otherwise environment variables
const credentials = this.dynamoConfig.tokenEnabled ? fromTokenFile() : fromEnv();

this.dynamoClient = new DynamoDB({
    credentials: credentials,
    endpoint: this.dynamoConfig.endpoint,
    region: this.awsConfig.sdkOptions.region,
    tls: !!this.dynamoConfig.sslEnabled,
    requestHandler: new NodeHttpHandler({
        httpsAgent: requireProxy
          ? new Agent({ proxy: { host: proxyOpts.host, port: +proxyOpts.port }})
          : undefined,
    }),
});
  • fromTokenFile() returns a non-refreshable credentials provider by default, so after the 1-hour session expires, your first call fails, then on retry the SDK creates a new session, too late. So, instead, use defaultProvider from "@aws-sdk/credential-provider-node". Commented Jul 23 at 16:45
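
The symptom in the question, where the first request after the one-hour session fails, is what a cache that notices expiry only after the fact produces. The following is an added example, not part of the question or the comment and not AWS SDK source: a refresh-ahead wrapper run against a simulated clock. `refreshAhead`, `needsRefresh`, `makeFakeStsProvider`, `simulate`, the 5-minute window and all credential values are assumptions constructed for the illustration.

```javascript
// Added illustration (not AWS SDK source): refresh-ahead credential caching.
const REFRESH_WINDOW_MS = 5 * 60 * 1000; // assumption: renew 5 minutes early

function needsRefresh(creds, nowMs, windowMs = REFRESH_WINDOW_MS) {
  if (!creds) return true; // nothing cached yet
  if (!(creds.expiration instanceof Date)) return false; // static keys: no expiry
  return creds.expiration.getTime() - nowMs <= windowMs;
}

function refreshAhead(provider, { windowMs = REFRESH_WINDOW_MS, now = Date.now } = {}) {
  let cached, inFlight; // inFlight is shared so concurrent callers trigger one fetch
  return async function credentials() {
    if (!needsRefresh(cached, now(), windowMs)) return cached;
    if (!inFlight) {
      inFlight = provider()
        .then((fresh) => (cached = fresh))
        .finally(() => { inFlight = undefined; });
    }
    return inFlight;
  };
}

// Constructed stand-in for the token exchange: one-hour sessions, counts calls.
function makeFakeStsProvider(clock) {
  let calls = 0;
  const provider = async () => {
    calls += 1;
    return {
      accessKeyId: `EXAMPLE-KEY-${calls}`,
      secretAccessKey: "constructed-secret",
      sessionToken: `constructed-token-${calls}`,
      expiration: new Date(clock.nowMs + 60 * 60 * 1000),
    };
  };
  return { provider, callCount: () => calls };
}

async function simulate(minutes = [0, 30, 54, 56, 70]) {
  const clock = { nowMs: 0 };
  const sts = makeFakeStsProvider(clock);
  const credentials = refreshAhead(sts.provider, { now: () => clock.nowMs });
  const seen = [];
  for (const minute of minutes) {
    clock.nowMs = minute * 60 * 1000;
    const c = await credentials();
    seen.push({ minute, token: c.sessionToken, live: c.expiration.getTime() > clock.nowMs });
  }
  return { seen, fetches: sts.callCount() };
}
```

The function `refreshAhead` returns is an async function resolving to an object with an `expiration` date, which is the shape the client's `credentials` option takes, so it can wrap an existing provider.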
