Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

retry InvalidIdentityToken errors #1858

Merged
merged 8 commits into from
Aug 8, 2019
Merged

retry InvalidIdentityToken errors #1858

merged 8 commits into from
Aug 8, 2019

Conversation

srchase
Copy link
Contributor

@srchase srchase commented Jul 30, 2019

Retry InvalidIdentityToken errors. Used by AssumeRoleWithWebIdentityCredentialProvider when StsClient makes call to asssume role.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@codecov-io
Copy link

codecov-io commented Jul 30, 2019
edited
Loading

Codecov Report

Merging #1858 into master will decrease coverage by 0.02%.
The diff coverage is 100%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master    #1858      +/-   ##
============================================
- Coverage     93.77%   93.75%   -0.03%     
- Complexity     3278     3282       +4     
============================================
  Files           184      184              
  Lines          8713     8652      -61     
============================================
- Hits           8171     8112      -59     
+ Misses          542      540       -2
Impacted Files Coverage Δ Complexity Δ
...ls/AssumeRoleWithWebIdentityCredentialProvider.php 100% <100%> (ø) 13 <6> (+4) ⬆️
src/RetryMiddleware.php 95.45% <0%> (-3.04%) 68% <0%> (ø)
src/functions.php 85.96% <0%> (-0.88%) 0% <0%> (ø)
src/Multipart/AbstractUploadManager.php 79.51% <0%> (-0.25%) 30% <0%> (ø)
src/Middleware.php 98.23% <0%> (-0.19%) 38% <0%> (ø)
src/CloudTrail/LogFileIterator.php 94.73% <0%> (-0.11%) 40% <0%> (ø)
src/Glacier/GlacierClient.php 96.07% <0%> (-0.08%) 17% <0%> (ø)
src/S3/S3MultiRegionClient.php 94.8% <0%> (-0.07%) 26% <0%> (ø)
src/Credentials/InstanceProfileProvider.php 98.43% <0%> (-0.05%) 22% <0%> (ø)
src/Credentials/CredentialProvider.php 95.68% <0%> (-0.05%) 137% <0%> (ø)
... and 20 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8e6a853...c71b6ec. Read the comment docs.

@srchase srchase requested a review from howardlopez July 30, 2019 20:23
howardlopez
howardlopez reviewed Jul 30, 2019
View reviewed changes
src/RetryMiddleware.php Outdated
@@ -31,6 +31,7 @@ class RetryMiddleware
'RequestThrottledException' => true,
'TooManyRequestsException' => true,
'IDPCommunicationError' => true,
'InvalidIdentityToken' => true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want this error code to be retried for all services?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AssumeRoleWithSAML also returns InvalidIdentityToken. Other services shouldn't return this error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally retrying InvalidIdentityToken would only be limited in scope to STS (as it's a special use case), as it's not inherently a throttling or retryable error, and we should allow for the possibility of other services using that exception name at some point.

howardlopez
howardlopez reviewed Aug 7, 2019
View reviewed changes
src/Credentials/AssumeRoleWithWebIdentityCredentialProvider.php
} catch (\Exception $e) {
if ($e->getAwsErrorCode() == 'InvalidIdentityToken') {
if ($this->attempts < $this->retries) {
sleep(pow(1.2, $this->attempts));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this retry strategy enough for the cold start scenario we're covering for?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A single retry may not succeed when encountering cold starts. Bumping the default retries to 3 should be sufficient for that scenario.

@srchase srchase merged commit 2f0d5af into aws:master Aug 8, 2019
@srchase srchase deleted the invalid-identity-token-error-retry branch August 8, 2019 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardlopez howardlopez howardlopez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@srchase @codecov-io @howardlopez