Can't use on a long-lived requests.Session #8

Open
joshvazquez opened this issue Jul 5, 2022 · 1 comment

Comments

@joshvazquez

If you set the auth of a requests.Session to an AWSSigV4 object, after the token expires (e.g. 15 minutes), requests no longer succeed. The __call__ method should check whether the credentials are expired and refresh them before updating the request.

@andrewjroth
Owner

Thanks for your comment. In concept, I agree, the token expiration should be tracked and expired credentials refreshed. Unfortunately, as it is currently implemented, credentials (key ID, secret, and optionally a token) are passed at the creation of the AWSSigV4 object. Since it does not dynamically generate credentials on the fly, it wouldn't know how to refresh them and also doesn't know when they expire.

I would recommend getting and tracking the expiration of credentials outside of the requests.Session and refreshing the session when it expires.

There are only a couple instances where credentials are provided from a dynamic source and would include an expiration:

  1. Credentials are obtained from the instance metadata service (IMDS) on an EC2 instance (this is likely most common); or
  2. A role is being assumed using primary credentials, possibly via an external program (AWS CLI does this a few different ways).

For this library, the only time it loads credentials dynamically is when boto3 is available and keys were not explicitly provided. In this case, yes, it could track expiration and fetch new credentials upon expiration, but the behavior would need to be very different than all of the other use cases.

I think this could be implemented, but would need to have a flag or option to identify when the setup uses a dynamic source (mentioned above) vs a static source (explicitly provided or using environment variables). It would also need to track what that dynamic source is.

If you have ideas on how this could be implemented, I'll be happy to entertain a PR that adds this functionality.
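
The workaround recommended in the comment above (track credential expiration outside the signer and refresh when it lapses), sketched as an added example that is not part of the thread or the library's own code. `RefreshingAuth`, `fetch_credentials` and `make_signer` are hypothetical names: the first hook returns fresh credentials plus their expiry from whatever dynamic source is in use, and the second would build a new `AWSSigV4` object from them.

```python
import threading
from datetime import datetime, timedelta, timezone


class RefreshingAuth:
    """requests-compatible auth callable that rebuilds its signer before expiry.

    fetch_credentials() -> (credentials, expires_at); expires_at is a
    timezone-aware datetime, or None for static keys that never expire.
    make_signer(credentials) -> callable(prepared_request) -> prepared_request.
    Both hooks are hypothetical and supplied by the caller.
    """

    def __init__(self, fetch_credentials, make_signer,
                 skew=timedelta(minutes=5), now=None):
        self._fetch = fetch_credentials
        self._make_signer = make_signer
        self._skew = skew  # refresh this long before the stated expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._lock = threading.Lock()  # a Session may be shared across threads
        self._signer = None
        self._expires_at = None

    def _stale(self):
        if self._signer is None:
            return True  # nothing fetched yet
        if self._expires_at is None:
            return False  # static credentials: never refresh
        return self._now() >= self._expires_at - self._skew

    def __call__(self, request):
        with self._lock:
            if self._stale():
                credentials, expires_at = self._fetch()
                # Fail closed instead of signing with credentials that are
                # already expired and would be rejected by the service.
                if expires_at is not None and expires_at <= self._now():
                    raise RuntimeError("credential source returned expired credentials")
                self._signer = self._make_signer(credentials)
                self._expires_at = expires_at
            signer = self._signer
        return signer(request)
```

An instance is assigned to `session.auth` once; the session itself stays long-lived while the signer behind it is replaced.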
