Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

instance profile credentials expiring #58

Closed
chrono opened this issue Mar 27, 2016 · 8 comments
Closed

instance profile credentials expiring #58

chrono opened this issue Mar 27, 2016 · 8 comments
Labels
bug
Milestone
v1.0.1

Comments

@chrono
Copy link

chrono commented Mar 27, 2016
edited
Loading

The plugin (I'm using kinesis_producer) does not seem fetch fresh tokens from the metadata service regularly.

2016-03-27 05:20:10 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2016-03-27 05:29:17 +0000 error_class="StandardError" error="{:attempts=>[{:delay=>112, :dura
tion=>6, :success=>false, :error_code=>\"400\", :error_message=>\"{\\\"__type\\\":\\\"ExpiredTokenException\\\",\\\"message\\\":\\\"The security token included in the request is
expired\\\"}\"}], :success=>false}" plugin_id="object:3ff76076a31c"

The credentials seem to be fetched once at plugin startup in https://github.com/awslabs/aws-fluent-plugin-kinesis/blob/v1.0.0/lib/fluent/plugin/kinesis_helper/credentials.rb#L47. The name of the method default_credentials_provider is suggesting that it returns a provider, instead it returns credentials.

The credentials are then passed in to the client which has a loop to refresh the credentials https://github.com/awslabs/aws-fluent-plugin-kinesis/blob/v1.0.0/lib/kinesis_producer/daemon.rb#L183-L192. After ~6 hours, the credentials are no longer valid and the producer stalls.

Shouldn't this use the provider instead and dereference the credentials property regularly?

[edited to replace master with v1.0.0 in the file links]
@riywo
Copy link
Contributor

riywo commented Mar 27, 2016

Hi @chrono ,

I'll look into this issue. KPL itself has credentials_refresh_delay option, so I think it should refresh credentials automatically. But I'll double check it.

@riywo riywo added the bug label Mar 27, 2016
@riywo
Copy link
Contributor

riywo commented Mar 27, 2016

OK, I think it'll be a bug. I'll fix it.

@riywo riywo added this to the v1.0.1 milestone Mar 29, 2016
@riywo riywo mentioned this issue Mar 29, 2016
Merged
@riywo riywo closed this as completed in #62 Mar 29, 2016
@riywo
Copy link
Contributor

riywo commented Mar 29, 2016

Hi @chrono ,

I released v1.0.1 which fixes this problem. Please try this version. Thank you for reporting!

After confirming your situation is resolved, I'll yank v1.0.0 from rubygems since this is a huge bug.

@josqu4red
Copy link

I had the same problem, but using kinesis_streams output.
No more ExpiredTokenExceptions since upgraded to 1.0.1 yesterday.
Thanks!

@chrono
Copy link
Author

chrono commented Apr 2, 2016

Yup it has been working for me for the last few days on 1.0.1. So I can ditch my custom patched 1.0.0 now :)

@chrono
Copy link
Author

chrono commented Apr 2, 2016

Thanks for the quick turnaround!

@riywo
Copy link
Contributor

riywo commented Apr 4, 2016

@josqu4red @chrono

Great to hear from you! I'm so sorry for inconvenience. If you have any issue, feel free to submit an issue on this repository.

@tatsu-yam tatsu-yam mentioned this issue Feb 23, 2017
Closed
@vishalmamidi
Copy link

fluent/fluent-plugin-opensearch#24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
v1.0.1
Development

No branches or pull requests
4 participants
@riywo @chrono @josqu4red @vishalmamidi