Operations that fail due to ExpiredTokenException should never be retried

[eriksw]

Instead of erroring out immediately, operations that fail due to ExpiredTokenException get retried over and over.

You can reproduce this by using credentials obtained with aws sts get-session-token --duration-seconds 900 instead of a long-lived API key, then waiting for them to expire.

The error response at the HTTP level looks like this (as logged by db := dynamo.New(awsSession, &aws.Config{Region: &region, LogLevel: aws.LogLevel(aws.LogDebugWithHTTPBody)})):

-----------------------------------------------------
2018/03/21 19:06:17 DEBUG: Response dynamodb/Scan Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Content-Length: 125
Connection: keep-alive
Content-Type: application/x-amz-json-1.0
Date: Thu, 22 Mar 2018 02:06:17 GMT
Server: Server
X-Amz-Crc32: 2167418451
X-Amzn-Requestid: RCI9REDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED


-----------------------------------------------------
2018/03/21 19:06:17 {"__type":"com.amazon.coral.service#ExpiredTokenException","message":"The security token included in the request is expired"}

[guregu]

Thanks for the detailed bug report, it helped a lot in debugging. I was able to narrow this down to the MaxRetries setting in the aws.Config struct. If you set it to 0, it will immediately error out. It seems like the official AWS library itself is doing all the retrying, not dynamo.