Avoid retries on expired credentials

[YakDriver]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

NOTE

Retrying 4xx errors was a bug that AWS fixed in AWS SDK for Go v2. Although this says it was fixed by #362, in reality the bulk of the problem was fixed when we moved to v2. Here, the only thing fixed involves the part of authentication that still takes place in v1, getting the session. Now, if you attempt to get a new session but receive an Expired Token error, it will not retry.

Closes: #23
Closes: #363

Closes: hashicorp/terraform-provider-aws#6992
See also: hashicorp/terraform-provider-aws#29612 (using version with these changes)

To avoid retry/backoff causing long or terminal delays in reporting the expired credentials error, stop retrying when this error is encountered.

Note: #23 and hashicorp/terraform-provider-aws#6992 take the approach of adding a flag to avoid this retrying behavior. However, after discussions with the AWS Provider team, security, and a former AWS Provider engineer, there appears to be no situation in which an expired credential would ever become unexpired. In other words, long retrying efforts are a bug that can be fixed without adding a new flag (e.g., stop_on_expired_creds).

[gdavison]

We should also add test cases in TestRetryHandlers and awsv1shim.TestSessionRetryHandlers to validate that the retries are cutting off when expected.

[gdavison]

There should be a corresponding update to networkErrorShortcutter.RetryDelay for calls using the AWS SDK for Go v2

[YakDriver]

Not needed since V2 won't retry 403 Forbidden with standard retryer (not retryable and not in the list of errors to be retried).

[gdavison]

Looks good! 🚀