Automatically refreshing credentials with STS AssumeRole for API Gateway request signing

[avandesa-fw]

Hello! We have a somewhat odd use case and I'm looking into ways to leverage the SDK to make our lives easier.

Currently, we're calling AssumeRole to get temporary credentials, then using those to manually sign HTTP requests with aws_sigv4 to authenticate against an AWS API Gateway. This works great so far! However, we need some way to refresh those credentials since they only last a couple hours.

Our tentative plan is to keep the credentials behind a lock of some sort, then re-fetch them when requests start failing with 403 Forbidden errors. However, this synchronization is going to be tough to get right. I was wondering if there's any existing tools in the SDK or smithy to make this process easier.

One possibility I see is giving an SDK client a ProvideCredentials impl that internally calls AssumeRole, then getting the SharedHttpClient and using that to perform requests, but it's not immediately clear to me if

• the client would only call ProvideCredentials::provide_credentials when the creds expire
• the SharedHttpClient or SharedHttpConnector would have access to those creds, or
• we'd be able to configure the other signing parameters, like the region and service.

Again, we can do the synchronization ourselves, but I want to make sure I'm not missing some other SDK feature that would make this easier. Thanks!

[ysaito1001]

Thanks for posting! Normally, you'd reach out something like AssumeRoleProvider, create an instance of it, and pass it to the credentials_provider method on ConfigLoader. Once you constructed a service client from ConfigLoader, then that AssumeRoleProvider would be backed by an identity cache (ex. lazy identity cache). This cache keeps track of credentials' expiry and it automatically refreshes credentials when they're about to expire.

Do you use ConfigLoader to create a service client? If not, how do you construct a service client currently?

[jmklix]

Marking above as the answer, please open a new discussion if you have any questions