When harvest lasts more that one hour AWS credentials need to be renewed

[tloubrieu-jpl]

💡 Description

When the credentials expire, an exception management will allow:

1. to renew the cognito token using the refresh token
2. to renew the AWS credentials.

⚔️ Parent Epic / Related Tickets

No response

[al-niessner]

@tloubrieu-jpl @sarabond

Did this happen finally or are you just predicting it will happen? Can I get an account that has a 2 minute certificate time to build this fix/upgrade please? Something like mini-niessner would work well. I just do not want this to haunt me all the time when doing other development.

[tloubrieu-jpl]

@al-niessner , @alexdunnjpl , that could be an interesting use case for unit tests, especially if we cannot reduce the expiration period in dev. Al you could see if you can mock the opensearch response to return 403 to trigger the renewable of the credentials. However, you would also need to mock the cognito and /credentials interfaces, which will be more pain...

[alexdunnjpl]

@al-niessner @tloubrieu-jpl the AWS SDK should have automatic refresh handling as a built-in somewhere (AwsCredentialsProvider, looks like)

If it doesn't, build a wrapper for the credentials, whose getCredentials()

• checks the expiration time on the credentials
• if expiration >=5min away, return credentials
• if expiration <5min away, refresh credentials and return getCredentials()

Then test it manually by temporarily setting that 5min value to "validity duration minus five seconds" and check that it's refreshing every five seconds.

The unit-testable component of this feature is vanishingly-small.