java - SQS 过期 token : The security token included in the request is expired status code: 403

Question

我有一个在 EC2 上运行的长时间运行的工作进程，它使用 SQS 队列中的项目。一段时间后(我估计是 8-12 小时)，我开始收到过期的安全 token 错误。我希望 aws 库自动处理凭据的刷新，但事实并非如此。它无论如何都在客户端处理吗？仅当我使用 DefaultCredentialsProviderChain 生成访问权限时才会发生这种情况。与 key 和 secret 一起使用时不会发生此错误。堆栈跟踪如下:

com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonSQS; Status Code: 403; Error Code: ExpiredToken; Request ID: 6ff6e1a0-d668-5ac5-bcd7-ae30058f25c0)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
    at com.amazonaws.services.sqs.AmazonSQSClient.invoke(AmazonSQSClient.java:2419)
    at com.amazonaws.services.sqs.AmazonSQSClient.receiveMessage(AmazonSQSClient.java:1130)
    at com.amazonaws.services.sqs.AmazonSQSAsyncClient$24.call(AmazonSQSAsyncClient.java:1783)
    at com.amazonaws.services.sqs.AmazonSQSAsyncClient$24.call(AmazonSQSAsyncClient.java:1779)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

我找到的解决方法是每次遇到 token 过期错误时更新 awsCredentials 并重置 sqs 客户端。

awsCredentials = (new DefaultAWSCredentialsProviderChain).getCredentials
sqs = SimpleSQSClient(awsCredentials, Regions.US_EAST_1)
queueSQS = sqs.simple(QueueName(queueName), true)

注意:我正在使用包装器 kifi/franz

Answer 1

AWS SDK 确实能够循环从实例配置文件继承的临时凭证，但是通过在 SimpleSQSClient 的构造函数中传递一个显式 AWSCredentials 对象，我相信您会拒绝它这样做的机会。

您没有明确声明您的应用程序正在继承实例角色，但您的帖子中有足够的证据可以推断是这种情况:

• 您的应用程序正在 EC2 上运行。
• DefaultAWSCredentialsProviderChain 的行为是查找“通过 Amazon EC2 元数据服务提供的实例配置文件凭证”(如果找不到其他凭证)。
• 只有在未明确传递您自己已知的访问/ secret key 时，您才会看到此行为。

文档中描述了自动凭据刷新的具体行为:

The automatic credentials refresh happens only when you use the default client constructor, which creates its own InstanceProfileCredentialsProvider as part of the default provider chain, or when you pass an InstanceProfileCredentialsProvider instance directly to the client constructor. If you use another method to obtain or pass instance profile credentials, you are responsible for checking for and refreshing expired credentials.

通过直接传递 AWSCredentials 而不是 AWSCredentialsProvider，您将负责检查和刷新过期的凭证。从好的方面来说，如果您想继续明确传递凭据，您的解决方法就可以了。

SimpleSQSClient 有一个构造函数，可以更好地满足您的用例:

new SimpleSQSClient(
    credentialProvider: com.amazonaws.auth.AWSCredentialsProvider,
    region: com.amazonaws.regions.Regions,
    buffered: Boolean
)

例子:

SimpleSQSClient sqs = SimpleSQSClient(new DefaultAWSCredentialsProviderChain(), Regions.US_EAST_1, false)

示例，明确使用 InstanceProfileCredentialsProvider :

SimpleSQSClient sqs = SimpleSQSClient(new InstanceProfileCredentialsProvider(), Regions.US_EAST_1, false)

进一步阅读:

• AWS SDK for Java > DefaultAWSCredentialsProviderChain - 更详细地描述默认供应商链
• kini/franz - Initialization - SimpleSQSClient 构造函数引用
• AWS SDK for Java >Developer Guide > Using IAM Roles to Grant Access to AWS Resources on Amazon EC2 - 正确使用临时凭证的重要资源
• 2017 年 11 月 6 日更新:DefaultAWSCredentialsProviderChain 在 AWS SDK for Java 2.0 预览期间重命名为 DefaultCredentialsProvider。预览文档 here .