Provide better caching logic for Credentials

[JamesGAWS]

Describe the feature

Add a feature that would permit credentials.Credentials to return the last successful retrieved tokens if the configured credentials provider is unable to assume new credentials.

Use Case

This feature provides resiliency to TMDS, IMDS and STS service disruptions. The intended usage would be to set the max session duration on a role for 4-8 hours, set the session duration to that length, and for credentials to rotate more frequently (every hour for example). In the event of an outage in creds vending infrastructure, credentials would persist for 3-7 hours providing time for service to be restored without impacting clients.

Proposed Solution

This feature could be implemented at the credentials.Credentials.Get() method, or in the AssumeRoleProviderProvider.Retrieve() method.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

SDK version used

v1.44.315

Environment details (Version of Go (go version)? OS name and version, etc.)

macOX Monterey 12.6.5 (21G531)

[RanVaknin]

Hi @JamesGAWS,

Thanks for reaching out.

I think this is a reasonable feature request, however extending / changing the functionality of a credential provider would be a cross-SDK effort.
Since cross-SDK feature requests require multi team coordination and are time consuming, they are weighed based on customer impact and engagement (upvotes, comments, duplicate requests). I just want to set your expectations that this will likely not get implemented in the near future.

In terms of immediate resolution, you can implement your own credential provider that extends the credential provider interface and implement your own retrieval logic with the desired 1-hour window and potentially cache the previous set of credentials in-memory.

Thanks again,
Ran~