Java – SQS ExpiredToken: the security token contained in the request is expired (status code: 403)

I have a long-running worker process running on EC2 that uses items from the SQS queue. After some time (8-12 hours, I estimate) I began to get expired security token errors. I hoped the AWS lib would automatically process credential refresh, but it doesn't seem so. In any case, within the client?

com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonSQS; Status Code: 403; Error Code: ExpiredToken; Request ID: 6ff6e1a0-d668-5ac5-bcd7-ae30058f25c0)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
    at com.amazonaws.services.sqs.AmazonSQSClient.invoke(AmazonSQSClient.java:2419)
    at com.amazonaws.services.sqs.AmazonSQSClient.receiveMessage(AmazonSQSClient.java:1130)
    at com.amazonaws.services.sqs.AmazonSQSAsyncClient$24.call(AmazonSQSAsyncClient.java:1783)
    at com.amazonaws.services.sqs.AmazonSQSAsyncClient$24.call(AmazonSQSAsyncClient.java:1779)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

The solution I found is to update awsCredentials and reset the SQS client every time an expired token error is encountered:

awsCredentials = (new DefaultAWSCredentialsProviderChain).getCredentials
sqs = SimpleSQSClient(awsCredentials,Regions.US_EAST_1)
queueSQS = sqs.simple(QueueName(queueName),true)

Note: I use the kifi/franz wrapper.

Solution

The AWS SDK can indeed cycle the temporary credentials inherited from the instance configuration file, but I believe you are denying it the opportunity to do so by passing an explicit AWSCredentials object to the constructor of SimpleSQSClient.

You have not explicitly stated that your application inherits the instance role, but there is enough evidence in your post to infer this situation:

- Your application is running on EC2.
- The behavior of DefaultAWSCredentialsProviderChain is to find "instance profile credentials provided through Amazon EC2 metadata service" if it cannot find other credentials.
- You will only see this behavior if you do not explicitly pass your own known access / key.

The specific behavior of automatic credential refresh is described in the document:

By passing AWSCredentials directly instead of an AWSCredentialsProvider, you will be responsible for checking and refreshing expired credentials. On the bright side, if you want to pass credentials explicitly, your solution is fine.

SimpleSQSClient has a constructor that works better for your use case:

new SimpleSQSClient(
    credentialProvider: com.amazonaws.auth.AWSCredentialsProvider,
    region: com.amazonaws.regions.Regions,
    buffered: Boolean
)

Example:

// Pass the provider itself (not a credentials snapshot) so the SDK can refresh it
val sqs = new SimpleSQSClient(new DefaultAWSCredentialsProviderChain(), Regions.US_EAST_1, false)

For example, explicitly using InstanceProfileCredentialsProvider:

// Same constructor; the region argument is required by the signature above
val sqs = new SimpleSQSClient(new InstanceProfileCredentialsProvider(), Regions.US_EAST_1, false)

Further reading:

- AWS SDK for Java > DefaultAWSCredentialsProviderChain – describes the default provider chain in more detail
- kifi/franz – Initialization – SimpleSQSClient constructor reference
- AWS SDK for Java > Developer Guide > Using IAM Roles to Grant Access to AWS Resources on Amazon EC2 – great resource for the correct use of temporary credentials

Update 2017/11/06: In the AWS SDK for Java 2.0 preview, DefaultAWSCredentialsProviderChain was renamed DefaultCredentialsProvider. Preview document here
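
An added example, not part of the original answer and not code from the AWS SDK or kifi/franz: a wrapper that makes the refresh behaviour described above observable by logging whenever the underlying provider starts returning a different access key. `RotationLoggingProvider`, the stand-in provider in `main` and the `ASIAEXAMPLE...` values are hypothetical and constructed; the interfaces are those of the AWS SDK for Java 1.x.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.BasicSessionCredentials;

// Hypothetical helper: wraps any provider and reports each credential rotation.
public final class RotationLoggingProvider implements AWSCredentialsProvider {
    private final AWSCredentialsProvider delegate;
    private String lastKeyId; // guarded by "this"

    public RotationLoggingProvider(AWSCredentialsProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public synchronized AWSCredentials getCredentials() {
        // Ask the delegate on every call and never cache the returned object;
        // caching it here would recreate the expired-snapshot problem.
        AWSCredentials current = delegate.getCredentials();
        String keyId = current.getAWSAccessKeyId();
        if (!keyId.equals(lastKeyId)) {
            // Log only the access key ID, never the secret key or session token.
            System.err.printf("credentials in use: keyId=%s temporary=%b%n",
                    keyId, current instanceof AWSSessionCredentials);
            lastKeyId = keyId;
        }
        return current;
    }

    @Override
    public void refresh() { delegate.refresh(); }

    public static void main(String[] args) {
        // Constructed stand-in for the instance-profile provider: it hands out
        // a new temporary key from the third call on, as a rotation would.
        final int[] calls = {0};
        AWSCredentialsProvider fake = new AWSCredentialsProvider() {
            @Override public AWSCredentials getCredentials() {
                String id = (++calls[0] < 3) ? "ASIAEXAMPLEOLD" : "ASIAEXAMPLENEW";
                return new BasicSessionCredentials(id, "constructed-secret", "constructed-token");
            }
            @Override public void refresh() { }
        };
        AWSCredentialsProvider provider = new RotationLoggingProvider(fake);
        for (int i = 0; i < 4; i++) provider.getCredentials(); // logs twice: OLD, then NEW
        // Real use: pass new RotationLoggingProvider(new DefaultAWSCredentialsProviderChain())
        // wherever the client constructor accepts an AWSCredentialsProvider.
    }
}
```

If a worker wired this way logs one key ID at startup and never another while ExpiredToken errors appear, the client is holding a credentials snapshot somewhere rather than the provider.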
