Describe the bug
We get sporadically the following failure on assumeRoleWithWebIdentity():
[WebIdentityToken] must be a string or an object that implements __toString(). Found bool(false) (0)
Method: Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider->__invoke()
file_get_contents() return's bool(false).
It seems that the AWS_WEB_IDENTITY_TOKEN_FILE is locked or missing during loading of the file content. I don't know exactly what happens, when the token-file is updated with a new token but there seems to be a kind of race condition.
Version of AWS SDK for PHP?
v3.166.0
Version of PHP (php -v)?
PHP 7.3.25
To Reproduce (observed behavior)
I was able to reproduce it with an empty token, which leads to a similar problem:
First create an empty token file and set needed ENV's:
touch /tmp/token.file
export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/token.file
export AWS_ROLE_ARN=arn:aws:iam::123456789123:policy/AnyPolicy
Code:
use Aws\Credentials\CredentialProvider;
use GuzzleHttp\Promise\Coroutine;
$provider = CredentialProvider::assumeRoleWithWebIdentityCredentialProvider([]);
/** @var Coroutine $coroutine */
$coroutine = $provider();
$coroutine->then(function () {
echo 'success';
})->otherwise(function (\RuntimeException $e) {
echo sprintf('%s: %s', $e->getCode(), $e->getMessage());
});
Failure:
[WebIdentityToken] expected string length to be >= 4, but found string length of 1 (0)
Expected behavior
My guess is that the token file is sporadically locked or missing when it is in exchange.
I think this should lead to an AwsException with code "InvalidIdentityToken" to trigger the retry mechanism.
hi @tobiashaase,
Thank you for bringing this to our attention- we can definitely create a PR to check the type and length of the contents :)
I will close this issue when it is merged
-Sam
Hi @tobiashaase,
Just wanted to give you an update. I discussed it with some of the other SDKs, and determined the best solution is to implement retries in a way similar to the retries for using the credential file, but with a separate retry counter. I will make the changes and update the PR ASAP.
OK - thank you SamRemis.
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
Most helpful comment
Hi @tobiashaase,
Just wanted to give you an update. I discussed it with some of the other SDKs, and determined the best solution is to implement retries in a way similar to the retries for using the credential file, but with a separate retry counter. I will make the changes and update the PR ASAP.