Describe the bug
We are using EKS to grant permissions to our pod, so we depend on #2177 to make it work with the new AWS SDK version.
AWS_WEB_IDENTITY_TOKEN_FILE is read only once. But the content of that file expires after 24 hours, and EKS writes the new content to that same path.
Your environment
SDK version number
@aws-sdk/credential-provider-web-identity@3.13.1
Is the issue in the browser/Node.js/ReactNative?
Node.js
Details of the browser/Node.js/ReactNative version
node v14.15.0
Steps to reproduce
Run the service with EKS's IAM roles for service accounts set up.
The following code creates the Provider that is used by the other clients:
import { SQS } from '@aws-sdk/client-sqs'
import {
  STSClient,
  AssumeRoleWithWebIdentityCommand,
} from '@aws-sdk/client-sts'
import {
  AssumeRoleWithWebIdentityParams,
  fromTokenFile,
} from '@aws-sdk/credential-provider-web-identity'
import { Credentials, Provider } from '@aws-sdk/types'

const stsClient = new STSClient({})

// Exchanges the web identity token for temporary role credentials via STS
const roleAssumerWithWebIdentity = async (
  params: AssumeRoleWithWebIdentityParams,
) => {
  const { Credentials } = await stsClient.send(
    new AssumeRoleWithWebIdentityCommand(params),
  )
  if (
    !Credentials ||
    !Credentials.AccessKeyId ||
    !Credentials.SecretAccessKey
  ) {
    throw new Error(
      `Invalid response from STS.assumeRole call with role ${params.RoleArn}`,
    )
  }
  return {
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  }
}

// fromTokenFile picks up AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN from the environment
export const awsCredentials: Provider<Credentials> = fromTokenFile({
  roleAssumerWithWebIdentity,
})

const sqs = new SQS({ credentials: awsCredentials })

The above roleAssumerWithWebIdentity implementation is similar to getDefaultRoleAssumer in @aws-sdk/client-sts, so it could have the same issue.
The token from AWS_WEB_IDENTITY_TOKEN_FILE expires after 24 hours, so it takes time to reproduce this issue.
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Observed behavior
After 24 hours, the consumer client (in our case SQS) begins to throw ExpiredTokenException errors.
Expected behavior
The AWS SDK should pick up the latest file content from AWS_WEB_IDENTITY_TOKEN_FILE after it is updated.
Additional context
My main concern is this line here:
https://github.com/aws/aws-sdk-js-v3/pull/2177/files#diff-cbd992ccb3e9cb17b4557f156169a365838ccaab9335b808e2a956678b8231f3R74
I can try to modify my code to read from the token file like this:
import { readFileSync } from 'fs'

const roleAssumerWithWebIdentity = async (
  params: AssumeRoleWithWebIdentityParams,
) => {
  const { Credentials } = await stsClient.send(
    new AssumeRoleWithWebIdentityCommand({
      ...params,
      // re-read the projected token on every call so the content EKS rotates into the same path is used
      WebIdentityToken: readFileSync(process.env.AWS_WEB_IDENTITY_TOKEN_FILE!, { encoding: 'ascii' }),
    }),
  )
  if (!Credentials?.AccessKeyId || !Credentials.SecretAccessKey) {
    throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`)
  }
  return {
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  }
}
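The failure mode the report describes, as an added example that is not code from the issue or from the AWS SDK: a caching credential provider that reads the projected token once at construction, next to one that re-reads the token file on every credential refresh. STS and the clock are faked (FakeSts, the token-vN values and the one-hour credential lifetime are all constructed for the example) so it runs offline; the names below are assumptions, not SDK API. After the file is rotated and the cached credentials go stale, the read-once variant hits ExpiredTokenException while the re-reading variant gets fresh credentials.

```typescript
// Added example (not from the issue or @aws-sdk): read-once vs re-read token file.
import { mkdtempSync, readFileSync, writeFileSync } from 'fs'
import { tmpdir } from 'os'
import { join } from 'path'

interface Creds {
  accessKeyId: string
  secretAccessKey: string
  sessionToken: string
  expiration: Date
}

// Constructed stand-in for STS AssumeRoleWithWebIdentity: tokens in
// `validTokens` yield credentials good for one hour; any other token fails
// the way an expired, already-rotated projected token fails in practice.
class FakeSts {
  constructor(public validTokens: Set<string>, public now: () => Date) {}
  assumeRoleWithWebIdentity(webIdentityToken: string): Creds {
    if (!this.validTokens.has(webIdentityToken)) {
      const err = new Error('Token expired: ' + webIdentityToken)
      err.name = 'ExpiredTokenException'
      throw err
    }
    return {
      accessKeyId: 'fake-access-key-' + webIdentityToken,
      secretAccessKey: 'fake-secret-' + webIdentityToken,
      sessionToken: 'session-' + webIdentityToken,
      expiration: new Date(this.now().getTime() + 60 * 60 * 1000),
    }
  }
}

type Provider = () => Creds

// Caches credentials and refreshes them within 5 minutes of expiry.
// `getToken` decides WHEN the token file is read; that timing is the bug.
function cachingProvider(sts: FakeSts, getToken: () => string): Provider {
  let cached: Creds | undefined
  return () => {
    const soon = sts.now().getTime() + 5 * 60 * 1000
    if (!cached || cached.expiration.getTime() <= soon) {
      cached = sts.assumeRoleWithWebIdentity(getToken())
    }
    return cached
  }
}

// Variant 1 (the reported behaviour): token read once, at construction.
function readOnceProvider(sts: FakeSts, tokenFile: string): Provider {
  const token = readFileSync(tokenFile, 'ascii').trim()
  return cachingProvider(sts, () => token)
}

// Variant 2 (the expected behaviour): token read at every refresh, so the
// content EKS rotates into the same path is picked up.
function rereadProvider(sts: FakeSts, tokenFile: string): Provider {
  return cachingProvider(sts, () => readFileSync(tokenFile, 'ascii').trim())
}

// Runs the rotation scenario and reports how each variant fares.
function rotationScenario(): { readOnce: string; reread: string } {
  let clock = new Date('2021-04-01T00:00:00Z')
  const sts = new FakeSts(new Set(['token-v1']), () => clock)
  const tokenFile = join(mkdtempSync(join(tmpdir(), 'irsa-')), 'token')
  writeFileSync(tokenFile, 'token-v1\n')

  const once = readOnceProvider(sts, tokenFile)
  const reread = rereadProvider(sts, tokenFile)
  once()   // both succeed with token-v1 and cache one-hour credentials
  reread()

  // EKS rotates the projected token: new content, same path; the old token
  // is no longer accepted. Two hours later the cached credentials are stale.
  writeFileSync(tokenFile, 'token-v2\n')
  sts.validTokens = new Set(['token-v2'])
  clock = new Date(clock.getTime() + 2 * 60 * 60 * 1000)

  const outcome = (p: Provider): string => {
    try { return p().sessionToken } catch (e) { return (e as Error).name }
  }
  return { readOnce: outcome(once), reread: outcome(reread) }
}
```

The real SDK providers are async and memoized rather than this synchronous cache, but the ordering problem is the same: whatever is captured before the first refresh is what every later refresh sends to STS.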