ensure credentials are regenerated on every connection

pkg/sessions/redis/aws-iam/auth.go

@@ -32,8 +32,8 @@ type AuthTokenGenerator struct {
 	region      string
 	req         *http.Request
 
-	credentials aws.Credentials
+	credentialsProvider aws.CredentialsProvider
-	signer      *v4.Signer
+	signer              *v4.Signer
 }
 
 func New(serviceName, clusterName, userName string) (*AuthTokenGenerator, error) {
@@ -44,17 +44,6 @@ func New(serviceName, clusterName, userName string) (*AuthTokenGenerator, error)
 	if err != nil {
 		return nil, err
 	}
-
-	credentials, err := cfg.Credentials.Retrieve(ctx)
-
-	if err != nil {
-		return nil, err
-	}
-
-	if credentials.AccessKeyID == "" || credentials.SecretAccessKey == "" {
-		return nil, fmt.Errorf("AccessKeyID or SecretAccessKey is empty")
-	}
-
 	queryParams := url.Values{
 		"Action":        {connectAction},
 		"User":          {userName},
@@ -75,19 +64,23 @@ func New(serviceName, clusterName, userName string) (*AuthTokenGenerator, error)
 	}
 
 	return &AuthTokenGenerator{
-		serviceName: serviceName,
+		serviceName:         serviceName,
-		region:      cfg.Region,
+		region:              cfg.Region,
-		req:         req,
+		req:                 req,
-		credentials: credentials,
+		credentialsProvider: cfg.Credentials,
-		signer:      v4.NewSigner(),
+		signer:              v4.NewSigner(),
 	}, nil
 }
 
 func (atg AuthTokenGenerator) Generate() (string, error) {
-
+	ctx := context.Background()
+	credentials, err := atg.credentialsProvider.Retrieve(ctx)
+	if err != nil {
+		return "", fmt.Errorf("AWS IAM credentials retrieval failed - %v", err)
+	}
 	signedURL, _, err := atg.signer.PresignHTTP(
-		context.Background(),
+		ctx,
-		atg.credentials,
+		credentials,
 		atg.req,
 		hexEncodedSHA256EmptyString,
 		atg.serviceName,