baolsen opened a new issue #16770: URL: https://github.com/apache/airflow/issues/16770
**Apache Airflow version**: 1.10.8 (Patched with latest AWS Hook) **Environment**: - **Cloud provider or hardware configuration**: 4 VCPU 8GB RAM VM - **OS** (e.g. from /etc/os-release): RHEL 7.7 - **Kernel** (e.g. `uname -a`): Linux 3.10.0-957.el7.x86_64 - **Install tools**: - **Others**: The AWS Hook functionality for AssumeRoleWithSAML is not available in this version, we manually added it via patching the hook file. **What happened**: We've been using this hook for a while now with this issue, basically sts.assume_role and sts.assume_role_with_saml will return temporary credentials that are only valid for eg 1 hour by default. Eventually with long running operators / hooks / sensors some of them fail because the credentials have expired. Example error messages An error occurred (ExpiredTokenException) when calling the AssumeRole operation: Response has expired An error occurred (ExpiredTokenException) when calling the AssumeRoleWithSAML operation: Response has expired botocore.exceptions.ClientError: An error occurred (ExpiredTokenException) when calling the <any operation here> operation: The security token included in the request is expired **What you expected to happen**: AWS hook should be updated to use boto3 RefreshableCredentials when temporary credentials are in use. **How to reproduce it**: Use any of the assume role methods with the AWS Hook, create a session, wait 1 hour (or whatever expiry period applies to your role), and try and use the hook again. **Anything else we need to know**: I have a solution, please self-assign this. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
