Merge pull request #361 from hashicorp/b-authentication-retry

Removes no-op retryer for authentication

Author: gdavison

aws_config.go

@@ -65,19 +65,31 @@ func GetAwsConfig(ctx context.Context, c *Config) (context.Context, aws.Config,
 	if err != nil {
 		return ctx, aws.Config{}, err
 	}
+
+	// The providers set `MaxRetries` to a very large value.
+	// Add retries here so that authentication has a reasonable number of retries
+	if c.MaxRetries != 0 {
+		loadOptions = append(
+			loadOptions,
+			config.WithRetryMaxAttempts(c.MaxRetries),
+		)
+	}
+
 	loadOptions = append(
 		loadOptions,
 		config.WithCredentialsProvider(credentialsProvider),
 	)
+
 	if initialSource == ec2rolecreds.ProviderName {
 		loadOptions = append(
 			loadOptions,
 			config.WithEC2IMDSRegion(),
 		)
 	}
+
 	awsConfig, err := config.LoadDefaultConfig(baseCtx, loadOptions...)
 	if err != nil {
-		return ctx, awsConfig, fmt.Errorf("loading configuration: %w", err)
+		return ctx, aws.Config{}, fmt.Errorf("loading configuration: %w", err)
 	}
 
 	resolveRetryer(baseCtx, &awsConfig)
@@ -225,13 +237,6 @@ func commonLoadOptions(ctx context.Context, c *Config) ([]func(*config.LoadOptio
 		config.WithEC2IMDSClientEnableState(c.EC2MetadataServiceEnableState),
 	}
 
-	if c.MaxRetries != 0 {
-		loadOptions = append(
-			loadOptions,
-			config.WithRetryMaxAttempts(c.MaxRetries),
-		)
-	}
-
 	if !c.SuppressDebugLog {
 		loadOptions = append(
 			loadOptions,

credentials.go

@@ -26,10 +26,6 @@ func getCredentialsProvider(ctx context.Context, c *Config) (aws.CredentialsProv
 	}
 	loadOptions = append(
 		loadOptions,
-		// Bypass retries when validating authentication
-		config.WithRetryer(func() aws.Retryer {
-			return aws.NopRetryer{}
-		}),
 		// The endpoint resolver is added here instead of in commonLoadOptions() so that it
 		// is not included in the aws.Config returned to the caller
 		config.WithEndpointResolverWithOptions(credentialsEndpointResolver(ctx, c)),