Error handling in periodic credential update #989

Open
@ynishinaka

Description

The fromWebIdentity passes to fetchAuthInBackground the action that performs the AssumeRoleWithWebIdentity [1]. AssumeRoleWithWebIdentity may throw ServiceError (as exception Amazonka.Types.Error), not just HTTPException. However, fetchAuthInBackground catches and throws only HTTPException to the original thread by throwTo, leaving other exceptions to the default handler [2]. Thus, if a ServiceError is thrown, the temporary credential update will be interrupted without the original thread being aware of it.

So, I believe that fetchAuthInBackground should either re-throw other exceptions raised by the action to the original thread or have some error recovery method.


[1]

    let getCredentials = do
          token <- Text.readFile tokenFile
          let assumeRoleWithWebIdentity =
                STS.newAssumeRoleWithWebIdentity
                  roleArn
                  sessionName
                  token
          resp <- runResourceT $ sendUnsigned env assumeRoleWithWebIdentity
          pure $ resp ^. STS.assumeRoleWithWebIdentityResponse_credentials
    -- As the credentials from STS are temporary, we start a thread that is able
    -- to fetch new ones automatically on expiry.
    keys <- liftIO $ fetchAuthInBackground getCredentials

[2] Because the RetrievalError constructor accepts an argument of type HTTPException, e must be of the same type:

    env <- Exception.try ma
    case env of
      Left e -> Exception.throwTo p (RetrievalError e)
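
The behaviour reported above can be reproduced with `base` alone. This is an added example, not code from the issue or from amazonka: `TransportFailure`, `ServiceFailure`, `RefreshFailed`, `narrowWorker`, `wideWorker` and `ownerNotified` are hypothetical names. It contrasts a `try` fixed to one exception type with one that catches `SomeException` and forwards it to the owning thread.

```haskell
{-# LANGUAGE ScopedTypeVariables #-}
import Control.Concurrent (ThreadId, forkIO, myThreadId, threadDelay)
import Control.Exception

-- Constructed stand-ins (assumptions): TransportFailure plays the role of
-- HTTPException, ServiceFailure the role of a ServiceError.
data TransportFailure = TransportFailure deriving Show
instance Exception TransportFailure
data ServiceFailure = ServiceFailure deriving Show
instance Exception ServiceFailure

-- Hypothetical wrapper delivered to the owning thread (cf. RetrievalError).
newtype RefreshFailed = RefreshFailed SomeException deriving Show
instance Exception RefreshFailed

-- Narrow handler: `try` is fixed to TransportFailure, so any other exception
-- passes through it and ends the worker without the owner being told.
narrowWorker :: ThreadId -> IO a -> IO ()
narrowWorker owner refresh = do
  r <- try refresh
  case r of
    Left (e :: TransportFailure) -> throwTo owner (RefreshFailed (toException e))
    Right _ -> pure ()

-- Wide handler: catches SomeException, so any exception raised while running
-- the refresh action is forwarded to the owner.
wideWorker :: ThreadId -> IO a -> IO ()
wideWorker owner refresh = do
  r <- try refresh
  case r of
    Left (e :: SomeException) -> throwTo owner (RefreshFailed e)
    Right _ -> pure ()

-- Fork a worker whose refresh fails with ServiceFailure; report whether the
-- owning thread received RefreshFailed while it was waiting.
ownerNotified :: (ThreadId -> IO () -> IO ()) -> IO Bool
ownerNotified worker = do
  owner <- myThreadId
  r <- try $ do
    _ <- forkIO (worker owner (throwIO ServiceFailure))
    threadDelay 200000 -- give the worker time to fail
  pure $ case r of
    Left (RefreshFailed _) -> True
    Right () -> False

main :: IO ()
main = do
  ownerNotified narrowWorker >>= \b -> putStrLn ("narrow handler notified owner: " ++ show b)
  ownerNotified wideWorker >>= \b -> putStrLn ("wide handler notified owner: " ++ show b)
```

With the narrow handler the worker thread's exception reaches only GHC's default handler for forked threads, so a monitoring check on the owning side has nothing to observe when refresh stops.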
