AmazonClientException: {"message":"The security token included in the request is expired"}

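Recently, a service deployed on an AWS Elastic Beanstalk EC2 instance ran into an expired-token problem when calling an API provided by a third-party service (that service is built on AWS API Gateway and AWS Lambda).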

com.amazonaws.AmazonClientException: {"message":"The security token included in the request is expired"} 
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632) 
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304) 
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743) 
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699) 
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667) 
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)

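At first I was quite puzzled by this problem: it did not occur when using other services, only with the API provided by this one, so I started investigating. I had read a lot of the AWS developer documentation and remembered it mentioning that token renewal is handled automatically inside the AWS SDK, so developers do not need to refresh tokens themselves. So I went to the official documentation and found the following: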
IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud

Retrieve security credentials from instance metadata

An application on the instance retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/role-name. The application is granted the permissions for the actions and resources that you've defined for the role through the security credentials associated with the role. These security credentials are temporary and we rotate them automatically. We make new credentials available at least five minutes before the expiration of the old credentials.

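In other words, the EC2 token information is stored in the instance metadata and is updated automatically. You can log in to the EC2 instance and run the following command to look it up: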

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${ec2_role_name}

Replace ${ec2_role_name} with the role you assigned to the EC2 instance.
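An added example, not from the original post: a Python check that reads the same metadata item as the curl command above (via an IMDSv2 session token) and reports how long the role credentials remain valid, without printing the secret key or session token. The function names and the sample document are constructed for illustration; the fields read (Code, AccessKeyId, Expiration) are those of the metadata response.

```python
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254/latest"
ROTATION_WINDOW_S = 300  # quoted docs: new credentials appear >= 5 minutes before expiry


def fetch_role_credentials(role_name, timeout=2):
    """Fetch the role credential document via IMDSv2 (session token, then GET)."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        session_token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS}/meta-data/iam/security-credentials/{role_name}",
                                 headers={"X-aws-ec2-metadata-token": session_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def _expiry(doc):
    return datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credential_status(document, now=None):
    """Summarise a credential document without exposing the secret key or token."""
    doc = json.loads(document)
    if doc.get("Code") != "Success":
        raise ValueError(f"metadata service returned Code={doc.get('Code')!r}")
    remaining = int((_expiry(doc) - (now or datetime.now(timezone.utc))).total_seconds())
    return {
        "access_key_id": doc["AccessKeyId"],
        "expiration": doc["Expiration"],
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
        # Inside this window the metadata service should already serve a newer document.
        "in_rotation_window": 0 < remaining <= ROTATION_WINDOW_S,
    }


def cached_copy_is_stale(cached_document, current_document):
    """True when the application still holds an older document than IMDS now serves."""
    return _expiry(json.loads(cached_document)) < _expiry(json.loads(current_document))


def sample_doc(key_id, expiration):
    """Constructed sample (fake values) shaped like the metadata response."""
    return json.dumps({"Code": "Success", "AccessKeyId": key_id, "Expiration": expiration,
                       "SecretAccessKey": "constructed", "Token": "constructed"})
```

On an instance, `credential_status(fetch_role_credentials(role))` gives the live values; comparing its `expiration` with the time of the failing request shows whether the request was signed with credentials that had already been rotated out.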

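Logging in remotely to the Elastic Beanstalk EC2 instance

Step 1: Create a key pair

Click here to create a key pair:

  1. Enter a name for the key pair
  2. For Key pair type, choose RSA
  3. For Private key file format, choose pem, because we are going to use it to SSH into the EC2 instance

Once the key pair is created, the key file is downloaded automatically. Be sure to keep this file safe; you will need it for SSH.

Step 2: Assign the key pair to the EC2 instance

  1. Click here to open the list of Beanstalk environments,
  2. Select the environment that the instance belongs to,
  3. Click the Configuration option in the left-hand menu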