Improving CredentialsCache ExpiryWindow and ExpiryWindowJitterFrac Behaviors

[skmcgrail]

CredentialsCache allows users to artificially adjust the expiration of credentials by adjusting them to be marked as expired by some duration value prior to their original date/time. Additionally this window duration can be randomized by some amount by providing a percentage value for ExpiryWindowJitterFrac. This allows for some randomness to the artificial refresh window.

A downside to this behavior, which has always been present in the SDKs support for expiration windows, is that it has the potential to attempt to refresh the credentials each time until the underlying provider returns a new credential pair with a new expiration window, or an error occurs from the underlying provider.

A more desirable behavior would be for credentials object to not have its expiration time artificially adjusted, but instead have the CredentialsCache to store this information internally. When credentials are retrieved from the cache and are found to be in the ExpirationWindow, the still valid credentials would be returned to the caller immediately, and background goroutine would be spun off to attempt to refresh the credentials. There would only ever be a single refresh occurring at one time, and could be enforced via the singleflight group. Additionally, the window would be adjusted appropriately to prevent situations where the background refresh received the same credentials from the underlying provider. This "backoff" strategy would still allow for more proactive refreshing within the window, but would provide a cool-down period to avoid a continual stream of requests to the underlying provider.

Related: #946

[github-actions]

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.