This app is depending on an AWS access key under the IAM user next-search-read-development

[simonplend]

The issue: In the course of regular key rotation, the existing AWS access key for the IAM user next-search-read-development was made inactive and a new one was created. Within the following 24 hours we discovered that the Onward Journey app for IG pages was using the key that had been made inactive and the app was no longer working.

User impact: At some point after the existing AWS access key was made inactive, the following error message was displayed directly to users in place of the Onward Journey block on IG pages (presumably once the app responses had fallen out of the Fastly cache and the Onward Journey service in-memory cache):

{"message":"The security token included in the request is invalid."}

Proposed solutions:

• This app should have its own appropriately named IAM user (e.g. next-search-read-ft-interactive-onwardjourney) and associated access key as we have no way of tracking what applications are using an access key.
• Put appropriate error handling in place so that users do not see a raw error message on FT.com IG pages if the Onward Journey app can't talk to Next ElasticSearch and all cached responses have expired (not sure where exactly this error handling would go).