As per Vault documentation, once an API call to rotate root IAM credentials is made, subsequent calls from vault to AWS may fail for a few seconds. What will be the Vault behavior during this window to client requests? Vault will retry before responding to client with dynamic credentials or throws an immediate error to client?