AWS Credentials cache should be configurable and flexible instead of hard coded to 1 hour #36769
Comments
aabchoo
added
enhancement
mattklein123
added
area/aws
and removed
enhancement
|
The two ways that I've thought about implementing desired behavior number 2 is:
In the event of a update, a flag Would appreciate opinions on this! |
|
i think this request sounds reasonable |
|
this seems reasonable. i will take a look at implementing something along these lines after i've finished curl deprecation patch. |
|
@aabchoo would item 2 in your list be sufficient - ie we would reread credentials regardless of the current expiration time if the underlying credentials file has been modified? I have a PR for item 2 ready. However item 1 requires an API change and will need some more thinking as to the best place to implement. |
|
@aabchoo ping |
|
Hi @nbaws, apologies for the delayed response 🙇 I completely missed this. Resolving item 2 will solve the problem! The plan was to have an external service refresh the credentials just prior to the credential expiration. I can live without item 1. Thank you for the help and apologies again for missing the previous tags! |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
nostale |
github-actions
bot
removed
the
stale
…oad (#37834) Commit Message: aws: update credential provider proto and support credential file reload Additional Description: Allows for customisation of the credential provider settings, using the credential provider proto added in #36217 Risk Level: Low Testing: Unit Docs Changes: Updated Release Notes: Updated Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] Addresses #36769 and partially addresses #37432 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain <[email protected]>
|
@aabchoo Please see the last example here https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/aws_request_signing_filter#example-configuration to see how you can implement file based reload for your credentials. Note that the envoy file watching implementation will require you to move the file into the watched directory, not just modify it inline. Let me know if this addresses your use case. |
|
We have pivoted off using the credential files recently, but this does address what we were intending to do. Thanks you for taking the time to implement this! |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
Title: AWS Credentials cache should be configurable and flexible instead of hard coded to 1 hour
Description:
AWS access id, secret key, and session tokens read from AWS credential file are cached for 1 hour. This can result in stale credentials due to caching happening before session tokens are refreshed, or when an invalid token is cached.
The desired behavior is split into two parts:
Behaviour #1 allows us to shorten/extend the cache TTL to match the timeframe our tokens are valid for
Behaviour #2 allows us to update credential file adhoc and have those credentials be used by EnvoyProxy without needing to restart the application or wait for the cache TTL
[optional Relevant Links:]
Code where TTL is hardcoded
The text was updated successfully, but these errors were encountered: