@JuanLeee JuanLeee commented Jun 17, 2025

Description

The secrets manager plugin currently stores secrets with no expiry time. Users should be able to specify the amount of time a secret stays in the wrapper's cache.

Manually tested with secret cache.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@JuanLeee JuanLeee force-pushed the refactor/expirationToken branch 7 times, most recently from bf31ec5 to 928d4e0 Compare June 19, 2025 11:12
@JuanLeee JuanLeee force-pushed the refactor/expirationToken branch from 928d4e0 to ca99cc4 Compare June 19, 2025 22:19
@JuanLeee JuanLeee force-pushed the refactor/expirationToken branch 2 times, most recently from 9961ade to 59dfd8b Compare June 19, 2025 22:38
self._secret = self._fetch_latest_credentials()
if self._secret:
AwsSecretsManagerPlugin._secrets_cache[self._secret_key] = self._secret
AwsSecretsManagerPlugin._secrets_cache.put(self._secret_key, self._secret, token_expiration_ns)
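
Review bot: On the new `_secrets_cache.put(...)` call, the third argument is named `token_expiration_ns`, which reads like an absolute expiry timestamp, and nothing at the call site says whether `put` expects a duration or a deadline on the `perf_counter_ns()` scale. Consider a name that states the meaning (a TTL-style name) or a one-line comment that this is a lifetime in nanoseconds. The lines shown also do not validate the value, so it is worth confirming upstream that a zero, negative or very large user-supplied setting cannot make a secret expire immediately or stay cached far longer than intended.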

@karenc-bq karenc-bq Jun 19, 2025

Based on the way CacheMap checks for expiration:

    def is_expired(self) -> bool:
        return time.perf_counter_ns() > self._expiration_time_ns

This should be

Suggested change
AwsSecretsManagerPlugin._secrets_cache.put(self._secret_key, self._secret, token_expiration_ns)
AwsSecretsManagerPlugin._secrets_cache.put(self._secret_key, self._secret, time.perf_counter_ns() + token_expiration_ns)

Contributor Author

Put already adds the time.perf_counter_ns()

    def put(self, key: K, item: V, item_expiration_ns: int):
        self._cache[key] = CacheItem(item, time.perf_counter_ns() + item_expiration_ns)
        self._cleanup()
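
The expiry semantics discussed in this thread, as an added example (not code from the pull request or the driver): `ExpiringCache` and `FakeClock` are hypothetical stand-ins for `CacheMap` with an injectable clock, and the positive-TTL check is an assumption. It shows that when `put` already adds the current counter value, a caller that pre-adds it stores a deadline far in the future and the secret outlives its intended lifetime.

```python
import time
from typing import Callable, Dict, Generic, Optional, Tuple, TypeVar

K = TypeVar("K")
V = TypeVar("V")


class ExpiringCache(Generic[K, V]):
    """Hypothetical stand-in for CacheMap: one absolute monotonic deadline per key."""

    def __init__(self, clock_ns: Callable[[], int] = time.perf_counter_ns):
        self._clock_ns = clock_ns  # injectable so expiry is testable without sleeping
        self._cache: Dict[K, Tuple[V, int]] = {}

    def put(self, key: K, item: V, ttl_ns: int) -> None:
        # ttl_ns is a duration; the deadline is computed here, exactly once.
        if ttl_ns <= 0:  # assumption: reject non-positive lifetimes
            raise ValueError("ttl_ns must be a positive duration in nanoseconds")
        self._cache[key] = (item, self._clock_ns() + ttl_ns)

    def get(self, key: K) -> Optional[V]:
        entry = self._cache.get(key)
        if entry is None:
            return None
        item, deadline_ns = entry
        if self._clock_ns() > deadline_ns:  # same comparison as is_expired()
            del self._cache[key]  # drop the stale secret instead of serving it
            return None
        return item


class FakeClock:
    """Constructed monotonic clock, so the demo is deterministic."""

    def __init__(self, start_ns: int):
        self.now_ns = start_ns

    def __call__(self) -> int:
        return self.now_ns


def demo() -> Tuple[Optional[str], Optional[str]]:
    ttl_ns = 60 * 1_000_000_000  # intended lifetime: 60 s
    clock = FakeClock(start_ns=10_000 * 1_000_000_000)  # constructed counter value
    cache: ExpiringCache[str, str] = ExpiringCache(clock)
    cache.put("duration", "constructed-secret", ttl_ns)  # caller passes a duration
    cache.put("pre-added", "constructed-secret", clock() + ttl_ns)  # clock added twice
    clock.now_ns += 2 * ttl_ns  # 120 s later, past the intended lifetime
    return cache.get("duration"), cache.get("pre-added")
```

`demo()` returns the lookups for both keys after 120 s: the entry stored with a duration is gone, while the entry stored with a pre-added deadline is still served.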

@JuanLeee JuanLeee force-pushed the refactor/expirationToken branch from 59dfd8b to 06c9894 Compare June 20, 2025 02:18
# Conflicts:
#	docs/using-the-python-driver/using-plugins/UsingTheAwsSecretsManagerPlugin.md
@JuanLeee JuanLeee force-pushed the refactor/expirationToken branch from 06c9894 to 2df14d5 Compare June 23, 2025 17:13
@karenc-bq karenc-bq merged commit 400f826 into aws:main Jun 23, 2025
6 checks passed