AWS Credentials cache should be configurable and flexible instead of hard coded to 1 hour #36769
Description:
AWS access id, secret key, and session tokens read from the AWS credential file are cached for 1 hour. This can result in stale credentials due to caching happening before session tokens are refreshed, or when an invalid token is cached.
The desired behavior is split into two parts:
1. Behaviour #1 allows us to shorten/extend the cache TTL to match the timeframe our tokens are valid for.
2. Behaviour #2 allows us to update the credential file ad hoc and have those credentials be used by EnvoyProxy without needing to restart the application or wait for the cache TTL.
Relevant links:
Code where TTL is hardcoded
Comments
The two ways that I've thought about implementing desired behavior number 2 are:
In the event of an update, a flag Would appreciate opinions on this!
I think this request sounds reasonable.
This seems reasonable. I will take a look at implementing something along these lines after I've finished the curl deprecation patch.
@aabchoo would item 2 in your list be sufficient, i.e. we would reread credentials regardless of the current expiration time if the underlying credentials file has been modified? I have a PR for item 2 ready. However, item 1 requires an API change and will need some more thinking as to the best place to implement.
@aabchoo ping
Hi @nbaws, apologies for the delayed response 🙇 I completely missed this. Resolving item 2 will solve the problem! The plan was to have an external service refresh the credentials just prior to the credential expiration. I can live without item 1. Thank you for the help and apologies again for missing the previous tags!
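An added example (not Envoy's code) sketching both requested behaviours in Python: a configurable cache TTL, plus an mtime check so an edited credentials file is re-read before the TTL elapses. The profile name, the INI layout, the `reloads` counter and the `run_scenario` walkthrough with its constructed keys are assumptions made for the example.

```python
import configparser
import os
import tempfile
import time
from typing import Callable, Dict, Optional

class CredentialsFileCache:
    """Caches one profile of an INI-style AWS credentials file; re-reads when the
    configurable TTL elapses (behaviour #1) or the file's mtime changes (behaviour #2)."""

    def __init__(self, path: str, ttl_seconds: float = 3600.0, profile: str = "default",
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._path, self._ttl, self._profile, self._clock = path, ttl_seconds, profile, clock
        self._creds: Optional[Dict[str, str]] = None
        self._loaded_at, self._loaded_mtime_ns = float("-inf"), -1
        self.reloads = 0  # exposed so callers can observe when a refresh happened

    def get(self) -> Dict[str, str]:
        mtime_ns = os.stat(self._path).st_mtime_ns  # stat before read: a mid-read write is seen next call
        if (self._creds is None or self._clock() - self._loaded_at >= self._ttl
                or mtime_ns != self._loaded_mtime_ns):
            parser = configparser.ConfigParser()
            with open(self._path) as fh:
                parser.read_file(fh)
            sec = parser[self._profile]  # a missing/malformed profile raises; cached state stays untouched
            self._creds = {k: sec.get(k, "") for k in
                           ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")}
            self._loaded_at, self._loaded_mtime_ns = self._clock(), mtime_ns
            self.reloads += 1
        return self._creds

def _write(path: str, key: str, token: str, mtime_ns: int) -> None:
    with open(path, "w") as fh:
        fh.write(f"[default]\naws_access_key_id = {key}\naws_secret_access_key = s3cret\n"
                 f"aws_session_token = {token}\n")
    os.utime(path, ns=(mtime_ns, mtime_ns))  # pin mtime so the walkthrough ignores fs timestamp granularity

def run_scenario() -> Dict[str, object]:
    """Constructed walkthrough: 1 h TTL, file rewritten after 5 min, then TTL expiry."""
    now = [1_000.0]  # fake monotonic clock, advanced by hand
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        _write(path, "AKIAEXAMPLE0001", "token-v1", 1_000_000_000)
        cache = CredentialsFileCache(path, ttl_seconds=3600, clock=lambda: now[0])
        v1 = cache.get()["aws_session_token"]
        now[0] += 300
        still_v1 = cache.get()["aws_session_token"]  # inside TTL, same mtime: served from cache
        _write(path, "AKIAEXAMPLE0002", "token-v2", 2_000_000_000)
        v2 = cache.get()["aws_session_token"]        # mtime changed: reload well before the TTL
        now[0] += 3600
        cache.get()                                  # TTL elapsed, file unchanged: reload anyway
        return {"v1": v1, "still_v1": still_v1, "v2": v2, "reloads": cache.reloads}
```

Because the mtime is read before the file is opened, a rotation that lands while the file is being parsed is still picked up on the next call rather than being masked until the TTL runs out.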