Improve caching for SSO credentials workflow #1100

Open
alexkuang opened this issue Nov 20, 2024 · 0 comments

alexkuang commented Nov 20, 2024

Environment

  • Elixir & Erlang versions (elixir --version): Elixir 1.17.3 (compiled with Erlang/OTP 27)
  • ExAws version (mix deps | grep ex_aws): ex_aws 2.5.5
  • HTTP client version (mix deps | grep hackney): hackney 1.20.1

Current behavior

When using SSO credentials e.g. config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}], ex_aws reads the cached OIDC token from ~/.aws/sso/cache/ and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat the aws sso login workflow.

Expected behavior

Suggestion: The credentials returned by request_sso_role_credentials can have an expiration of >1h (in my setup it's 6h), so ex_aws could cache those creds in the local filesystem. This is effectively what aws cli does: https://github.com/boto/botocore/blob/287fb2bbe32f11d449826344d4c6a21da6b1c9c5/botocore/credentials.py#L687 pulls from ~/.aws/cli/cache/HASH.json

ex_aws could try to reconstruct the hash algo for that part of awscli to do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g. ~/.ex_aws/cache/credentials/PROFILE_HASH.json. Then CredentialsIni.File could look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.

Let me know if this is a change you're open to making. Happy to contribute a PR if so.
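A sketch of the cache layer proposed above, written as an added example for this page; it is not ex_aws code and not part of the issue. It assumes Elixir 1.17 on OTP 27 (so the OTP :json module is available for encoding and decoding), a cache file per profile under ~/.ex_aws/cache/credentials/, and that the function handed to fetch/3 (standing in for the existing fetch via the cached SSO token) returns a map whose "expiration" is an ISO 8601 string. The module name, directory layout and field names are all assumptions. The security-relevant parts are the ones a credentials cache needs and the issue text does not spell out: the directory is forced to mode 0700 and the file to 0600 before any secret is written to it, the write is atomic via rename so a reader never sees a half-written file, a corrupt file is a cache miss rather than a crash, and credentials within a safety margin of expiring are not served.

```elixir
# Added example, not ex_aws code: an on-disk cache for SSO role credentials.
# Module name, paths and the shape of the credentials map are assumptions.
defmodule SsoCredentialCache do
  @moduledoc """
  Caches the credentials obtained for an SSO profile under
  ~/.ex_aws/cache/credentials/<PROFILE_HASH>.json and reuses them until
  they are close to expiring, so the cached SSO token is only needed when
  the role credentials themselves have run out.
  """

  # Do not serve credentials that expire within this many seconds, so a
  # request started with an almost-expired key does not fail midway.
  @expiry_margin_seconds 60

  @spec cache_dir() :: Path.t()
  def cache_dir do
    Path.join([System.user_home!(), ".ex_aws", "cache", "credentials"])
  end

  @doc "Cache file for a profile: SHA-256 of the profile name, hex encoded."
  @spec cache_path(String.t()) :: Path.t()
  def cache_path(profile) when is_binary(profile) do
    hash = :crypto.hash(:sha256, profile) |> Base.encode16(case: :lower)
    Path.join(cache_dir(), hash <> ".json")
  end

  @doc """
  Returns the cached credentials for `profile` if the file exists, parses
  as a JSON object with an ISO 8601 "expiration", and is not within the
  safety margin of expiring; otherwise nil. Unreadable or corrupt files are
  treated as a miss, not an error.
  """
  @spec read(String.t(), DateTime.t()) :: map() | nil
  def read(profile, now \\ DateTime.utc_now()) do
    with {:ok, body} <- File.read(cache_path(profile)),
         {:ok, %{"expiration" => exp} = creds} when is_binary(exp) <- decode(body),
         {:ok, expires_at, _offset} <- DateTime.from_iso8601(exp),
         true <- DateTime.diff(expires_at, now) > @expiry_margin_seconds do
      creds
    else
      _ -> nil
    end
  end

  @doc """
  Persists credentials for `profile`. Permissions are restricted before the
  secret is written (directory 0700, file 0600), and the file is moved into
  place with a rename so readers never see a partially written file.
  """
  @spec write(String.t(), map()) :: :ok
  def write(profile, creds) when is_map(creds) do
    dir = cache_dir()
    File.mkdir_p!(dir)
    File.chmod!(dir, 0o700)

    path = cache_path(profile)
    tmp = path <> ".tmp"
    # Create empty, lock down, then write: the secret never exists on disk
    # with a permissive umask-derived mode.
    File.touch!(tmp)
    File.chmod!(tmp, 0o600)
    File.write!(tmp, :json.encode(creds))
    File.rename!(tmp, path)
  end

  @doc """
  Cache-first lookup. `fetch_fun` (the exchange of the cached SSO token for
  role credentials) runs only when nothing usable is cached, and its result
  is persisted for the next call.
  """
  @spec fetch(String.t(), (-> map()), DateTime.t()) :: map()
  def fetch(profile, fetch_fun, now \\ DateTime.utc_now()) do
    case read(profile, now) do
      nil ->
        creds = fetch_fun.()
        write(profile, creds)
        creds

      creds ->
        creds
    end
  end

  # :json.decode raises on malformed input; turn that into a miss.
  defp decode(body) do
    {:ok, :json.decode(body)}
  rescue
    _ -> :error
  end
end
```

Usage would be SsoCredentialCache.fetch("my-profile-here", fn -> existing_sso_fetch.() end); if the caller only has the raw epoch-millisecond expiration from the GetRoleCredentials API, convert it with DateTime.from_unix!(ms, :millisecond) |> DateTime.to_iso8601() before caching. One caveat on keying: hashing only the profile name, as the issue suggests, means that if ~/.aws/config is edited to point the same profile at a different account or role, the old role's credentials keep being served until they expire. That is the reason awscli hashes the full argument set; a cheap middle ground is to mix the account id and role name into the hash input so a config change invalidates the entry.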
