Skip to content

Refresh credentials atomically #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 26 commits into
base: master
Choose a base branch
from
Open

Refresh credentials atomically #444

wants to merge 26 commits into from

Conversation

@keithduncan
Copy link

@keithduncan keithduncan commented Apr 29, 2025

I have implemented a draft fix for #443. This changes the Paws::Credential API contract to have a refresh method to retrieve the providers' credentials rather than exposing access_key, secret_key, and session_token directly.

Pushing all accesses though a method which returns a single product type means field retrieval cannot be sheared by a refresh between reads.

I have reused the Paws::Credential::Explicit type as the return value from refresh as it is already a product type of these three fields. I did and still do consider creating a new type which includes an expiration field so that the fields carry their expiration with them rather than it being a property of the provider.

There is more work that can be done on the providers' error handling. When we have a cached credential and are pre-emptively refreshing we can return the cached credential instead of failing to refresh.

I think we could also refactor some of the common refresh code, cache and expiration handling out of the providers and into the Paws::Credential role.

@keithduncan
Change the contract on credential to return a single field
f03b83f
@keithduncan
None returns undef
dedba06
@keithduncan
Environment credentials returns atomically
1e89e28
@keithduncan
Explicit returns itself from credential resolution
b271239
@keithduncan
Implement AssumeRole atomically
98669bf
@keithduncan
Implement AssumeRoleWithSAML atomically
7278643
@keithduncan
Make CredProcess atomic
bae45b0
@keithduncan
Make ECSContainerProfile atomic
8b0edbe
@keithduncan
Make file atomic
a7c3dbf
@keithduncan
Make InstanceProfile atomic
0e8dd75
@keithduncan
Make InstanceProfileV2 atomic
c9b8e2a
@keithduncan
Make provider chain atomic
f8a3138
@keithduncan
Make STS atomic
431c387
@keithduncan
Make the credentials contract that they implement refresh
e90f75a
@keithduncan
Update tests for the refresh method
bec875b
@keithduncan
Remove handles forwarding of the credential methods, these aren't imp…
cc05f3c 
…lemented on Paws::Credential any more
@keithduncan
Update the signers to use ->refresh to get their fields
d62e2c5
@keithduncan
handles doesn't allow with requirements to be satisfied
84a8d21
@keithduncan
Fix JSONCaller retriving the access_key
08bf923
@keithduncan
Add creds as an argument to sign
1a0a076 
This needs to be passed through in cases where the creds have already been retrieved to avoid shearing
@keithduncan
Allow explicit to have an undef session token
67bfd50
@keithduncan
Fix the file provider when returning credentials from the profile
66aa01d
@keithduncan
Fix refreshing creds for credprocess
731fb02
@keithduncan
Remove comma creating void context for string rather than argument
7998ea9
@keithduncan
Fix warning in test about comparing numeric to undefined
6160fbc
@keithduncan
Replace implementation of refresh with handles and move with to the e…
d463e28 
…nd of the file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@keithduncan