Closed yankovs closed 7 months ago
It seems like the second bullet might be the easiest, actually. Both InstanceMetadataProvider and ContainerProvider return a RefreshableCredentials object when calling load. So what we want should be already achievable as is. It is just that we throw away this object and statically use the creds it provides once.
Instead, I believe this creds object should just be used to construct a session and then use self.s3 = session.client("s3") and then use the current codebase as is :). I'll experiment with this when I can.
Second option sounds good! Do you maybe know if this happens only with AWS or if other possible backends are affected as well?
Hey :)
I didn't test this with any other backend than ours, which is basically AWS ECS Fargate. I don't think I have the tools to test any other backend right now, but if someone is willing to, I'll be happy to help.
Hey!
I noticed an issue in the IAM auth feature I made a PR for a while back. Real world kartons are supposed to be long-running services and shouldn't crash, so essentially KartonBackend should be initialized once in their startup process. This means that the s3 client will use the same session_token and eventually it will expire and cause the karton to fail processing tasks 100% of the time.
There are a couple of ways to deal with it I think are worth discussion:
Make s3 client on each request: In mwdb, when a file object's get_or_create is called, a new temporary client is made every time. This solves the problem because the session token doesn't have time to expire. Similarly, we can move the s3 client creation to a separate method:
However, this can potentially create overhead and reduce the performance because of the constant creation of the client.
Implement credential refresh mechanism: Tools to do this should already exist in botocore, but this is more complicated overall. One thing that comes to mind is to use botocore's existing codebase to check if credentials need a refresh before every call to process method of any karton. So essentially: