search

NASA-PDS / harvest

Standalone Harvest client application providing the functionality for capturing and indexing product metadata into the PDS Registry system (https://github.com/nasa-pds/registry).
https://nasa-pds.github.io/registry
Other
4 stars 3 forks source link

When harvest lasts more that one hour AWS credentials need to be renewed #172

Closed tloubrieu-jpl closed 2 months ago

tloubrieu-jpl commented 3 months ago

💡 Description

When the credentials expire, an exception management will allow:

  1. to renew the cognito token using the refresh token
  2. to renew the AWS credentials.

⚔️ Parent Epic / Related Tickets

No response

al-niessner commented 3 months ago

@tloubrieu-jpl @sarabond

Did this happen finally or are you just predicting it will happen? Can I get an account that has a 2 minute certificate time to build this fix/upgrade please? Something like mini-niessner would work well. I just do not want this to haunt me all the time when doing other development.

tloubrieu-jpl commented 3 months ago

@al-niessner , @alexdunnjpl , that could be an interesting use case for unit tests, especially if we cannot reduce the expiration period in dev. Al you could see if you can mock the opensearch response to return 403 to trigger the renewable of the credentials. However, you would also need to mock the cognito and /credentials interfaces, which will be more pain...

alexdunnjpl commented 3 months ago

@al-niessner @tloubrieu-jpl the AWS SDK should have automatic refresh handling as a built-in somewhere (AwsCredentialsProvider, looks like)

If it doesn't, build a wrapper for the credentials, whose getCredentials()

Then test it manually by temporarily setting that 5min value to "validity duration minus five seconds" and check that it's refreshing every five seconds.

The unit-testable component of this feature is vanishingly-small.