aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Provide better caching logic for Credentials #584

Open JamesGAWS opened 11 months ago

JamesGAWS commented 11 months ago

Describe the feature

Add a feature that would permit credentials.Credentials to return the last successfully retrieved tokens if the configured credentials provider is unable to assume new credentials.

Use Case

This feature provides resiliency to TMDS, IMDS and STS service disruptions. The intended usage would be to set the max session duration on a role for 4-8 hours, set the session duration to that length, and for credentials to rotate more frequently (every hour for example). In the event of an outage in creds vending infrastructure, credentials would persist for 3-7 hours providing time for service to be restored without impacting clients.

Proposed Solution

This feature could be implemented at the credentials.Credentials.Get() method, or in the AssumeRoleProvider.Retrieve() method.

Other Information

No response

Acknowledgements

SDK version used

v1.44.315

Environment details (Version of Go (go version)? OS name and version, etc.)

macOS Monterey 12.6.5 (21G531)

RanVaknin commented 10 months ago

Hi @JamesGAWS,

Thanks for reaching out.

I think this is a reasonable feature request, however extending / changing the functionality of a credential provider would be a cross-SDK effort. Since cross-SDK feature requests require multi team coordination and are time consuming, they are weighed based on customer impact and engagement (upvotes, comments, duplicate requests). I just want to set your expectations that this will likely not get implemented in the near future.

In terms of immediate resolution, you can implement your own credential provider that extends the credential provider interface and implement your own retrieval logic with the desired 1-hour window and potentially cache the previous set of credentials in-memory.

Thanks again, Ran~
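The wrapper Ran suggests, and the rotate-hourly / fall-back-for-the-rest-of-the-session behaviour the issue asks for, written out as an added example. This is not code from aws-sdk-go or from either commenter. It assumes a local `Value` struct and `Provider` interface that mirror `credentials.Value` and `credentials.Provider` from aws-sdk-go v1 so the block compiles without the SDK; in real use you would import the SDK types and pass an `stscreds.AssumeRoleProvider` as the inner provider. `FallbackProvider`, `NewFallbackProvider`, `fakeSTS` and the `ASIA...` key ids are hypothetical names and constructed data for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Value and Provider mirror credentials.Value and credentials.Provider from
// aws-sdk-go v1 (assumption: copied here so the example builds without the SDK).
type Value struct {
	AccessKeyID, SecretAccessKey, SessionToken, ProviderName string
}

type Provider interface {
	Retrieve() (Value, error)
	IsExpired() bool
}

// FallbackProvider (hypothetical) wraps an STS-backed Provider. It asks the
// inner provider for fresh credentials every refreshEvery, but if that call
// fails it keeps serving the last successful Value until that Value has been
// alive for sessionLife. sessionLife must not exceed the DurationSeconds the
// role was assumed with, otherwise the cache serves a token STS already rejects.
type FallbackProvider struct {
	inner        Provider
	refreshEvery time.Duration
	retryAfter   time.Duration    // shorter interval used while STS is failing
	sessionLife  time.Duration
	Now          func() time.Time // injectable clock

	mu          sync.Mutex
	last        Value
	haveLast    bool
	obtainedAt  time.Time
	nextRefresh time.Time
	fallbacks   int
}

func NewFallbackProvider(inner Provider, refreshEvery, sessionLife time.Duration) *FallbackProvider {
	return &FallbackProvider{inner: inner, refreshEvery: refreshEvery,
		retryAfter: refreshEvery / 4, sessionLife: sessionLife, Now: time.Now}
}

// Retrieve implements Provider.
func (p *FallbackProvider) Retrieve() (Value, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	now := p.Now()

	if p.haveLast && now.Before(p.nextRefresh) {
		return p.last, nil // rotation not due yet
	}
	v, err := p.inner.Retrieve()
	if err == nil {
		p.last, p.haveLast = v, true
		p.obtainedAt, p.nextRefresh = now, now.Add(p.refreshEvery)
		return v, nil
	}
	// Vending failed: serve the cached set while it is inside its session and
	// retry sooner than usual so recovery is picked up quickly.
	if p.haveLast && now.Before(p.obtainedAt.Add(p.sessionLife)) {
		p.fallbacks++
		p.nextRefresh = now.Add(p.retryAfter)
		return p.last, nil
	}
	return Value{}, fmt.Errorf("fallback provider: refresh failed and no usable cached credentials: %w", err)
}

// IsExpired implements Provider: true when a refresh attempt is due, so that
// credentials.Credentials.Get will call Retrieve.
func (p *FallbackProvider) IsExpired() bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	return !p.haveLast || !p.Now().Before(p.nextRefresh)
}

// Fallbacks reports how often cached credentials were served because the inner
// provider failed; export it as a metric so an outage does not go unnoticed.
func (p *FallbackProvider) Fallbacks() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.fallbacks
}

// fakeSTS is a constructed stand-in for stscreds.AssumeRoleProvider with a
// switch that simulates an STS outage.
type fakeSTS struct {
	calls int
	fail  bool
}

func (f *fakeSTS) Retrieve() (Value, error) {
	f.calls++
	if f.fail {
		return Value{}, errors.New("sts: service unavailable")
	}
	return Value{AccessKeyID: fmt.Sprintf("ASIA%04d", f.calls), SecretAccessKey: "s",
		SessionToken: "t", ProviderName: "fakeSTS"}, nil
}

func (f *fakeSTS) IsExpired() bool { return true }

func main() {
	sts := &fakeSTS{}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := start
	p := NewFallbackProvider(sts, time.Hour, 4*time.Hour) // rotate hourly, 4h session
	p.Now = func() time.Time { return clock }
	for _, h := range []int{0, 1, 2, 3, 6} { // STS goes down at hour 2
		clock, sts.fail = start.Add(time.Duration(h)*time.Hour), h >= 2
		v, err := p.Retrieve()
		fmt.Printf("t=%dh key=%s err=%v fallbacks=%d\n", h, v.AccessKeyID, err, p.Fallbacks())
	}
}
```

Two caveats before shipping something like this. First, the extra resiliency comes from lengthening the role's session duration, which also lengthens the time a stolen session token stays usable; treat the fallback counter as an alert condition, not just a metric. Second, the v1 `credentials.Provider` interface does not expose the real expiry, so `sessionLife` is a fixed assumption here; if the inner provider also implements `credentials.Expirer` (`ExpiresAt() time.Time`) you can use that instead of a constant.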