Open lattwood opened 4 days ago
Hi @lattwood ,
Thanks for this report! We just delegate to the AWS Rust SDK for credentials loading, so it seems like there might be an issue upstream. I'm not seeing any reports there though 🤔 We are also behind on aws-config
(ref: https://github.com/vectordotdev/vector/pull/20663) so it could be a bug that they've fixed.
Oh, actually, I missed that this was the Prometheus Remote Write sink which does somewhat manual request signing. It does seem like we might not be using the cached credential provider there and instead, as you observed, loading them on each request.
A note for the community
Problem
When using the
credential_process
feature of the AWS SDK, I would expect it to cache the credentials until it gets closer to the expiration time.This does not appear to be the case, and it is running the process every time it does a remote write to AWS, creating a lot of INFO level logs as you can see in this issue.
We need to use this functionality because there's no support for passing a session token in the vector config, and we're running it on all our Nomad agents. We use Nomad & Vault to provide access to IAM roles as required via the attached shell scripts (once they've been templated through Nomad).
Configuration
Version
0.42.0
Debug Output
Example Data
This is the contents of the file located at the value of the
AWS_CONFIG
environment variable, or "~/.aws/config"This is the contents of the file referred to by
{{ env "NOMAD_SECRETS_DIR" }}/aws/credential_process
Additional Context
No response
References
No response