-
Notifications
You must be signed in to change notification settings - Fork 816
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add credential caching for AssumeRole #569
Conversation
Hi @mtibben!
The two levels of caching was there because the
Not 100% sure why you removed the existing tests? With reference to the above; the tests were deliberately written to break if a code-change also broke caching, because the caching was a key aspect of the desired behaviour for the SSO Provider. Not sure what you would want the tests to cover if not the behaviour of the code? 🤷♂️ |
We should be able to separate those concerns now @itsdalmo - caching is orthogonal to the credential creation code and tested separately |
I'm more interested in the behaviour of the interface, testing the internal code behaviour leads to brittle tests and makes refactoring difficult |
@mtibben This (possibly) breaks 5.5.0-beta2 for me with the
I was using 5.5.0-beta1 successfully in order to test out the YubiKey support which worked well. I can work around the panic by removing the session file from the backend manually and at least start up a session that way, but it's painful. I'm using MFA via YubiKey which is what led me to believe this change is the culprit. |
This implements caching for AssumeRole calls.
This has been a long time coming, and fixes #552, #532 and probably other issues too.
Approach
The approach to this was to
CachedSessionProvider
) so that it could cater for any type of sts.Credentials.As anticipated, I hit a snag with the new SSO provider, and needed to simplify it to move this forward. The SSO provider was using 2 layers of caching - one for the OIDC token and one for the SSO credentials. The SSO credentials was straightforward to use with the generalised
CachedSessionProvider
, but the OIDC was not, so the OIDC caching was removed. Apologies @rickardl @itsdalmo, I'd like to follow up with another PR to resolve this. Additionally the tests were a little brittle as it seemed to test the codepath rather than the behaviour. Perhaps with this simplification the tests are not necessary. Again lets follow up in another issue to address this @rickardl @itsdalmoHow it works
The role caching kicks in when an MFA device is used. This is the same behaviour as GetSessionToken, the rationale being that we only really want to store credentials when it's "useful" to do so. When there's no MFA device to worry about, the credential can be generated on demand without any friction.
Additionally, the new
SessionKeyring
makes more metadata available, so the list command can show the session expiryYou can test this out with v5.5.0-beta2