Latency issues w/ STS credentials #4385

Closed
yulius-take2 opened this issue May 3, 2022 · 5 comments

@yulius-take2

Describe the bug

EKS uses the token-based credentials to exchange the token w/ the key/secret pair. We were seeing random high latency of up to 5 seconds when calling DynamoDB.

We found the solution here.
https://www.rokt.com/engineering-blog/improving-app-latency-eks/

Summary of issues.

  1. The SDK uses sts.amazonaws.com instead of the region-specific URL (sts.us-east-1.amazonaws.com). The DNS sometimes returns IPs that are far away for some reason and the queries can take a couple of seconds.
  2. When a token expires and a refresh happens, it is done in the current request's goroutine. The fix in the blog creates another goroutine to periodically refresh the key/secret from the token to prevent slow queries.

Expected Behavior

STS should use a goroutine to refresh credentials in the background so queries don't pay for the latency caused by a refresh.
STS should use the region in the hostname, e.g. sts.us-east-1.amazonaws.com instead of sts.amazonaws.com.

Current Behavior

STS token refresh happens inline w/ the request
STS uses sts.amazonaws.com to refresh the token without regard to the region.

Reproduction Steps

Use STS-enabled EKS. Do a poll request to Dynamo or some other service. During refreshes, there will be latency issues.

Possible Solution

https://www.rokt.com/engineering-blog/improving-app-latency-eks/

Additional Information/Context

No response

SDK version used

v1.40.54

Environment details (Version of Go (go version)? OS name and version, etc.)

go version go1.17.9 linux/amd64/Linux social-service-api-develop-7f4f4bd4cb-lhjfg 5.4.181-99.354.amzn2.x86_64 #1 SMP Wed Mar 2 18:50:46 UTC 2022 x86_64 Linux
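
An added example, not code from the SDK, the Rokt post, or any participant in this thread: a standard-library sketch of the background refresh asked for under Expected Behavior, where requests read cached credentials and a separate goroutine renews them ahead of expiry. `Creds`, `Cache`, `NewCache` and the `fetch` callback (a stand-in for the STS token exchange) are hypothetical names.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// Creds is a constructed stand-in for the key/secret pair obtained from the token.
type Creds struct{ AccessKeyID string; Expires time.Time }

// Cache holds the latest Creds; Get reads them without touching the network.
type Cache struct{ v atomic.Value }

func (c *Cache) Get() Creds { return c.v.Load().(Creds) }

// NewCache fetches once inline, then renews `early` before each expiry until ctx ends.
func NewCache(ctx context.Context, fetch func(context.Context) (Creds, error), early time.Duration) (*Cache, error) {
	first, err := fetch(ctx) // fetch: hypothetical stand-in for the STS exchange
	if err != nil {
		return nil, err
	}
	c := &Cache{}
	c.v.Store(first)
	go func() {
		for {
			wait := time.Until(c.Get().Expires) - early
			if wait < 50*time.Millisecond {
				wait = 50 * time.Millisecond // floor; also the retry delay after a failure
			}
			select {
			case <-ctx.Done():
				return
			case <-time.After(wait):
			}
			if next, err := fetch(ctx); err == nil { // on error keep the old value, retry
				c.v.Store(next)
			}
		}
	}()
	return c, nil
}

func main() { // constructed demo: a fake exchange issuing 1s credentials
	fetch := func(context.Context) (Creds, error) { return Creds{"AKIDEXAMPLE", time.Now().Add(time.Second)}, nil }
	c, _ := NewCache(context.Background(), fetch, 500*time.Millisecond)
	time.Sleep(1200 * time.Millisecond) // two background renewals happen meanwhile
	fmt.Println("still valid:", c.Get().Expires.After(time.Now()))
}
```

If a renewal fails, the cache keeps serving the previous value until it expires, so callers should still check `Expires` before signing a request.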

@yulius-take2 yulius-take2 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 3, 2022
@rittneje
Contributor

rittneje commented May 9, 2022

> The SDK uses sts.amazonaws.com instead of the region-specific URL (sts.us-east-1.amazonaws.com). The DNS sometimes returns IPs that are far away for some reason and the queries can take a couple of seconds.

This can be addressed in one of three ways:

  1. Set the eks.amazonaws.com/sts-regional-endpoints annotation on your ServiceAccount. https://github.com/aws/amazon-eks-pod-identity-webhook#eks-walkthrough
  2. Set the AWS_STS_REGIONAL_ENDPOINTS environment variable in your pod spec.
  3. Set the STSRegionalEndpoint field in your aws.Config.

@vudh1 vudh1 self-assigned this May 24, 2022
@marselester

I've put together some code based on Rokt's post https://github.com/marselester/awscreds. Maybe it will be useful to someone as a starting point.

@vudh1 vudh1 added needs-review This issue or pull request needs review from a core team member. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 1, 2022
@vudh1 vudh1 removed their assignment Aug 25, 2022
@RanVaknin RanVaknin added the p3 This is a minor priority issue label Mar 27, 2023
@RanVaknin
Contributor

Hi all,

This is a pretty old issue, and I see that there are a number of suggestions / workarounds on the thread.
If this still persists, can you please give v2 a try, and if it persists please open a separate issue on the v2 repo?

Thanks,
Ran~

@RanVaknin RanVaknin self-assigned this Apr 11, 2024
@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-review This issue or pull request needs review from a core team member. labels Apr 11, 2024
@marselester

Hi Ran, unfortunately I no longer can check if the issue persists.

@RanVaknin RanVaknin closed this as not planned Won't fix, can't repro, duplicate, stale Apr 11, 2024