Skip to content

Add distributed caching for GCP ID tokens #2278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Nov 27, 2025
Merged

Add distributed caching for GCP ID tokens #2278

merged 14 commits into from
Nov 27, 2025

Conversation

@reakaleek
Copy link
Member

@reakaleek reakaleek commented Nov 27, 2025
edited
Loading

Problem

Lambda containers were each generating GCP ID tokens independently.
When many containers start at once, they all call Google OAuth at the same time,
causing rate limit errors.

Solution

Implemented two-tier distributed cache to share tokens across all Lambda containers:

  • L1 (in-memory): Sub-millisecond access for warm Lambda invocations
  • L2 (DynamoDB): Cross-container sharing - first container generates token,
    others reuse it (prevents all containers calling Google at once)

Changes

  • New cache system: IDistributedCache, MultiLayerCache, DynamoDbDistributedCache
  • Updated GcpIdTokenProvider to use cache instead of static dictionary
  • Environment-aware: In-memory for dev, DynamoDB for prod/staging/edge
  • Token reused for 45 minutes (15-min safety buffer)
  • Added OTel tracing and structured logging

Infrastructure Required

DynamoDB table: docs-api-cache-${environment} with CacheKey partition key and TTL enabled.
Lambda IAM: dynamodb:GetItem + dynamodb:PutItem permissions.

@reakaleek reakaleek requested a review from a team as a code owner November 27, 2025 10:48
@reakaleek reakaleek requested review from Mpdreamz and cotti November 27, 2025 10:48
@reakaleek reakaleek self-assigned this Nov 27, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2025
View reviewed changes
@reakaleek reakaleek marked this pull request as draft November 27, 2025 11:41
reakaleek and others added 4 commits November 27, 2025 13:09
@reakaleek @github-code-quality
Potential fix for pull request finding 'Generic catch clause'
3ce7873 
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
@reakaleek
Fix formatting
db22e6d
@reakaleek
Fix syntax error and cleanup
64a172e
@reakaleek
Simplify
e3a2b17
@reakaleek reakaleek marked this pull request as ready for review November 27, 2025 12:56
@reakaleek @github-code-quality
Potential fix for pull request finding 'Missing Dispose call on local…
80f1766 
… IDisposable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
@reakaleek reakaleek merged commit 6cab771 into main Nov 27, 2025
28 checks passed
@reakaleek reakaleek deleted the feature/properly-cache-id-token branch November 27, 2025 23:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mpdreamz Mpdreamz Mpdreamz approved these changes

@cotti cotti Awaiting requested review from cotti cotti is a code owner automatically assigned from elastic/docs-engineering

+1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@reakaleek reakaleek

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reakaleek @Mpdreamz