Adapter based AuthCache and including caches in project supervision tree #588
I'm working on a project where we are continually harvesting infrastructure data from AWS across hundreds of accounts. This is certainly not the typical use case since most projects USE Amazon, we interrogate it. So part of making requests is fetching and decrypting credentials. If we only used standard access/secret credentials this wouldn't be as much of an issue because I can pass them to `ExAws.request` as options, but AssumedRole and STSAssumedRole are very much used.

While my specific use case with lots of accounts is rare, I think there's some shared commonality with those fetching credentials from Vault, etcd or some other secret store. For me, I want to spin up a process for each account under a dynamic supervisor with the child_spec matching the credential type of the technique I'm using. Then when calling `ExAws.request` I can pass in an option for the pid or MFA to call to retrieve and merge the credentials. The pid I would look up from my registry.

I think this pattern has the added benefit of breaking up the current AuthCache into more specific modules. A user would add `ExAws.Config.ApiKeys` or `ExAws.Config.STSAssumedRole` or `ExAws.Config.CLIProfile` to their supervision tree depending on their credential type. The community could then contribute adapters for third party services. You could also get the same clean interface with `ExAws.request` if your cache is given a standard name via `GenServer.start_link`, which would be implicitly called for the standard user. Having a user add the cache to their supervision tree would allow ExAws to eventually just ship as a library rather than an application. But I do think this can be done without breaking changes.

I threw together a quick example of my idea for illustrative purposes. I'm not a big fan of the MFA call but I'm not sure of a better way at the moment since there's not a single module to act as an interface at the call site.
Thanks so much for your hard work on this great project and I look forward to your feedback!
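The pattern described in the PR body, as an added sketch that is not the PR's own code or part of ExAws: one credential-cache adapter process per account, and a helper that resolves a pid/name or an MFA into credentials merged into the request options. Module names, the `:credential_source` option, the placeholder refresh and the registry name are assumptions for illustration.

```elixir
defmodule MyApp.Creds.STSAssumedRole do
  @moduledoc "Hypothetical adapter cache: caches assumed-role credentials until they expire."
  use GenServer

  def start_link(opts), do: GenServer.start_link(__MODULE__, opts, name: Keyword.get(opts, :name))

  # Any caller holding the pid or registered name can fetch the current credentials.
  def get(server), do: GenServer.call(server, :get)

  @impl true
  def init(opts), do: {:ok, %{role_arn: Keyword.fetch!(opts, :role_arn), creds: nil, expires_at: 0}}

  @impl true
  def handle_call(:get, _from, state) do
    now = System.system_time(:second)
    state = if state.creds && now < state.expires_at, do: state, else: refresh(state, now)
    {:reply, state.creds, state}
  end

  # Placeholder for a real STS AssumeRole call; the values here are constructed.
  # A real adapter would use state.role_arn and keep the token's real expiry.
  defp refresh(state, now) do
    creds = [access_key_id: "ASIA_EXAMPLE", secret_access_key: "SECRET_EXAMPLE",
             security_token: "TOKEN_EXAMPLE"]
    %{state | creds: creds, expires_at: now + 3600}
  end
end

defmodule MyApp.Creds do
  @moduledoc "Resolves a :credential_source option into credentials merged into request options."

  def with_credentials(opts) do
    {source, rest} = Keyword.pop(opts, :credential_source)

    creds =
      case source do
        nil -> []                                   # fall back to whatever ExAws configures
        {m, f, a} when is_atom(m) and is_atom(f) -> apply(m, f, a)  # the MFA variant
        server -> MyApp.Creds.STSAssumedRole.get(server)            # pid or registered name
      end

    Keyword.merge(rest, creds)
  end
end

# Usage sketch: start one adapter per account under a DynamicSupervisor, registered in a
# hypothetical MyApp.CredRegistry, then look it up at the call site:
#   name = {:via, Registry, {MyApp.CredRegistry, account_id}}
#   ExAws.request(op, MyApp.Creds.with_credentials(credential_source: name))
```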