StsAssumeRoleSessionCredentialsProvider is not using the session_duration attribute & is calling assume role with each request. #1179
Comments
Thanks for the bug report and the writeup on how you found it. I wish it was discovered in a less expensive way, though. 😭 At the very least we should get a PR for point three: update the documentation to explain current behavior. I really want to keep others from getting a surprise bill like that! On a more general note, our STS testing is lackluster and should be improved.
@matthewkmayer I'm working on the fix, will be ready in a week hopefully, will update the documentation as well & make a pull request.
@matthewkmayer I made a pull request for the documentation update. Thanks!
Is it likely that the STS provider will eventually include the auto refreshing behavior itself? It seems pretty counterintuitive to have to wrap it before getting sensible behavior, but I could see some argument for the current behavior.
Yes, the STS provider should get auto refreshing and caching behavior. Nobody's gotten around to doing that yet. 😄 I think it could be done by using the re-exported
There is a bug in the StsAssumeRoleSessionCredentialsProvider: a new request to assume role is made with each request for an AWS resource & the session_duration parameter is not used for caching.
This causes a huge load on performance & throttling of the Assume role API if you have a high load.
This value is valid for one hour, so it should be used till it expires as it blocks the cross account usage of Rusoto.
Example: Kinesis stream get records API is calling Assume Role with each request which shouldn't be the case.
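The caching behaviour discussed in this thread, as an added std-only sketch that is not part of the original issue and not Rusoto's code: credentials are reused until shortly before they expire, so many requests cost one AssumeRole call. The names `TempCreds`, `AssumeRole`, `CachingProvider`, `CountingSts` and `sts_calls_for`, and the 300-second refresh margin, are assumptions made for illustration.

```rust
use std::sync::atomic::{AtomicU32, Ordering};
use std::sync::Mutex;
use std::time::{Duration, Instant};

// Hypothetical stand-ins for illustration; these are not Rusoto types.
#[derive(Clone)]
pub struct TempCreds { pub access_key: String, pub expires_at: Instant }

pub trait AssumeRole {
    // One STS AssumeRole round trip; the result is valid for `session_duration`.
    fn assume_role(&self, now: Instant, session_duration: Duration) -> TempCreds;
}

// Reuses cached credentials and calls STS again only close to expiry.
pub struct CachingProvider<P: AssumeRole> {
    pub inner: P,
    session_duration: Duration,
    refresh_margin: Duration, // refresh this long before expiry
    cached: Mutex<Option<TempCreds>>,
}
impl<P: AssumeRole> CachingProvider<P> {
    pub fn new(inner: P, session_duration: Duration, refresh_margin: Duration) -> Self {
        Self { inner, session_duration, refresh_margin, cached: Mutex::new(None) }
    }
    // `now` is a parameter so expiry can be exercised without sleeping.
    pub fn credentials(&self, now: Instant) -> TempCreds {
        // The lock is held across the refresh so concurrent callers wait for
        // one AssumeRole call instead of each issuing their own.
        let mut slot = self.cached.lock().unwrap();
        if let Some(c) = slot.as_ref() {
            if now + self.refresh_margin < c.expires_at { return c.clone(); }
        }
        let fresh = self.inner.assume_role(now, self.session_duration);
        *slot = Some(fresh.clone());
        fresh
    }
}

// Constructed mock that counts AssumeRole calls instead of contacting STS.
pub struct CountingSts { pub calls: AtomicU32 }
impl AssumeRole for CountingSts {
    fn assume_role(&self, now: Instant, d: Duration) -> TempCreds {
        let n = self.calls.fetch_add(1, Ordering::SeqCst) + 1;
        TempCreds { access_key: format!("CONSTRUCTED-KEY-{}", n), expires_at: now + d }
    }
}

// Issues `requests` credential lookups `step` apart; returns the STS call count.
pub fn sts_calls_for(requests: u32, step: Duration) -> u32 {
    let sts = CountingSts { calls: AtomicU32::new(0) };
    let p = CachingProvider::new(sts, Duration::from_secs(3600), Duration::from_secs(300));
    let start = Instant::now();
    for i in 0..requests { p.credentials(start + step * i); }
    p.inner.calls.load(Ordering::SeqCst)
}

fn main() { println!("STS calls: {}", sts_calls_for(1000, Duration::from_secs(1))); }
```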