StsAssumeRoleSessionCredentialsProvider is not using the session_duration attribute & is calling assume role with each request. #1179
Comments
|
|
Thanks for the bug report and the writeup on how you found it. I wish it was discovered in a less expensive way, though. 😭 At the very least we should get a PR for point three: update the documentation to explain current behavior. I really want to keep others from getting a surprise bill like that! On a more general note, our STS testing is lackluster and should be improved. |
|
@matthewkmayer I'm working on the fix, will be ready in a week hopefully, will update the documentation as well & make a pull request. |
|
@matthewkmayer I made a pull request for the documentation update. Thanks! |
|
Is it likely that the STS provider will eventually include the auto refreshing behavior itself? It seems pretty counterintuitive to have to wrap it before getting sensible behavior, but I could see some argument for the current behavior. |
|
Yes, the STS provider should get auto refreshing and caching behavior. Nobody's gotten around to doing that yet. 😄 I think it could be done by using the re-exported |
There is a bug in the StsAssumeRoleSessionCredentialsProvider that a new request to assume role is done with each request of AWS resource & the session_duration parameter is not used for caching.
This cause a huge load on performance & throttling the Assume role API if you have a high load.
This value is valid for one hour, so it should be used till it expires as it blocks the cross account usage of Rusoto.
Example: Kinesis stream get records API is calling Assume Role with each request which shouldn't be the case.
The text was updated successfully, but these errors were encountered: