You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
HTTP client version. IE for hackney do mix deps | grep hackney: hackney 1.20.1
Current behavior
When using SSO credentials e.g. config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}], ex_aws reads the cached OIDC token from ~/.aws/sso/cache/ and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat the aws sso login workflow.
ex_aws could try to reconstruct the hash algo for that part of awscli to do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g. ~/.ex_aws/cache/credentials/PROFILE_HASH.json. Then CredentialsIni.File could look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.
Let me know if this is a change you're open to making. Happy to contribute a PR if so.
The text was updated successfully, but these errors were encountered:
Environment
mix deps |grep ex_aws
: ex_aws 2.5.5mix deps | grep hackney
: hackney 1.20.1Current behavior
When using SSO credentials e.g.
config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}]
,ex_aws
reads the cached OIDC token from~/.aws/sso/cache/
and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat theaws sso login
workflow.Expected behavior
Suggestion: The credentials returned by
request_sso_role_credentials
can have an expiration of >1h (in my setup it's 6h), soex_aws
could cache those creds in the local filesystem. This is effectively whataws cli
does: https://github.com/boto/botocore/blob/287fb2bbe32f11d449826344d4c6a21da6b1c9c5/botocore/credentials.py#L687 pulls from~/.aws/cli/cache/HASH.json
ex_aws
could try to reconstruct the hash algo for that part ofawscli
to do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g.~/.ex_aws/cache/credentials/PROFILE_HASH.json
. ThenCredentialsIni.File
could look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.Let me know if this is a change you're open to making. Happy to contribute a PR if so.
The text was updated successfully, but these errors were encountered: