You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Having thought a bit more about #1282, it just occurred to me that if aiobotocore loads credentials when the client is created, it stores the static values of aws_access_key_id, aws_secret_access_key, aws_session_token resolved at that time somewhere in the client object and never refreshes them, right?
I'm rather unexperienced with Python and boto yet, but I know JS and Rust SDKs don't do that. They load credentials lazily on the first API call and their client constructors are pure, infallible and synchronous. This credentials lazy loading model makes a lot of sense to me. I don't understand why [aio]botocore operates with static credential values, since they can expire pretty quickly and an auto-refreshing credentials provider must be used directly in the client.
Maybe I'm missing something, because I saw the answer #1119 (reply in thread) to a similar discussion where @thehesiod wrote a comment that using the client indefinitely is safe. Then why is it safe? Maybe I'm reading the code wrong? I can't unsee the fact that credentials are loaded eagerly, and they are cached indefinitely here:
I also don't see that the credentials track the expiration timestamp at all. For example, the credentials object in Rust SDK has an expires_after property (code link), while in botocore the Credentials object doesn't seem to have that property at all (code link). Maybe that method property somehow does the magic?
Also boto3 docs mention that credentials refreshing should be done automatically in the AssumeRole provider section, but the current eager credentials loading behaviour somehow contradicts this statement.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Having thought a bit more about #1282, it just occurred to me that if
aiobotocoreloads credentials when the client is created, it stores the static values ofaws_access_key_id,aws_secret_access_key,aws_session_tokenresolved at that time somewhere in the client object and never refreshes them, right?I'm rather unexperienced with Python and boto yet, but I know JS and Rust SDKs don't do that. They load credentials lazily on the first API call and their client constructors are pure, infallible and synchronous. This credentials lazy loading model makes a lot of sense to me. I don't understand why
[aio]botocoreoperates with static credential values, since they can expire pretty quickly and an auto-refreshing credentials provider must be used directly in the client.Maybe I'm missing something, because I saw the answer #1119 (reply in thread) to a similar discussion where @thehesiod wrote a comment that using the client indefinitely is safe. Then why is it safe? Maybe I'm reading the code wrong? I can't unsee the fact that credentials are loaded eagerly, and they are cached indefinitely here:
aiobotocore/aiobotocore/session.py
Lines 89 to 93 in f13f103
I also don't see that the credentials track the expiration timestamp at all. For example, the credentials object in Rust SDK has an
expires_afterproperty (code link), while inbotocoretheCredentialsobject doesn't seem to have that property at all (code link). Maybe thatmethodproperty somehow does the magic?Also boto3 docs mention that credentials refreshing should be done automatically in the AssumeRole provider section, but the current eager credentials loading behaviour somehow contradicts this statement.
Beta Was this translation helpful? Give feedback.
All reactions