You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
HTTP client version. IE for hackney do mix deps | grep hackney: hackney 1.20.1
Current behavior
When using SSO credentials e.g. config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}], ex_aws reads the cached OIDC token from ~/.aws/sso/cache/ and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat the aws sso login workflow.
ex_aws could try to reconstruct the hash algo for that part of awscli to do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g. ~/.ex_aws/cache/credentials/PROFILE_HASH.json. Then CredentialsIni.File could look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.
Let me know if this is a change you're open to making. Happy to contribute a PR if so.
The text was updated successfully, but these errors were encountered:
Environment
mix deps |grep ex_aws: ex_aws 2.5.5mix deps | grep hackney: hackney 1.20.1Current behavior
When using SSO credentials e.g.
config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}],ex_awsreads the cached OIDC token from~/.aws/sso/cache/and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat theaws sso loginworkflow.Expected behavior
Suggestion: The credentials returned by
request_sso_role_credentialscan have an expiration of >1h (in my setup it's 6h), soex_awscould cache those creds in the local filesystem. This is effectively whataws clidoes: https://github.com/boto/botocore/blob/287fb2bbe32f11d449826344d4c6a21da6b1c9c5/botocore/credentials.py#L687 pulls from~/.aws/cli/cache/HASH.jsonex_awscould try to reconstruct the hash algo for that part ofawsclito do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g.~/.ex_aws/cache/credentials/PROFILE_HASH.json. ThenCredentialsIni.Filecould look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.Let me know if this is a change you're open to making. Happy to contribute a PR if so.
The text was updated successfully, but these errors were encountered: