dynamic aws credentials support #2135
Conversation
creds = credentials.NewChainCredentials(chain)

// We will watch for credential changes for non-static credentials
filename := os.Getenv("AWS_SHARED_CREDENTIALS_FILE")
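Review bot: `os.Getenv("AWS_SHARED_CREDENTIALS_FILE")` returns "" when the variable is unset, so the watch set up below would be attached to an empty path. Fall back to the SDK's default location (~/.aws/credentials, which the discussion below relies on) when the variable is empty, and skip starting the watch entirely when the chain resolved to static credentials, since the comment above says only non-static credentials are watched.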
We should probably also get the filename from the config if we can, then provide that to FileAWSCredentials. I really hate having to duplicate the FileAWSCredentials logic to determine the filename here (I guess we would have to anyway if there's no filename provided in the config).
}

// Launch the watch which will expire the credentials when fired
go func() {
We need to kill this goroutine when Thanos quits or dies. Is there a standard way Thanos does this atm for other goroutines?
Signed-off-by: Kush Patel <[email protected]>
Thanks for this! It's indeed not that much code, but I would love to focus on specifying first whether this is what we want.
This only fixes AWS, so it might introduce some snowflake. I think there is a quite easy long-term solution. Proposed here
Thanks for taking a look! For our use case it is what we want. What we do is we have our service. Then we have a "Vault Sidecar" attached to our service which refreshes AWS credentials every x minutes and writes the refreshed credentials (a ~/.aws/credentials file) to a directory. So we wouldn't be changing the Thanos config when this happens, and it would be a lot of work for us to do. So we would rely on this else block https://github.com/thanos-io/thanos/pull/2135/files#diff-bef8b149473cb313205c67f945d249ceR131, and a reloadable Thanos config would not help unless we reload ~/.aws/credentials (or the file path in the env var) as well.
This issue/PR has been automatically marked as stale because it has not had recent activity. Please comment on status otherwise the issue will be closed in a week. Thank you for your contributions.
closing
DO NOT MERGE. This is a proposal design and needs work.
Changes
Will watch for AWS credential changes.
Verification
If we are good with this design, then we can work on verification.
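As an added example (not code from this PR or from Thanos), a standard-library sketch of the design the description outlines and the two review comments probe: the credentials file is resolved the way the SDK does it (env var, else ~/.aws/credentials), a poller fires an expiry hook when the file changes, and the poller exits with its context so the goroutine's lifetime is not left open. The function names and the stat-based polling are assumptions; in the real chain, `creds.Expire` from aws-sdk-go would be passed as the hook.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"
	"time"
)
// Added example, not Thanos code; stat polling stands in for a real file watcher.
// sharedCredentialsPath mirrors the SDK default: the env var when set, else ~/.aws/credentials.
func sharedCredentialsPath() (string, error) {
	if p := os.Getenv("AWS_SHARED_CREDENTIALS_FILE"); p != "" {
		return p, nil
	}
	home, err := os.UserHomeDir()
	return filepath.Join(home, ".aws", "credentials"), err
}

// fingerprint is the cheap change signal (mtime plus size); ok is false while the file is absent, e.g. mid-rename.
func fingerprint(path string) (fp string, ok bool) {
	st, err := os.Stat(path)
	if err != nil {
		return "", false
	}
	return fmt.Sprintf("%d:%d", st.ModTime().UnixNano(), st.Size()), true
}

// watchCredentialsFile polls path every interval and calls onChange (pass creds.Expire
// from the SDK chain) when the fingerprint changes. It returns the change count only
// once ctx is cancelled, which is what binds the goroutine's lifetime to the caller's context.
func watchCredentialsFile(ctx context.Context, path string, interval time.Duration, onChange func()) int {
	last, _ := fingerprint(path) // baseline; "" for a missing file, so its arrival counts as a change
	changes := 0
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return changes
		case <-t.C:
			fp, ok := fingerprint(path)
			if !ok || fp == last {
				continue // absent mid-rewrite, or unchanged: nothing to expire
			}
			last, changes = fp, changes+1
			onChange()
		}
	}
}
```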