Add support for AWS temporary credentials #2573
Add support for AWS temporary credentials by allowing session tokens to be specified.
Assuming Secrets are kept up-to-date with valid session tokens, scalers using temporary credentials will error once after token expiration. The scaler cache for the corresponding ScaledObject will be cleared, the scaler will be rebuilt using the updated temporary credentials, and the scaler will resume operation.
Signed-off-by: Jacob Henner <[email protected]>
I am looking for feedback on whether waiting for an error is an acceptable way to trigger a credential refresh (i.e. reread the contents of the k8s Secret, which has presumably been updated with an unexpired session token). This approach worked in my testing, but I do realize there are at least a few potentially unwanted effects:
Lines 122 to 132 in 6b72e85
Are you able to distinguish the error caused by expired credentials? We might want to add a check in here to not include that in the metric or maybe better would be to introduce a new type of metrics for credentials expiration?
The logs reflect a 403 "ExpiredToken", but I haven't explored if the library that interacts with AWS parses the specifics of the error (or if it's just returning error text from the API), or how the specifics could be propagated back to KEDA. Assuming the error can be propagated back, how would we prefer to handle it? We could:
Those are all good questions, I think we can go ahead with this change as it is now and open an issue for the follow up?
Yep, that's fine by me. I'll make the changelog addition in a bit. Thanks!
Signed-off-by: Jacob Henner <[email protected]>
LGTM
@JacobHenner could you please open a follow-up issue with the concerns we raised here?
Checklist
Fixes #2495
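The behaviour this pull request describes (one failed poll after expiry, cached scaler cleared, rebuild from the updated Secret), together with the review suggestion to count expired-credential errors separately, as an added Go sketch that is not code from this PR or from KEDA. The types, the `errExpiredToken` sentinel and the token values are constructed for illustration, and the stand-in service accepts only the token currently stored in the Secret.

```go
package main

import "errors"
import "fmt"

var errExpiredToken = errors.New("403 ExpiredToken") // hypothetical stand-in
type creds struct{ keyID, sessionToken string }
// cache is a hypothetical model (not KEDA code) of one cached scaler.
type cache struct {
	readSecret     func() creds      // rereads the externally rotated Secret
	call           func(creds) error // stand-in for the AWS API request
	built          *creds            // credential snapshot the scaler was built with
	expired, other int               // expiry failures counted apart from the rest
}

func (c *cache) poll() error {
	if c.built == nil { // (re)build from the Secret's current contents
		snap := c.readSecret()
		c.built = &snap
	}
	err := c.call(*c.built)
	if errors.Is(err, errExpiredToken) {
		c.expired++
	} else if err != nil {
		c.other++
	}
	if err != nil {
		c.built = nil // clear the cached scaler; the next poll rebuilds it
	}
	return err
}

// simulate runs four polls; the constructed token rotates before the second.
func simulate() (ok []bool, expired, other int) {
	secret := creds{"AKIDEXAMPLE", "token-1"}
	c := &cache{readSecret: func() creds { return secret }}
	c.call = func(k creds) error {
		if k.sessionToken != secret.sessionToken {
			return fmt.Errorf("query failed: %w", errExpiredToken)
		}
		return nil
	}
	for _, tok := range []string{"token-1", "token-2", "token-2", "token-2"} {
		secret.sessionToken = tok
		ok = append(ok, c.poll() == nil)
	}
	return ok, c.expired, c.other
}
func main() { fmt.Println(simulate()) }
```

Only the poll that still holds the stale snapshot fails; because the wrapped error is classified with `errors.Is`, that single failure lands in the expiry counter rather than the general error count.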