rust-s3

aws-creds's `Credentials` initialized with `from_instance_metadata` are broken after 6 hours.

Open Ten0 opened this issue 4 years ago • 8 comments

Describe the bug

aws-creds's Credentials initialized with from_instance_metadata are broken after 6 hours, because they expire, as explained here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

To Reproduce

Initialize Credentials with from_instance_metadata. Wait 6 hours. Attempt an action that requires these credentials to be valid.

Expected behavior

Still works.

Environment

  • Rust version: latest stable (1.49)
  • lib version: aws-creds 0.26.0

Solving

Credentials should probably be a structure containing either:

  • constant credentials
  • that they should be fetched from the instance, that the current are these, and that they expire at Expiration. (Expiration is one of the keys returned by the call to 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).

In the second case, they should be automatically re-fetched whenever they expire.

Ten0 • Jan 13 '21 21:01

@Ten0 another great catch, I'll look into automatically refreshing these, that is the expected behavior for sure.

durch • Jan 14 '21 10:01

@Ten0 sorry for going AWOL on this, work/life asserted themselves, will try and pick it up next week

durch • Jan 29 '21 21:01

No worries, thanks for your dedication :) In the meantime I've got a disgusting workaround rebuilding the Bucket every 6 hours.

Ten0 • Jan 29 '21 22:01

Question, does this mean accessing buckets after 6 hours will not work and you will need to re-create and populate the bucket every 6 hours?

kennetpostigo • Mar 16 '21 18:03

> Question, does this mean accessing buckets after 6 hours will not work and you will need to re-create and populate the bucket every 6 hours?

Not "bucket" in the sense of "AWS bucket", but Bucket in the sense of aws_s3::Bucket. The struct has to be rebuilt because the credentials stored inside become invalid after 6 hours, so it just stops working.

Ten0 • Mar 16 '21 21:03

So we're actually having issues with this because in fact credentials duration isn't always 6 hours, it's sometimes less (and specified by the Expiration key). So it would be great to have a fix for this, that relies on the Expiration key, or at least to have access to the expiration on the credentials.

I have https://github.com/Ten0/rust-s3/tree/FIX-AllowAccessToCredentialsExpiration for that and would open a PR, but it's based on #200 which is still not merged.

Ten0 • Aug 27 '21 19:08
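The structure proposed in the opening post, refreshed from the `Expiration` value as the comment above asks, sketched as an added example (not code from aws-creds, rust-s3 or the linked branch). `CredentialSource`, `Fetched`, the `fetch` closure (standing in for the HTTP call to the metadata endpoint) and the refresh `margin` are hypothetical names and assumptions.

```rust
use std::time::{Duration, SystemTime};

// No Debug derive: keeps the secret out of accidental log output.
#[derive(Clone, PartialEq)]
pub struct Creds { pub access_key: String, pub secret_key: String, pub session_token: Option<String> }

/// What one metadata lookup yields: credentials plus their `Expiration`.
pub type Fetched = Result<(Creds, SystemTime), String>;

/// Hypothetical type (not the aws-creds API): constant credentials, or
/// instance credentials that remember when they expire.
pub enum CredentialSource<F: FnMut() -> Fetched> {
    Static(Creds),
    Refreshing { fetch: F, cached: Option<(Creds, SystemTime)>, margin: Duration },
}

impl<F: FnMut() -> Fetched> CredentialSource<F> {
    pub fn refreshing(fetch: F, margin: Duration) -> Self {
        CredentialSource::Refreshing { fetch, cached: None, margin }
    }

    /// Credentials usable at `now`; re-fetches when nothing is cached or the
    /// cached set expires within `margin`. Never hands out an expired set.
    pub fn get(&mut self, now: SystemTime) -> Result<Creds, String> {
        match self {
            CredentialSource::Static(c) => Ok(c.clone()),
            CredentialSource::Refreshing { fetch, cached, margin } => {
                let stale = match cached {
                    Some((_, expires)) => now + *margin >= *expires,
                    None => true,
                };
                if stale {
                    let (creds, expires) = fetch()?;
                    if expires <= now {
                        return Err("fetched credentials are already expired".into());
                    }
                    *cached = Some((creds, expires));
                }
                Ok(cached.as_ref().unwrap().0.clone())
            }
        }
    }
}

fn main() {
    // Constructed stand-in for the metadata request; values are placeholders.
    let now = SystemTime::now();
    let fetch = move || Ok::<_, String>((Creds { access_key: "EXAMPLE".into(), secret_key: "EXAMPLE".into(), session_token: None }, now + Duration::from_secs(900)));
    let mut source = CredentialSource::refreshing(fetch, Duration::from_secs(300));
    println!("access key in use: {}", source.get(now).unwrap().access_key);
}
```

Because `get` compares against the expiry returned with each fetch, it behaves the same whether the credentials last 6 hours or less.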

What is this fixed by?

Ten0 • Jul 22 '22 16:07

It wasn't, I have no idea how this got closed, I probably fat fingered it :/

durch • Jul 22 '22 17:07