
`runner` OIDC credential management

Open dacbd opened this issue 4 years ago • 1 comments

  • [ ] Document warning about using "short-term" credentials
  • [ ] Document/Show possible ways to extend credential life?
  • [ ] Document/provide examples for "refreshing" credentials used by the cml runner created instance.

Why? By default, these OIDC credentials expire after 1hr, which is likely to be surpassed by ML workflows, after which time cml will fail to self-delete.


Other notes:

  • On AWS, code-wise the credential format is the exact same and essentially no changes are required.
  • On GCP, the credentials format was different, requiring custom parsing to determine the ProjectID; see: https://github.com/iterative/terraform-provider-iterative/pull/506
  • On az/azure 🙈 I have done zero testing.

/CC https://github.com/iterative/cml.dev/pull/208

Follow up of #862

dacbd avatar Apr 24 '22 02:04 dacbd

For aws-actions/configure-aws-credentials:

  • https://github.com/aws-actions/configure-aws-credentials/blob/67fbcbb121271f7775d2e7715933280b06314838/index.js#L10
  • https://github.com/aws-actions/configure-aws-credentials/blob/67fbcbb121271f7775d2e7715933280b06314838/index.js#L315

The default session time is 1hr.

dacbd avatar Aug 22 '22 21:08 dacbd
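One possible way to extend the credential life discussed in this issue, as an added example that is not part of the original thread or the cml documentation: a GitHub Actions workflow that requests a longer OIDC session through the action's `role-duration-seconds` input. The role ARN, region, instance type, label and secret name are placeholders, and the example assumes the IAM role's maximum session duration has been raised to at least the requested value.

```yaml
# Added example; role ARN, region, instance type, label and secret name are placeholders.
name: train
on: [push]

permissions:
  id-token: write   # allows the job to request the GitHub OIDC token
  contents: read

jobs:
  launch-runner:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: iterative/setup-cml@v1
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::111122223333:role/EXAMPLE-cml-runner  # placeholder
          aws-region: us-west-2                                              # placeholder
          # When this input is omitted, the OIDC session lasts 3600 s (the 1hr default
          # noted in the thread). AWS rejects a value above the role's maximum
          # session duration, so keep it as short as the longest expected job.
          role-duration-seconds: 14400
      - name: Launch runner
        env:
          REPO_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}   # placeholder secret name
        run: |
          cml runner \
            --cloud=aws \
            --cloud-region=us-west \
            --cloud-type=t2.micro \
            --labels=cml-runner
```

The session still expires at the requested duration, so a training job that outlasts it would hit the same self-delete failure described above.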