aws-secrets-manager-credentials-provider-plugin
Don't remove credentials during temporary issues
What feature do you want to see added?
Hello, I am using this Jenkins plugin to sync secrets from Secrets Manager. Sometimes we get a temporary error when trying to sync the secrets, such as:
WARNING
i.j.p.c.s.AwsCredentialsProvider#getCredentials: Could not list credentials in Secrets Manager:
message=[Rate exceeded (Service: AWSSecretsManager; Status Code: 400; Error Code: ThrottlingException; Proxy: null)]
When this happens, it seems like the secrets that should come from secret manager are no longer accessible by our jobs. They fail with:
ERROR: Could not find credentials entry with ID `<secret>`
Would it be possible to keep the cached secrets during a failed refresh event (assuming the refresh failed due to a temporary issue)? This way temporary issues would not impact our jobs.
Cheers
Upstream changes
No response
Are you interested in contributing this feature?
No response
Hi Leon, a couple of details about how the caching works:
- The list of credential names is looked up once, when a job first wants to get a credential, and then cached for 5 minutes. (Effectively the `ListSecrets` call in `getCredentials` is cached.)
- The credential value itself is always looked up live (this is the `GetSecretValue` call), because the sensitive credential material must never be cached.
From what you posted it looks like you encountered the AWS API error when the list of credential names was fetched. Since there is already a caching strategy for that part, the only thing I can think of is that you should check that the cache has not been turned off in your plugin configuration.
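To make the requested behaviour concrete, here is a standalone Python sketch of a "serve stale on transient error" name cache. It is an added example, not code from the plugin (which is written in Java) or from either participant: the `FakeSecretsManager` client, the `ThrottlingException`/`AccessDeniedException` stand-ins, the `CredentialNameCache` class and the 30-minute `MAX_STALE_SECONDS` cap are all assumptions made for the illustration. It keeps the two properties the maintainer describes (the name list is cached for 5 minutes, the secret value is always fetched live) and adds the behaviour the issue asks for: when the `ListSecrets` refresh fails with a retryable throttling error, the last good list is served instead of dropping every credential. The stale window is bounded so that a deleted or renamed secret cannot stay resolvable indefinitely during a long outage, and non-retryable errors still propagate and clear the cache.

```python
import time

TTL_SECONDS = 300          # the 5-minute name cache described in the reply above
MAX_STALE_SECONDS = 1800   # assumption: longest a stale name list may be served during an outage


class ThrottlingException(Exception):
    """Constructed stand-in for the AWS ThrottlingException (HTTP 400, retryable)."""


class AccessDeniedException(Exception):
    """Constructed stand-in for a non-retryable AWS error."""


TRANSIENT_ERRORS = (ThrottlingException,)


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager client (ListSecrets / GetSecretValue)."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # name -> secret value
        self.fail_with = None          # exception class raised by list_secrets while set
        self.list_calls = 0

    def list_secrets(self):
        self.list_calls += 1
        if self.fail_with is not None:
            raise self.fail_with("Rate exceeded")
        return sorted(self.secrets)

    def get_secret_value(self, name):
        return self.secrets[name]


class CredentialNameCache:
    """Caches only credential *names*; values are always fetched live."""

    def __init__(self, client, clock=time.monotonic, ttl=TTL_SECONDS, max_stale=MAX_STALE_SECONDS):
        self._client = client
        self._clock = clock
        self._ttl = ttl
        self._max_stale = max_stale
        self._names = None
        self._fetched_at = None

    def names(self):
        now = self._clock()
        if self._names is not None and now - self._fetched_at < self._ttl:
            return list(self._names)               # fresh: no upstream call
        try:
            self._names = list(self._client.list_secrets())
            self._fetched_at = now
            return list(self._names)
        except TRANSIENT_ERRORS:
            # Retryable failure: keep serving the last good list while it is within max_stale.
            if self._names is not None and now - self._fetched_at < self._max_stale:
                return list(self._names)
            self._names = None                     # stale copy too old; surface the error
            raise
        except Exception:
            self._names = None                     # permanent failure: do not serve stale names
            raise

    def get_credential(self, name):
        if name not in self.names():
            raise KeyError(f"Could not find credentials entry with ID `{name}`")
        return self._client.get_secret_value(name)  # value is never cached


def run_scenario():
    """Drives the cache with a fake clock; returns observations for inspection/testing."""
    client = FakeSecretsManager({"db-password": "s3cr3t", "api-key": "abc123"})  # constructed data
    clock = [0.0]
    cache = CredentialNameCache(client, clock=lambda: clock[0])
    out = {}
    out["warm"] = cache.names()                          # t=0: first lookup hits ListSecrets
    clock[0] = 100.0
    cache.names()                                        # inside TTL: served from cache
    out["calls_after_warm_hits"] = client.list_calls
    clock[0] = 400.0                                     # TTL expired, refresh is attempted
    client.fail_with = ThrottlingException
    out["served_stale"] = cache.names()                  # throttled: stale list returned
    out["value_during_throttle"] = cache.get_credential("db-password")
    try:
        cache.get_credential("nope")
        out["unknown_raises"] = False
    except KeyError:
        out["unknown_raises"] = True
    clock[0] = 2000.0                                    # beyond MAX_STALE_SECONDS
    try:
        cache.names()
        out["stale_expired_raises"] = False
    except ThrottlingException:
        out["stale_expired_raises"] = True
    client.fail_with = None
    clock[0] = 2001.0
    out["recovered"] = cache.names()                     # upstream healthy again
    clock[0] = 2400.0
    client.fail_with = AccessDeniedException
    try:
        cache.names()
        out["permanent_error_raises"] = False
    except AccessDeniedException:
        out["permanent_error_raises"] = True
    out["list_calls"] = client.list_calls
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note that while the stale list is being served every cache miss still retries `ListSecrets`, so under sustained throttling a short retry cooldown (or jittered backoff) in front of the call would keep the plugin from adding to the request rate that caused the throttle in the first place.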