kube2iam

Add AssumeRole error cache

Open schleyfox opened this issue 6 years ago • 2 comments

When AssumeRole is successful, the success is cached for (by default) 15 minutes. On failure, there is no cache. In cases of misconfiguration, this can result in a large number of AssumeRole calls against the AWS API, which, in extreme cases, can result in API rate limiting, causing other applications in the AWS account to experience failures.

This adds a negative cache on AssumeRole to prevent error cases from spamming the API. This is set to 0 by default to preserve existing behavior, but a value of 30 seconds to 1 minute would be reasonable.

schleyfox, Feb 26 '19 17:02
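An added illustration in Go (not kube2iam's code and not the patch in this pull request) of the negative cache described in the opening post: successes are kept for 15 minutes, failures for a configurable TTL, and a TTL of 0 keeps the old behaviour of never caching errors. `RoleCache`, `UpstreamCalls`, the stubbed AssumeRole function, the injectable clock and the role name are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type entry struct {
	creds   string
	err     error
	expires time.Time
}
// RoleCache is a hypothetical wrapper around an AssumeRole-style call.
type RoleCache struct {
	mu            sync.Mutex
	entries       map[string]entry
	okTTL, errTTL time.Duration // errTTL == 0 disables the negative cache
	assume        func(role string) (string, error)
	now           func() time.Time // injectable clock, so expiry is testable
}

func (c *RoleCache) Get(role string) (string, error) {
	c.mu.Lock() // held across the upstream call so concurrent misses become one call
	defer c.mu.Unlock()
	if e, ok := c.entries[role]; ok && c.now().Before(e.expires) {
		return e.creds, e.err // cached credentials or a remembered failure
	}
	creds, err := c.assume(role)
	e := entry{creds, err, c.now().Add(c.okTTL)}
	if err != nil {
		e.expires = c.now().Add(c.errTTL) // zero TTL: already expired, never served
	}
	c.entries[role] = e
	return creds, err
}

func UpstreamCalls(errTTL time.Duration, polls int) int {
	clock, calls := time.Unix(0, 0), 0
	c := &RoleCache{entries: map[string]entry{}, okTTL: 15 * time.Minute, errTTL: errTTL,
		now:    func() time.Time { return clock },
		assume: func(string) (string, error) { calls++; return "", fmt.Errorf("denied") }}
	for i := 0; i < polls; i++ {
		c.Get("misconfigured-role") // constructed role name; the stub always fails
		clock = clock.Add(time.Second)
	}
	return calls // upstream requests made while polling once per simulated second
}

func main() { fmt.Println(UpstreamCalls(0, 120), UpstreamCalls(30*time.Second, 120)) }
```

Holding the mutex during the upstream call serialises lookups for all roles; a per-role lock would avoid that at the cost of more code.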

Coverage Status

Coverage decreased (-0.3%) to 19.474% when pulling 46bce9d042450725143364e209d66814cced58d3 on schleyfox:add-negative-cache into 80efbb12e3650ab35de87230a0a300ffdc5cbe84 on jtblin:master.

coveralls, Feb 26 '19 18:02

@jrnt30 can you look at this?

schleyfox, Apr 18 '19 01:04