extproc: retrieve AWS credentials for every request #185
wengyao04 wants to merge 1 commit into envoyproxy:main from
Signed-off-by: yweng14 <[email protected]>
@yuzisun, @aabchoo and @mathetake, do you think we can retrieve the AWS credentials for every request in the first release and optimize it later with
We can implement a secret watcher and update the credential in cache, which is orthogonal to AssumeRoleWithWebIdentity; it is still a useful feature for users who rotate the AWS credential manually.

Yes, secret watcher is definitely the way to go and this reading-file-on-request-path is unacceptable (see #169). That's exactly what I suggested to @aabchoo in #125: #125 (comment)

Btw you can already emulate the refreshing behavior by using a unique secret resource name in your refresher. Anyways this is exactly the opposite of where we should go and I don't see any reason to have this now.
**Commit Message**: This adds a secret watcher controller that enables the hot reload of any secret referenced by backendTrafficPolicy.

**Related Issues/PRs (if applicable)**:
Follow up on #43 #106 #161
Supersede #185

Signed-off-by: Takeshi Yoneda <[email protected]>
Commit Message:
Instead of retrieving AWS credentials in `newAWSHandler`, could we get the AWS credentials for every request in the first release and optimize it later with the `AssumeRoleWithWebIdentity` API?

I propose this change because we have temporary AWS credentials in the credential secrets, and we have our own token-refresher to refresh the credentials.
Retrieve credentials for each request
Related Issues/PRs (if applicable):
Special notes for reviewers (if applicable):