amazon-dynamodbcredential-providersaws-sdk-go-v2

GoLang DynamoDB client performance


To authenticated with DynamoDB we use IAM roles - our persistence is in a different AWS Service Account to compute - however on developer machines running DynamoDB-local containers we override the behaviour with environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), for which we also provide a custom endpoint resolver.

We see jitter when credentials expire: I believe this is because fresh IAM tokens are being obtained by the SDK only after expiry, they are not pre-authenticated prior to expiry.

I would like to hook into the default GoLang credentials.Provider chain to pre-cache valid credentials ahead of expiry to reduce expired token refresh time. The docs talk about about different providers, but it isn't clear to me how I can use the existing chain/behaviour and just replace the token refresh with a goroutine to rotate credentials ahead of expiry.

Can this be done, or do I need to provide a complete custom chain? I'd like to avoid this if at all possible because the environment variables in aws-sdk-go-v2/config@v1.18.21/env_config.go are mostly private.


Solution

  • There are load options for lazy-refresh prior to expiry, although this won't be used if the system is quiet (meaning test environments won't benefit from this if they have been left to go cold):

        
        optFns := []func(options *awsconfig.LoadOptions) error {
            awsconfig.WithBearerAuthTokenCacheOptions(func(options *bearer.TokenCacheOptions) {
                options.RefreshBeforeExpires = 90 * time.Second
                options.RetrieveBearerTokenTimeout = 5 * time.Second
                options.AsyncRefreshMinimumDelay = 100 * time.Millisecond
            }),
            awsconfig.WithCredentialsCacheOptions(func(options *aws.CredentialsCacheOptions) {
                options.ExpiryWindow = 30 * time.Second
                options.ExpiryWindowJitterFrac = 0.5
            })
    
        dynamodb.NewFromConfig(cfg, optFns...)