Usage with SSO / Identity Center breaks caching #8

Open
hreeder opened this issue Jan 28, 2025 · 2 comments

hreeder commented Jan 28, 2025

I've observed that when using identity center, the access key for a given session is new each time - meaning we have a unique hash key each time I run my script.

I broke out the client into my project to inject the access key into my logs to verify this.

```
INFO:botocore.tokens:Loading cached SSO token for my-sso-session
INFO:cache_client:API Call Logger: Access Key - ASIA.............3HS, Region - eu-west-1, Service - sso-admin, Action - DescribeInstance, API Params - {'InstanceArn': 'arn:aws:sso:::instance/ssoins-abc123'}
INFO:botocore.tokens:Loading cached SSO token for my-sso-session
INFO:cache_client:API Call Logger: Access Key - ASIA.............OF7, Region - eu-west-1, Service - sso-admin, Action - DescribeInstance, API Params - {'InstanceArn': 'arn:aws:sso:::instance/ssoins-abc123'}
```

I can also confirm that constructing the cache key using the following makes caching work in this scenario too:

```python
cache_key = "{service}_{action}_{region}_{api_params}".format(
    # Service for identifying which service is being queried
    service=self._service_model.service_name,
    # Action of the service
    action=operation_name,
    # Region where the call is being made
    region=self.meta.region_name,
    # Api Parameters. This takes care of pagination token, marker and other params.
    # The API Params dictionary is sorted before hashing
    api_params=str(OrderedDict(sorted(api_params.items()))),
)
```

I'm going to take a look and see if there's something more suitable to use - at least if we can detect that we're running under an SSO session.

rams3sh (Owner) commented Jan 29, 2025

Hey @hreeder

I haven't tested this case with botocache, so this is new to me.

In my opinion, instead of botocache changing its behaviour based on the type of credentials being used by it, it will be better if the cache key generation can be provided as an optional feature for the user to customise. This way botocache can be agnostic of the underlying mechanism.

hreeder (Author) commented Jan 29, 2025

That makes sense. I can see about popping together a PR to enable that as a possibility in that case.
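An added example, not code from botocache or from either commenter: it compares a cache key that includes the rotating access key ID with one scoped to a stable principal string, since a key with no identity component at all would let a cache shared between principals serve one principal's responses to another. The function names, the role ARNs and the access key IDs are constructed for illustration; the stable identity is assumed to be supplied by the caller (for example the ARN of the assumed role).

```python
import hashlib
import json


def _digest(*parts):
    # sort_keys=True makes the digest independent of API parameter order.
    blob = json.dumps(parts, sort_keys=True, default=str)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def key_with_access_key(access_key, service, action, region, api_params):
    """Key that includes the access key ID, the behaviour the issue reports."""
    return _digest(access_key, service, action, region, api_params)


def key_with_identity(identity, service, action, region, api_params):
    """Hypothetical alternative: scope the key to a stable principal string."""
    return _digest(identity, service, action, region, api_params)


# Constructed sample values, not real credentials or accounts.
CALL = ("sso-admin", "DescribeInstance", "eu-west-1",
        {"InstanceArn": "arn:aws:sso:::instance/ssoins-abc123"})
SESSION_1_KEY = "ASIAEXAMPLEAAAAAAAA1"  # first SSO session
SESSION_2_KEY = "ASIAEXAMPLEAAAAAAAA2"  # second SSO session, same role
ROLE_A = "arn:aws:sts::111122223333:assumed-role/ExampleReadOnly/alice"
ROLE_B = "arn:aws:sts::111122223333:assumed-role/ExampleAdmin/bob"


def demo():
    """Report which pairs of calls would land on the same cache entry."""
    return {
        # Same call, new temporary credentials: the cache misses every run.
        "access_key_hit": key_with_access_key(SESSION_1_KEY, *CALL)
        == key_with_access_key(SESSION_2_KEY, *CALL),
        # Same call, same role across sessions: the cache hits.
        "same_role_hit": key_with_identity(ROLE_A, *CALL)
        == key_with_identity(ROLE_A, *CALL),
        # Same call, different role: entries stay separate.
        "cross_role_hit": key_with_identity(ROLE_A, *CALL)
        == key_with_identity(ROLE_B, *CALL),
    }


if __name__ == "__main__":
    print(demo())
```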
