Allow aws-vault to safely be run in parallel #1275
Open. timvisher-dd wants to merge 468 commits into 99designs:master from timvisher-dd:sso-browser-lock (base: master).
Conversation
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.31.7 to 1.31.8. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@config/v1.31.7...config/v1.31.8) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.31.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…github.com/aws/aws-sdk-go-v2/config-1.31.8 chore(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.31.7 to 1.31.8
Bumps [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) from 1.47.4 to 1.47.5. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.47.4...service/s3/v1.47.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/iam dependency-version: 1.47.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…github.com/aws/aws-sdk-go-v2/service/iam-1.47.5 chore(deps): Bump github.com/aws/aws-sdk-go-v2/service/iam from 1.47.4 to 1.47.5
chore: Enable linux-ppc64le build
chore: Test new conventional commit action
Bumps [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://github.com/aws/aws-sdk-go-v2) from 1.34.4 to 1.34.5. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@service/iot/v1.34.4...service/sfn/v1.34.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/ssooidc dependency-version: 1.34.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.31.8 to 1.31.9. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@config/v1.31.8...config/v1.31.9) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.31.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…github.com/aws/aws-sdk-go-v2/config-1.31.9 chore(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.31.8 to 1.31.9
…github.com/aws/aws-sdk-go-v2/service/ssooidc-1.34.5 chore(deps): Bump github.com/aws/aws-sdk-go-v2/service/ssooidc from 1.34.4 to 1.34.5
chore: Fix GHA PR checks
chore: Fix GHA PR checks perms
…golang.org/x/term-0.39.0 chore(deps): Bump golang.org/x/term from 0.38.0 to 0.39.0
…github.com/aws/aws-sdk-go-v2/config-1.32.7 chore(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.32.6 to 1.32.7
…github.com/aws/aws-sdk-go-v2/service/iam-1.53.2 chore(deps): Bump github.com/aws/aws-sdk-go-v2/service/iam from 1.53.1 to 1.53.2
refactor: GHA OS builds
Bumps [webiny/action-conventional-commits](https://github.com/webiny/action-conventional-commits) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/webiny/action-conventional-commits/releases) - [Commits](webiny/action-conventional-commits@8bc41ff...faccb24) --- updated-dependencies: - dependency-name: webiny/action-conventional-commits dependency-version: 1.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/byteness/keyring](https://github.com/byteness/keyring) from 1.6.1 to 1.7.0. - [Release notes](https://github.com/byteness/keyring/releases) - [Commits](ByteNess/keyring@v1.6.1...v1.7.0) --- updated-dependencies: - dependency-name: github.com/byteness/keyring dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…ons/webiny/action-conventional-commits-1.3.1 chore(deps): Bump webiny/action-conventional-commits from 1.3.0 to 1.3.1
…ons/actions/upload-artifact-6 chore(deps): Bump actions/upload-artifact from 4 to 6
…github.com/byteness/keyring-1.7.0 chore(deps): Bump github.com/byteness/keyring from 1.6.1 to 1.7.0
docs: Update README and add Passage backend
docs: Accurately reflect status of upstream
feat: Add support for EUSC partition
fix: Enable FreeBSD builds
…esktop-integration feat: 1password desktop integration
Branch updated from 0d6718f to b4be5e4 (compare).
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Branch updated from b4be5e4 to 96a6c03 (compare).
Contributor: No need to open a PR here, since it has been abandoned. Thanks for opening ByteNess#291.

Author (timvisher-dd): Yep! Didn't notice that somehow until after I created this PR. It'll close once the other PR merges. :)
I run aws-vault as a credentials_provider for SSO backed AWS profiles. This is often in parallel contexts of dozens to hundreds of invocations at once.
In that context when credentials needed to be refreshed, aws-vault would open an unconstrained amount of browser tabs in parallel, usually triggering HTTP 500 responses on the AWS side and failing to acquire creds.
To mitigate this I developed a small wrapper around aws-vault that would use a Bash dir lock (Wooledge BashFAQ 45) when there was a possibility that the credentials would need to be refreshed. This worked but it was also quite slow as it would lock the entire aws-vault execution rather than just the step that might launch a browser tab. The dir locking strategy was also sensitive to being killed by process managers like terraform and so had to do things like die voluntarily after magic amounts of seconds to avoid being SIGKILLed and leaving a stale lock around.
This changeset introduces that locking mechanism directly into aws-vault in a cross-platform manner, using a library that is tolerant of all forms of process death (even SIGKILL). I've been testing it extensively, and not only does it outperform my bash wrapper by at least an order of magnitude or two, but it so far has not had any stale locking problems.
Because of how much more performant the locking mechanism is I also found that OIDC cred retrieval can 429 so this changeset also handles the Retry-After headers with jitter. In a stress test across 646 AWS profiles in 9 SSO Directories I'm able to retrieve creds successfully in 36 seconds on my box. This fails irrevocably on HEAD because the browser storm overwhelms the IAM/SSO APIs.
Testing

Unit tests have been added for this. I also used some local integration test scripts that clear out the creds and run aws-vault export --format=json across different sets of my profiles and assert that it succeeds. Finally, I've converted my local tooling to use this fork of aws-vault and have been exercising it there without issue.

Colophon

I did not write any of this code. Codex did. That said, I have read through it in some detail and it looks reasonable to me.

Co-authored-by: Codex noreply@openai.com