This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2019-02-28
i think the answer here is no, but:
I saw cognitect.aws.credentials/auto-refreshing-credentials and wondered if there was anything I might reuse in there to have an atom containing up-to-date temporary credentials.
I wrote a little (future (while true (reset! credentials (fetch-credentials ...)) (Thread/sleep ...))) thing, but having retry, backoff, etc. managed by the lib would be nice, since some of the sauce is already in the client API.
yeah, for STS temporary creds, there needs to be a refresh, on some interval or maybe even an HTTP lib middleware, which would check against the expiration time (given some buffer to cover clock drift)
AWS Java libs encompass this via a refresh() method that the user is required to call on the background: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentialsProvider.html#refresh--
on the AWS Java libs: > Forces this credentials provider to refresh its credentials. For many implementations of credentials provider, this method may simply be a no-op, such as any credentials provider implementation that vends static/non-changing credentials. For other implementations that vend different credentials through out their lifetime, this method should force the credentials provider to refresh its credentials.
@ghadi nice, but this wouldn't really apply to the get-cluster-credentials call, right? it retrieves a DbPassword and DbUser, but maybe I'm missing something
@ghadi yessir, which is why i assume it's not a covered case, but i wondered if there were enough versions of same floating around that something could be provided to handle autorefresh for me
hum, the Redshift jdbc driver is able to fetch credentials when establishing a connection
sure https://docs.aws.amazon.com/redshift/latest/mgmt/generating-iam-credentials-configure-jdbc-odbc.html
user name and groups to join and whether to create the user while connecting can be specified as options in the jdbc url https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc-and-odbc-options-for-database-credentials.html
user creation and joining groups needs permissions that can be specified via policies attached to the role/user using the jdbc driver
one could call the redshift get-cluster-credentials api, but at least in our case, it's been easier to let the aws provided jdbc driver do so
although the driver seems to have a bug which prevents this working in a lambda (tried filing a support ticket but this never got fixed)