Update usage of AWS SDK in aws_pca UpstreamAuthority plugin to v2 #2766
Conversation
This is primarily motivated by trying to consolidate to a single AWS SDK dependency in SPIRE. The max wait time for certificate issuance introduced in this change matches the default behavior used in the v1 SDK.
Signed-off-by: Ryan Turner <[email protected]>
Keeping in draft state until I get a chance to test this in AWS.
}

func newCertificateIssuedWaiter(client acmpca.GetCertificateAPIClient, optFns ...func(*acmpca.CertificateIssuedWaiterOptions)) certificateIssuedWaiter {
	return acmpca.NewCertificateIssuedWaiter(client, optFns...)
I wonder if we shouldn't set our own custom Retryable option until aws/aws-sdk-go-v2#1585 is fixed...
Maybe? It is also something that we need to maintain over time though. I think I'd rather see the fix go into the AWS SDK and pick it up from there so we don't have a Retryable that gets stale and out of sync with AWS API call patterns.
I'm trying to think about the worst that will happen with the existing Retryable behavior. It seems like it will just take longer to fail an operation than is necessary? With an upstream CA, rotation windows should in practice be much larger than this retry window, so we might be technically ok.
It would probably be good to get confirmation from the AWS SDK maintainers that the behavior is actually a bug as well. It seems like it is, but I'm not so familiar with these APIs.
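The exchange above turns on what a waiter's Retryable hook decides when GetCertificate returns an error other than "still issuing": keep polling until the max wait elapses, or fail at once. The following is an added, stand-alone Go example (not SPIRE's code and not the AWS SDK's) that simulates that polling loop with a fake GetCertificate, so it runs offline without importing aws-sdk-go-v2. The types and names (getCertificateOutput, waiterOptions, waitForCertificate, strictRetryable, lenientRetryable, the error strings) are constructed stand-ins; the real SDK hook also receives the context, input and output, and the SDK's backoff is jittered rather than the plain capped doubling used here. Time is simulated so the comparison is deterministic: the same terminal error costs one call with a strict predicate and eight calls (27 s of virtual waiting against a 30 s max) with a lenient one.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed stand-ins for the GetCertificate result and for the two kinds
// of error a poller sees: "still issuing" and a terminal failure.
type getCertificateOutput struct {
	Certificate      string
	CertificateChain string
}

var (
	errRequestInProgress = errors.New("RequestInProgressException") // constructed
	errResourceNotFound  = errors.New("ResourceNotFoundException")  // constructed
)

// getCertificateFunc is the single call the waiter polls (assumed shape).
type getCertificateFunc func() (*getCertificateOutput, error)

// retryable follows a waiter Retryable hook's decision contract:
// (true, nil) keep polling, (false, nil) done, (false, err) stop with err.
type retryable func(out *getCertificateOutput, err error) (bool, error)

type waiterOptions struct {
	MinDelay  time.Duration
	MaxDelay  time.Duration
	Retryable retryable
}

type waitResult struct {
	Attempts int
	Elapsed  time.Duration // virtual time spent sleeping between polls
	Output   *getCertificateOutput
	Err      error
}

// waitForCertificate polls get until Retryable says stop, or until the next
// sleep would push past maxWait. Nothing sleeps for real; Elapsed is a
// virtual clock. Backoff is a capped doubling, a simplification of the SDK's.
func waitForCertificate(get getCertificateFunc, maxWait time.Duration, opts waiterOptions) waitResult {
	var res waitResult
	delay := opts.MinDelay
	for {
		res.Attempts++
		out, err := get()
		retry, rerr := opts.Retryable(out, err)
		if rerr != nil {
			res.Err = rerr // terminal: surface the error immediately
			return res
		}
		if !retry {
			res.Output = out // success
			return res
		}
		if res.Elapsed+delay > maxWait {
			res.Err = fmt.Errorf("exceeded max wait of %s after %d attempts (last error: %v)", maxWait, res.Attempts, err)
			return res
		}
		res.Elapsed += delay
		delay *= 2
		if delay > opts.MaxDelay {
			delay = opts.MaxDelay
		}
	}
}

// lenientRetryable retries on every error, so a terminal error is only
// reported once maxWait is exhausted: the "takes longer to fail" case.
func lenientRetryable(_ *getCertificateOutput, err error) (bool, error) {
	return err != nil, nil
}

// strictRetryable keeps polling only on the "still issuing" error and
// surfaces anything else on the first call.
func strictRetryable(_ *getCertificateOutput, err error) (bool, error) {
	switch {
	case err == nil:
		return false, nil
	case errors.Is(err, errRequestInProgress):
		return true, nil
	default:
		return false, err
	}
}

// issuingAfter builds a fake client whose certificate is ready on the nth call.
func issuingAfter(n int) getCertificateFunc {
	calls := 0
	return func() (*getCertificateOutput, error) {
		calls++
		if calls < n {
			return nil, errRequestInProgress
		}
		return &getCertificateOutput{Certificate: "-----BEGIN CERTIFICATE-----", CertificateChain: "-----BEGIN CERTIFICATE-----"}, nil
	}
}

// alwaysFailing builds a fake client that returns a terminal error every time.
func alwaysFailing() getCertificateFunc {
	return func() (*getCertificateOutput, error) { return nil, errResourceNotFound }
}

func main() {
	opts := waiterOptions{MinDelay: time.Second, MaxDelay: 5 * time.Second}
	for _, tc := range []struct {
		name string
		get  getCertificateFunc
		r    retryable
	}{
		{"issuing, strict", issuingAfter(3), strictRetryable},
		{"missing ARN, strict", alwaysFailing(), strictRetryable},
		{"missing ARN, lenient", alwaysFailing(), lenientRetryable},
	} {
		opts.Retryable = tc.r
		res := waitForCertificate(tc.get, 30*time.Second, opts)
		fmt.Printf("%-22s attempts=%d waited=%s err=%v\n", tc.name, res.Attempts, res.Elapsed, res.Err)
	}
}
```

The max wait only bounds how long the lenient predicate can spin; it does not make the failure any more informative, which is why a custom Retryable that distinguishes "in progress" from terminal errors is the lever the thread is weighing against the maintenance cost of keeping it in sync with the service's error vocabulary.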
Hey @bcelenza, I hope you are doing well 🤗 We have had a really hard time trying to get access to an AWS account so that we can test these changes (and others). We're nearly out of options, so thought we would ping you (as the original contributor of this plugin) to see if you or anyone you know may be able to help out?
Hey @evan2645, absolutely! I'm no longer with AWS, but can hopefully connect you to the right folks there. Can you send me an email (bcelenza at gmail) from your preferred address?
Amazing, thank you @bcelenza! Email incoming |
Update sts configuration on aws pca upstream authority
Looks pretty good. Just one small comment...
Thanks, @rturner3 !
…iffe#2766) * Update usage of AWS SDK in aws_pca UpstreamAuthority plugin to v2 This is primarily motivated by trying to consolidate to a single AWS SDK dependency in SPIRE. The max wait time for certificate issuance introduced in this change matches the default behavior used in the v1 SDK. Signed-off-by: Ryan Turner <[email protected]> Co-authored-by: Marcos Yacob <[email protected]>