Skip to content

feat: Support snapstart's vended credentials #532

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
astuyve merged 5 commits into from
Jan 30, 2025
Merged

feat: Support snapstart's vended credentials #532

astuyve merged 5 commits into from
Jan 30, 2025

Conversation

@astuyve
Copy link
Contributor

@astuyve astuyve commented Jan 29, 2025
edited
Loading

Lambda SnapStart doesn't provide AWS access credentials to prevent them from being cached during the snapshot creation process.
We have two options, we can delay resolving credentials into the invoke phase (probably don't wanna do that for performance reasons where users rely on the additional vCPU power during init), or we can use the credential API to grab creds during init and use them.

Since we never re-use credentials, this works fine for us. It should only incur overhead during snapshot creation, which is a control plane operation anyway.

Screenshot of the decrypted secrets w/ snapshot (long since expired):
image
(can't wait for a bot to try these old expired creds)

@astuyve astuyve requested a review from a team as a code owner January 29, 2025 19:08
duncanista
duncanista reviewed Jan 29, 2025
View reviewed changes
duncanista
duncanista reviewed Jan 30, 2025
View reviewed changes
bottlecap/src/telemetry/events.rs
Comment on lines +131 to +146
PlatformRestoreStart {
// function name and function version are here
// but we don't care about those
// https://docs.aws.amazon.com/lambda/latest/dg/telemetry-schema-reference.html#platform-restoreStart
// runtime version may be nice
},

#[serde(rename = "platform.restoreReport", rename_all = "camelCase")]
PlatformRestoreReport {
/// Status of the invocation
status: Status,
/// When unsuccessful, the `error_type` describes what kind of error occurred
error_type: Option<String>,
},
#[serde(rename = "platform.restoreRuntimeDone", rename_all = "camelCase")]
PlatformRestoreRuntimeDone {
Copy link
Contributor

@duncanista duncanista Jan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could provide some snapstart visibility eventually? seems easy enough

Copy link
Contributor Author

@astuyve astuyve Jan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could report the metric, yeah

Copy link
Contributor

@duncanista duncanista Jan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even create a span

Copy link
Contributor Author

@astuyve astuyve Jan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? It happens up to 2 weeks before an invocation occurs

@duncanista
Copy link
Contributor

duncanista commented Jan 30, 2025

Looks good! Fix clippy and :shipit:

@astuyve astuyve merged commit e5c5a45 into main Jan 30, 2025
23 checks passed
@astuyve astuyve deleted the aj/support-snapstart branch January 30, 2025 01:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@duncanista duncanista duncanista approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@astuyve @duncanista