
Investigate excessive AWS Secrets Manager Secret Creation #445

@Hermann-Core

Description

Bug Description

A vast number of secrets are being created in AWS Secrets Manager, far exceeding the expected count for a single application instance.

Suspected Culprit

In the DID generation and initialization logic within the did-endpoint plugin:

  1. Key Generation on Every Call: The didgen() function in crates/web-plugins/did-endpoint/src/didgen.rs generates new cryptographic keys (Ed25519 and X25519) every time it is invoked.
  2. Unreliable Validation Trigger: The plugin's mount() function in crates/web-plugins/did-endpoint/src/plugin.rs calls didgen() if validate_diddoc() fails.
  3. Transient Failure Handling: The validate_diddoc() function can fail for reasons other than a missing DID document, such as transient network errors when communicating with the keystore or the repository. When this happens during application startup, a new DID document and new keys are generated, leading to new secrets being stored in AWS Secrets Manager.

Proposed Solution

Modify the initialization logic in crates/web-plugins/did-endpoint/src/plugin.rs to only generate a new DID document if one does not already exist in the persistent storage (MongoDB).
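The failure mode described in this issue, as an added example that is not the project's own code: a startup routine that treats every validation error as "no DID document" will mint fresh keys (and thus fresh secrets) on a transient keystore or repository error, whereas one that distinguishes a definite not-found from a transient failure only generates keys when the document truly does not exist. All names here (RepoError, DidRepository, MockRepo, KeyGen, ensure_did_naive, ensure_did) are hypothetical stand-ins, not the plugin's didgen() or validate_diddoc(); key generation is simulated by a counter so the block runs with the standard library alone.

```rust
use std::cell::RefCell;
use std::collections::VecDeque;

/// Errors a DID-document lookup can produce. The important distinction is
/// between "no document stored yet" and "the backend could not be reached".
#[derive(Debug, Clone, PartialEq)]
pub enum RepoError {
    NotFound,
    Transient(String),
}

/// Minimal stand-in for a DID document; a real one carries verification methods.
#[derive(Debug, Clone, PartialEq)]
pub struct DidDoc {
    pub id: String,
    pub key_id: String, // identifier of the keystore secret backing this document
}

/// Hypothetical repository interface (constructed for this example).
pub trait DidRepository {
    fn load(&self) -> Result<DidDoc, RepoError>;
    fn store(&self, doc: &DidDoc) -> Result<(), RepoError>;
}

/// Mock repository: replays a scripted sequence of lookup outcomes (to simulate
/// transient errors at startup), then serves whatever document was stored.
pub struct MockRepo {
    scripted: RefCell<VecDeque<Result<DidDoc, RepoError>>>,
    stored: RefCell<Option<DidDoc>>,
}

impl MockRepo {
    pub fn new(scripted: Vec<Result<DidDoc, RepoError>>) -> Self {
        MockRepo { scripted: RefCell::new(scripted.into()), stored: RefCell::new(None) }
    }
}

impl DidRepository for MockRepo {
    fn load(&self) -> Result<DidDoc, RepoError> {
        if let Some(outcome) = self.scripted.borrow_mut().pop_front() {
            return outcome;
        }
        self.stored.borrow().clone().ok_or(RepoError::NotFound)
    }
    fn store(&self, doc: &DidDoc) -> Result<(), RepoError> {
        *self.stored.borrow_mut() = Some(doc.clone());
        Ok(())
    }
}

/// Simulated key generation plus secret creation. Each call stands for one new
/// secret written to the secrets manager, so the count is what we care about.
pub struct KeyGen { pub created: RefCell<u32> }

impl KeyGen {
    pub fn new() -> Self { KeyGen { created: RefCell::new(0) } }
    pub fn generate(&self) -> DidDoc {
        let mut n = self.created.borrow_mut();
        *n += 1;
        DidDoc { id: format!("did:example:{}", *n), key_id: format!("secret-{}", *n) }
    }
}

/// The pattern the issue describes: any validation failure triggers regeneration,
/// so a timeout talking to the repository silently creates new keys and secrets.
pub fn ensure_did_naive(repo: &impl DidRepository, keys: &KeyGen) -> DidDoc {
    match repo.load() {
        Ok(doc) => doc,
        Err(_) => {
            let doc = keys.generate();
            let _ = repo.store(&doc);
            doc
        }
    }
}

/// Hardened form: generate keys only on a definite NotFound. Transient errors are
/// retried a bounded number of times, and if they persist startup fails instead
/// of minting keys, so the secret count can never grow from a flaky backend.
pub fn ensure_did(repo: &impl DidRepository, keys: &KeyGen, max_attempts: u32)
    -> Result<DidDoc, RepoError>
{
    let mut last_err = RepoError::Transient("no attempts made".into());
    for _ in 0..max_attempts {
        match repo.load() {
            Ok(doc) => return Ok(doc),
            Err(RepoError::NotFound) => {
                let doc = keys.generate();
                repo.store(&doc)?;
                return Ok(doc);
            }
            Err(e @ RepoError::Transient(_)) => last_err = e,
        }
    }
    Err(last_err)
}

fn main() {
    // Constructed scenario: a document exists, but the first lookup times out.
    let repo = MockRepo::new(vec![Err(RepoError::Transient("constructed: keystore timeout".into()))]);
    repo.store(&DidDoc { id: "did:example:existing".into(), key_id: "secret-existing".into() }).unwrap();
    let keys = KeyGen::new();
    let doc = ensure_did(&repo, &keys, 3).expect("startup succeeds after retry");
    println!("reused {} with {} new secrets created", doc.id, keys.created.borrow());
}
```

The same scenario run through ensure_did_naive would report one new secret, which is exactly the growth the issue observes once it repeats across restarts. The retry bound matters as much as the error split: a plugin that retried forever would hide an outage, while one that fails closed surfaces it without touching the keystore.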
