Refreshing credentials used by already instantiated clients #124

archevel · 2023-06-21T06:48:27Z

archevel
Jun 21, 2023

I am using credentials from Cognito with a few different AWS services (eg. CloudWatch, SQS and SecretsManager). The processen are long running and as such eventually the tokens expire and I need to use the refresh token to get new credentials. However, when this happens I will already have instantiated the clients with the cognito credentials. Using the cloudwatch client as an example:

private static void ConfigureSerilogLogger(LoggerConfiguration configuration, CognitoAWSCredentials credentials, RegionEndpoint region)
{
    var client = new AmazonCloudWatchLogsClient(credentials, region);
    configuration
        // ... some additional log config
        .WriteTo.AmazonCloudWatch(
            cloudWatchClient: client,
            logGroup: "SomeLogGroup",
            logStreamPrefix: "SomeStream", 
            createLogGroup: false,
            appendUniqueInstanceGuid: false,
            appendHostName: false,
            textFormatter: new ExpressionTemplate(logOutputTemplate))
}

Here the client is passed to Serilog and it is a bit cumbersome to reinitialize the logger with new credentials. Ideally the code using the cloudwatch client shouldn't need to care about the state of the credentials, but as is I would need to introduce a mechanism for recreating each client when I use the refresh token to get new credentials. Is there a way around this? I noticed that CognitoAWSCredentials inherit from RefreshingAWSCredentials and as a developer I would expect them to have some support for using a refresh token to generate new credentials before the expiry of id/access tokens. Maybe the SDK already have a mechanism for handling this gracefully?

Answered by ashishdhingra

Sep 7, 2023

@archevel The tokens received via Cognito have the ExpirationTime. The logic to refresh the tokens and reinitialize existing clients should be build within the application, may be using timer to be triggered based on value of expiration time. The StackOverflow post https://stackoverflow.com/questions/54938342/how-to-update-token-using-refresh-token-in-mvc-client-application throws some idea for ASP.NET MVC application, there might be better solutions available though. This library would not refresh token automatically.

View full answer

ashishdhingra · 2023-09-07T18:02:23Z

ashishdhingra
Sep 7, 2023
Maintainer

@archevel The tokens received via Cognito have the ExpirationTime. The logic to refresh the tokens and reinitialize existing clients should be build within the application, may be using timer to be triggered based on value of expiration time. The StackOverflow post https://stackoverflow.com/questions/54938342/how-to-update-token-using-refresh-token-in-mvc-client-application throws some idea for ASP.NET MVC application, there might be better solutions available though. This library would not refresh token automatically.

0 replies

2023-12-01T20:06:56Z

github-actions[bot]
bot Dec 1, 2023

Hello! Reopening this discussion to make it searchable.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Refreshing credentials used by already instantiated clients #124

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Refreshing credentials used by already instantiated clients #124

Uh oh!

Uh oh!

archevel Jun 21, 2023

Replies: 2 comments

Uh oh!

ashishdhingra Sep 7, 2023 Maintainer

Uh oh!

github-actions[bot] bot Dec 1, 2023

archevel
Jun 21, 2023

ashishdhingra
Sep 7, 2023
Maintainer

github-actions[bot]
bot Dec 1, 2023