Add expiration to public interface for Credentials (and ReadOnlyCredentials)
See original GitHub issueRe-opening #2391
I have a utility aws-export-credentials
to allow AWS credentials to be retrieved in a variety of formats, like as environment variables. Adding this functionality to the AWS CLI is open as https://github.com/aws/aws-cli/issues/4668. The CLI caches credentials from, for example, assume role profiles. This would be nice for the “export credentials” functionality, but the Credentials
class and ReadOnlyCredentials
do not expose expiration as a public field.
I propose adding expiration
as a public field to both Credentials
and ReadOnlyCredentials
, of type datetime.datetime
, with None
if there is no known expiration (the default implementation in the base Credentials
class). RefreshableCredentials
would return its existing _expiry_time
.
Acknowledgements
- I may be able to implement this feature request
SDK version used
N/A
Environment details (OS name and version, etc.)
N/A
Issue Analytics
- State:
- Created a year ago
- Comments:7 (4 by maintainers)
Top GitHub Comments
Hi @benkehoe thanks for the feature request. I think further discussion is still needed to determine how your utility could be integrated into botocore. We actively mutate the expiry time in some of our providers so we’d need to think through how that could work with what you’re proposing here.
I think moving the logic makes the most sense. Given that’s a big change, I might propose having an private
_fuzzy_expiry
that means theexpiry_time
on theReadOnlyCredentials
will not be set. What would users do with an expiration if they knew it was fuzzy? Better just to leave it asNone
, I think. Then if/when the logic gets moved, that gets removed and the expiration gets set. I don’t think it’s a problem to leave the expiration off; there’s no expiration for IAM User creds that will be rotated, for example.