Artificial delay for eventually consistent secrets #271

Open
adrianmoisey opened this issue Jun 19, 2023 · 1 comment · May be fixed by #477
Labels
enhancement New feature or request

Comments

@adrianmoisey
Contributor

Is your feature request related to a problem? Please describe.
Some secrets (i.e., AWS IAM) are eventually consistent and require a delay before they can be used.

Describe the solution you'd like
A method to introduce a delay before VSO writes secrets to Kubernetes

Describe alternatives you've considered
It may be possible to get the pods that consume VSO secrets to have a delay before attempting to use their secrets, but then logic needs to be built into each application. It may make sense for VSO to handle this delay, as it is a central service/tool.

Additional context
To quote:
https://developer.hashicorp.com/vault/docs/secrets/aws#usage

Unfortunately, IAM credentials are eventually consistent with respect to other Amazon services. If you are planning on using these credential in a pipeline, you may need to add a delay of 5-10 seconds (or more) after fetching credentials before they can be used successfully.

@adrianmoisey adrianmoisey added the enhancement New feature or request label Jun 19, 2023
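
Added example, not part of the issue or of the Vault Secrets Operator code: the application-side alternative described above, where a consumer waits a fixed settle time and then probes until the new credential is accepted. `Probe`, `WaitUntilUsable` and `FlakyProbe` are hypothetical names, and the probe is a constructed stand-in for a cheap authenticated call so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Probe reports whether a freshly issued credential is accepted yet.
// Assumption: a real consumer makes a cheap authenticated call here.
type Probe func(ctx context.Context) error

// WaitUntilUsable waits minDelay, then probes, retrying with a backoff that
// starts at step and doubles, until success or maxWait. Returns attempts made.
func WaitUntilUsable(ctx context.Context, probe Probe, minDelay, step, maxWait time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, maxWait)
	defer cancel()
	wait, attempts := minDelay, 0
	var last error
	for {
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("not usable after %d attempts (last: %v): %w", attempts, last, ctx.Err())
		case <-time.After(wait):
		}
		attempts++
		if last = probe(ctx); last == nil {
			return attempts, nil
		}
		wait = step << (attempts - 1) // step, 2*step, 4*step, ...
	}
}

// FlakyProbe is a constructed stand-in that rejects the first n calls.
func FlakyProbe(n int) Probe {
	calls := 0
	return func(context.Context) error {
		if calls++; calls <= n {
			return errors.New("credential not recognised yet (constructed)")
		}
		return nil
	}
}

func main() {
	n, err := WaitUntilUsable(context.Background(), FlakyProbe(2), 50*time.Millisecond, 50*time.Millisecond, 2*time.Second)
	fmt.Println("attempts:", n, "err:", err)
}
```

Every consuming application needs its own copy of this gate, which is the duplication the issue asks VSO to absorb by delaying the write to Kubernetes instead.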
adrianmoisey added a commit to adrianmoisey/vault-secrets-operator that referenced this issue Nov 22, 2023
Fixes hashicorp#271

Some services (such as AWS IAM) are eventually consistent and require
some time between generating the secret, and using the secret.

Without this delay our services can't access AWS for a short while
immediately after the secret rotation happens.
adrianmoisey added a commit to adrianmoisey/vault-secrets-operator that referenced this issue Jan 16, 2024
Fixes hashicorp#271

Some services (such as AWS IAM) are eventually consistent and require
some time between generating the secret, and using the secret.

Without this delay our services can't access AWS for a short while
immediately after the secret rotation happens.
@adrianmoisey
Contributor Author

This bug is still hurting us. Is there any way it can be prioritised? I made a PR but it hasn't been looked at.

ebdekock pushed a commit to ebdekock/vault-secrets-operator that referenced this issue May 24, 2024
Fixes hashicorp#271

Some services (such as AWS IAM) are eventually consistent and require
some time between generating the secret, and using the secret.

Without this delay our services can't access AWS for a short while
immediately after the secret rotation happens.