GoLang DynamoDB client performance

Question

To authenticated with DynamoDB we use IAM roles - our persistence is in a different AWS Service Account to compute - however on developer machines running DynamoDB-local containers we override the behaviour with environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), for which we also provide a custom endpoint resolver.

We see jitter when credentials expire: I believe this is because fresh IAM tokens are being obtained by the SDK only after expiry, they are not pre-authenticated prior to expiry.

I would like to hook into the default GoLang credentials.Provider chain to pre-cache valid credentials ahead of expiry to reduce expired token refresh time. The docs talk about about different providers, but it isn't clear to me how I can use the existing chain/behaviour and just replace the token refresh with a goroutine to rotate credentials ahead of expiry.

Can this be done, or do I need to provide a complete custom chain? I'd like to avoid this if at all possible because the environment variables in aws-sdk-go-v2/[email protected]/env_config.go are mostly private.

Answer 1

There are load options for lazy-refresh prior to expiry, although this won't be used if the system is quiet (meaning test environments won't benefit from this if they have been left to go cold):

    
    optFns := []func(options *awsconfig.LoadOptions) error {
        awsconfig.WithBearerAuthTokenCacheOptions(func(options *bearer.TokenCacheOptions) {
            options.RefreshBeforeExpires = 90 * time.Second
            options.RetrieveBearerTokenTimeout = 5 * time.Second
            options.AsyncRefreshMinimumDelay = 100 * time.Millisecond
        }),
        awsconfig.WithCredentialsCacheOptions(func(options *aws.CredentialsCacheOptions) {
            options.ExpiryWindow = 30 * time.Second
            options.ExpiryWindowJitterFrac = 0.5
        })

    dynamodb.NewFromConfig(cfg, optFns...)