Comments (7)
This is a valid concern. I'll look into it soon, and others are welcome to as well. Thanks for bringing it up!
from go-aws-auth.
That synchronizes the signing, but clients still must write to the package global `Keys` manually whenever credentials are updated. If that happens more often than at program start (i.e. in `func init`) they still need to bring their own synchronization, to prevent data races.
from go-aws-auth.
@peterbourgon This is true. I just glanced at the code again, and the only time that I can see that the credentials are updated within the package is when a signing request is made, and fortunately, those are all within the mutex (the `checkKeys()` function). To update credentials yourself, then, yes, using your own mutex would be a good idea. (I think my logic is okay here, but I may be wrong since I haven't tested that scenario.)
from go-aws-auth.
> To update credentials yourself, then, yes, using your own mutex would be a good idea.

Well, it's not just a good idea—it's a data race if you don't. Actually, even if you claimed that local `clientMutex`, another goroutine could still call a Sign method, claim the package `signMutex`, which could cause a mutation and trigger another data race :(

Problems, as I see them:

- `checkKeys()` implies read-only access; that it mutates `Keys` is very confusing!
- `checkKeys()` relies on the caller claiming the `signMutex`—very fragile.
- `checkKeys()` pulling information from `os.Getenv` is spooky action at a distance :(

I'm afraid the current architecture is inherently unsafe. The `Keys` credentials should be wrapped (i.e. not available as a package global), explicitly initialized (i.e. no implicit `os.Getenv`), and all access synchronized through a clear API boundary provided by the package.
from go-aws-auth.
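
One way to realize the design proposed in the comment above, as an added example that is not part of the thread or of go-aws-auth: credentials live in a wrapper type with explicit initialization, and every read and write goes through the wrapper's own lock. `Credentials`, `Store`, `NewStore`, `Set`, `Get` and `TornReads` are hypothetical names, and the key pairs are constructed sample values.

```go
package main

import "sync"

type Credentials struct{ AccessKeyID, SecretAccessKey string }

// Store is a hypothetical wrapper (not go-aws-auth API) that owns its own lock.
type Store struct {
	mu    sync.RWMutex
	creds Credentials
}

// NewStore takes credentials explicitly; nothing is read from os.Getenv.
func NewStore(c Credentials) *Store { return &Store{creds: c} }

// Set swaps both fields under the write lock, so a rotation is atomic.
func (s *Store) Set(c Credentials) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.creds = c
}

// Get returns a copy; a signer should call it once per request.
func (s *Store) Get() Credentials {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.creds
}

// TornReads rotates two constructed key pairs and counts mixed snapshots.
func TornReads(rounds int) int {
	p := [2]Credentials{{"AKIDEXAMPLEA", "secret-A"}, {"AKIDEXAMPLEB", "secret-B"}}
	s, torn := NewStore(p[0]), 0
	done := make(chan struct{})
	go func() { // reader: snapshot while the writer rotates
		defer close(done)
		for i := 0; i < rounds; i++ {
			if c := s.Get(); c != p[0] && c != p[1] {
				torn++
			}
		}
	}()
	for i := 0; i < rounds; i++ { // writer: rotate credentials
		s.Set(p[i%2])
	}
	<-done
	return torn
}

func main() { println("torn snapshots:", TornReads(100000)) }
```

Running it with `go run -race` lets the race detector check the same access pattern. A program that signs with several credentials keeps one `Store` per credential set instead of sharing a global.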
Is changing the credentials something you do frequently?
from go-aws-auth.
Of course. Imagine a program that uses multiple credentials to make distinct requests on different periodic intervals.
from go-aws-auth.
Alright, we'll use issue #14 to resolve this; thanks!
from go-aws-auth.