0
votes

We're using Role Based IAM credentials in our AWS VPC. This means that you never pass in keys to the client of the AWS SDK.

Previously we've used the PHP SDK. Amazon specifically recommends caching the credentials when using role based authentication with the PHP SDK:

https://docs.aws.amazon.com/aws-sdk-php/guide/latest/credentials.html#caching-iam-role-credentials

I'm now writing a Node.js application using the S3 client. I'm wondering if I need to cache the credentials (as per the PHP SDK), or is this something that the Node.js SDK automatically does for us?

The docs for the Node.js SDK do not specifically mention anything about caching role based credentials:

http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-configuring.html#Credentials_from_IAM_Roles_for_EC2_Instances

Thanks

2 Answers

2
votes

No, you do not need to cache IAM role credentials when using the AWS Node.js SDK.

I believe that the recommendation to cache credentials when using PHP is related to the request/CGI model that PHP uses. Without caching, your per-request PHP process would have to call out to the EC2 instance metadata service to retrieve credentials. Not ideal if you're handling high load.

With Node.js, you have a node process constantly running and it can persist credentials so will only need to call out to the EC2 instance metadata service once to retrieve initial credentials and then periodically to renew credentials when they are auto-rotated (every few hours, I believe).

1
votes

As far as I can work out, unless you keep the client object around, the SDK will go back to the instance metadata service when it's instantiated again (except in the case where you instantiate a bunch of clients at the same time, in which case they all use the same instance metadata request event - odd).

i.e. cache your Amazon client objects (but this is not PHP, so you don't need an on-disk cache :) ).
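
The behaviour the two answers describe (credentials held in memory for the life of the process, refreshed before they expire, and one metadata request shared by clients created at the same time), as an added JavaScript example that is not part of either answer and is not the SDK's own code. `CachedRoleCredentials`, `fetchFromMetadata` and the fake endpoint are hypothetical names, and the 6-hour lifetime and 5-minute refresh window are constructed values.

```javascript
// Added illustration, not AWS SDK code: an in-memory role-credential cache for a
// long-running process. fetchFromMetadata is a hypothetical stand-in for the
// call to the EC2 instance metadata service.
class CachedRoleCredentials {
  constructor(fetchFromMetadata, { refreshWindowMs = 5 * 60 * 1000, now = Date.now } = {}) {
    this.fetch = fetchFromMetadata;
    this.refreshWindowMs = refreshWindowMs; // refresh this long before expiry
    this.now = now;
    this.creds = null;    // last credentials received; memory only, never written to disk
    this.inFlight = null; // pending metadata request, shared by concurrent callers
  }

  needsRefresh() {
    return !this.creds || this.creds.expiration - this.now() <= this.refreshWindowMs;
  }

  get() {
    if (!this.needsRefresh()) return Promise.resolve(this.creds);
    if (!this.inFlight) {
      // The async wrapper turns a synchronous throw into a rejection.
      this.inFlight = (async () => this.fetch())()
        .then((c) => { this.creds = c; return c; })
        .finally(() => { this.inFlight = null; }); // a failed fetch is retried on the next call
    }
    return this.inFlight;
  }
}

// Constructed demo: fake clock and fake metadata endpoint, no network involved.
function demo() {
  const SIX_HOURS = 6 * 3600 * 1000;
  let clock = 0;
  let calls = 0;
  const fakeMetadata = async () => {
    calls += 1;
    return { accessKeyId: `EXAMPLE-KEY-${calls}`, expiration: clock + SIX_HOURS };
  };
  const provider = new CachedRoleCredentials(fakeMetadata, { now: () => clock });
  // Three "clients" created at the same time share a single metadata request.
  return Promise.all([provider.get(), provider.get(), provider.get()])
    .then(() => provider.get()) // served from memory, no new request
    .then(() => { clock += SIX_HOURS - 60 * 1000; return provider.get(); }) // inside refresh window
    .then((latest) => ({ calls, latestKey: latest.accessKeyId }));
}

demo().then((result) => console.log(result));
```

Creating a new provider per request would reset `creds` each time and hit the metadata service on every request, which is the per-request cost the first answer attributes to the PHP model.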