run ci for #8078 #8177
Add opt-in AWS IAM authentication for ElastiCache Redis connections and Redis Cluster mode support. When IAM is enabled, services authenticate to Redis using short-lived SigV4 pre-signed tokens instead of static passwords, with automatic token refresh before expiry.

New environment variables:
- REDIS_AWS_IAM_AUTH_ENABLED: enable IAM authentication for Redis
- REDIS_AWS_IAM_CACHE_NAME: ElastiCache cache instance name for the signer
- REDIS_AWS_REGION: optional override for the Redis region
- REDIS_CLUSTER_MODE_ENABLED: enable Redis Cluster mode
- REDIS_USERNAME: optional Redis username for ACL-based authentication
- Fix refreshIamAuth to set password BEFORE AUTH call (prevents auth failures)
- Add timer initialization for pubsub Redis client
- Enhance test coverage with unhappy paths and organized test structure
- Improve JSDoc comments for AWS IAM interfaces and functions
- Add IAM authentication support for AWS-managed Redis
- Refactor redis-config-validation to redis-config with enhanced schema
- Update all services to use centralized Redis config
- Add ClickHouse and feature flags support to workflows
- Implement tracing configuration across services
…word-before-AUTH ordering
Code Review
This pull request centralizes Redis client creation and environment variable validation into @hive/service-common across all services, introducing opt-in AWS IAM authentication for ElastiCache Redis and supporting Redis Cluster mode. Feedback recommends caching the AWS credential provider instance at the module level in generatePresignedToken to avoid redundant credential resolution on every token generation call.
```typescript
export async function generatePresignedToken(config: PresignedTokenConfig): Promise<string> {
  const credentialProvider = fromNodeProviderChain();
```
Instantiating fromNodeProviderChain() inside generatePresignedToken on every call creates a new credential provider instance each time. This completely bypasses the internal credential caching and memoization of the AWS SDK.
As a result, the service will perform a full credential resolution chain (checking environment variables, shared credentials file, ECS/EKS container credentials, IMDS, etc.) every 12 minutes (or on every retry). This can significantly increase I/O, slow down token generation, and potentially lead to rate-limiting or throttling from AWS STS or the EC2 Instance Metadata Service (IMDS).
Reusing a single provider instance at the module level is the recommended best practice to leverage internal credential caching.
Suggested change

Current:
```typescript
export async function generatePresignedToken(config: PresignedTokenConfig): Promise<string> {
  const credentialProvider = fromNodeProviderChain();
```

Suggested:
```typescript
let credentialProvider: ReturnType<typeof fromNodeProviderChain> | undefined;
export async function generatePresignedToken(config: PresignedTokenConfig): Promise<string> {
  credentialProvider ??= fromNodeProviderChain();
```
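Review bot: the module-level `let credentialProvider` with `credentialProvider ??= fromNodeProviderChain();` fixes the per-call re-resolution, but it also turns the provider into a process-wide singleton that tests and callers cannot swap or reset, which matters for the unhappy-path tests this PR adds around token generation. Consider keeping the cached instance as the default while letting `PresignedTokenConfig` carry an optional provider override, e.g. `const credentialProvider = config.credentialProvider ?? (defaultProvider ??= fromNodeProviderChain());`, so a test can inject a failing or expiring provider without touching module state, and production still resolves the chain once.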
🐋 This PR was built and pushed to the following Docker images: Targets: Platforms: Image Tags:
Run full ci for #8078