How does the AWS provider make API calls with the auto rotation feature enabled?

[davidkuhlke]

I've enabled the auto rotation feature on my CSI driver, and everything is working as expected. I have the rotation poll interval set to 2 minutes. I haven't noticed any large uptick in cost for my AWS Secrets Manger. Right now I'm syncing about 15 secrets between AWS and K8s. My question is: Does the driver invoke one API call for all associated AWS secrets every 2 minutes, or does the driver invoke multiple API calls every 2 minutes (one call for each secret)?

The README file in the repo seems to suggest that there is a danger to having poll intervals set to less than 1 hour since high costs could incur. Is this still true? I'm wondering if something has changed in the way auto rotation poll intervals work since the alpha launch.

[danmancuso]

Every update the driver will call describe secret for each secret and, if it detects a modified secret, it will call GetSecretValue. Here's the logic for it.

So, yes, the logic remains the same. The recommended update of 1 hour should handle most scenarios so long as you are using multi-user rotation.

[davidkuhlke]

Every update the driver will call describe secret for each secret and, if it detects a modified secret, it will call GetSecretValue. Here's the logic for it.

So, yes, the logic remains the same. The recommended update of 1 hour should handle most scenarios so long as you are using multi-user rotation.

I looked through the logic, and it's still unclear to me what happens when the provider sees that it already has the current version of the secret. In that case does the API call still invoke against AWS Secrets Manager thus incurring a cost? Or does the API call only invoke when it's fetching a new version of the secret? For context, I am not using the rotation feature in AWS Secrets Manager, so my secret values should be static most of the time unless I manually update. I just need to know if I am going to be incurring costs for static AWS secrets with the CSI driver auto rotation polling every 2m.

[danmancuso]

DescribeSecret will be called per secret per update. DescribeSecret does incur a 'per XX api calls' charge.

In this case 15 secrets * 30 updates/hour = 450 'describe secret' calls per hour.

[davidkuhlke]

Hi @danmancuso,
Thanks for the clarification. Do you mean "polls" per hour instead of "updates"? My secrets aren't being updated in AWS Secrets Manager since they are static. Just want to clarify before closing this issue.

[simonmarty]

@davidkuhlke Yes that's correct, @danmancuso meant "update" as in "poll", not "updates" as in "secret value change"