[GH-ISSUE #138] Add Service Reference cache control flags #123

New issue

Open

opened 2026-03-07 19:42:17 +03:00 by kerem · 0 comments

kerem commented

2026-03-07 19:42:17 +03:00

Owner

Originally created by @C85297 on GitHub (Feb 4, 2026).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/138

I'd like to suggest a way for users to control the behaviour of the service reference cache.

Currently, the service reference cache is stored in the OS temp directory, under a IAMPolicyAutopilot directory, and expires after 6 hours.

I would suggest the addition of command line flags which could be used to specify an alternative directory, and override the cache expiry.

One use case which this would benefit is when running the command in a docker image. Allowing the user to control the cache directory will enable the user to point it to a volume to ensure the cache can be reused across containers.

It would also benefit those running IAM policy autopilot without internet access or with restrictive firewalls, who could disable the cache expiry.

As an alternative to command line flags, environment variables could be used. Perhaps these would make more sense, particularly in the context of managed environments or docker images.

Additionally, functionality could be added to fallback to an expired cache, with a warning, if internet access is not available.

And yet another option would be just to bundle the service reference into the binary, as is currently done for botocore data. This seems less ideal, but it would remove a lot of complexity, avoiding the need to make web requests and maintain a cache at runtime.

Let me know your thoughts - it depends a lot on the direction you have planned for the project. I'd be happy to implement this feature and make a pull request in whichever way you prefer.

Originally created by @C85297 on GitHub (Feb 4, 2026). Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/138 I'd like to suggest a way for users to control the behaviour of the service reference cache. Currently, the service reference cache is stored in the OS temp directory, under a `IAMPolicyAutopilot` directory, and expires after 6 hours. I would suggest the addition of command line flags which could be used to specify an alternative directory, and override the cache expiry. One use case which this would benefit is when running the command in a docker image. Allowing the user to control the cache directory will enable the user to point it to a volume to ensure the cache can be reused across containers. It would also benefit those running IAM policy autopilot without internet access or with restrictive firewalls, who could disable the cache expiry. As an alternative to command line flags, environment variables could be used. Perhaps these would make more sense, particularly in the context of managed environments or docker images. Additionally, functionality could be added to fallback to an expired cache, with a warning, if internet access is not available. And yet another option would be just to bundle the service reference into the binary, as is currently done for botocore data. This seems less ideal, but it would remove a lot of complexity, avoiding the need to make web requests and maintain a cache at runtime. Let me know your thoughts - it depends a lot on the direction you have planned for the project. I'd be happy to implement this feature and make a pull request in whichever way you prefer.