[GH-ISSUE #138] Add Service Reference cache control flags #123

Open
opened 2026-03-07 19:42:17 +03:00 by kerem · 0 comments

Originally created by @C85297 on GitHub (Feb 4, 2026).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/138

I'd like to suggest a way for users to control the behaviour of the service reference cache.

Currently, the service reference cache is stored in the OS temp directory, under an `IAMPolicyAutopilot` directory, and expires after 6 hours.

I would suggest the addition of command line flags which could be used to specify an alternative directory, and override the cache expiry.

One use case which this would benefit is when running the command in a Docker image. Allowing the user to control the cache directory will enable the user to point it to a volume to ensure the cache can be reused across containers.

It would also benefit those running IAM Policy Autopilot without internet access or with restrictive firewalls, who could disable the cache expiry.

As an alternative to command line flags, environment variables could be used. Perhaps these would make more sense, particularly in the context of managed environments or Docker images.

Additionally, functionality could be added to fall back to an expired cache, with a warning, if internet access is not available.

And yet another option would be just to bundle the service reference into the binary, as is currently done for botocore data. This seems less ideal, but it would remove a lot of complexity, avoiding the need to make web requests and maintain a cache at runtime.

Let me know your thoughts - it depends a lot on the direction you have planned for the project. I'd be happy to implement this feature and make a pull request in whichever way you prefer.
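
An added sketch of the behaviour proposed in this issue (not part of the original post and not the project's code): directory and expiry overrides read from the environment, with a fallback to an expired cache when the refresh fails. The variable names, the `never` value and all function and type names are hypothetical, and Rust is an assumption about the project's language.

```rust
use std::path::PathBuf;
use std::time::Duration;

// Hypothetical names: the issue proposes the controls but names none of them.
const DIR_VAR: &str = "IAM_POLICY_AUTOPILOT_CACHE_DIR";
const TTL_VAR: &str = "IAM_POLICY_AUTOPILOT_CACHE_TTL_SECS";
const DEFAULT_TTL: Duration = Duration::from_secs(6 * 60 * 60); // current 6-hour expiry

#[derive(Debug, PartialEq)]
pub struct CacheConfig { pub dir: PathBuf, pub ttl: Option<Duration> } // ttl None = never expires

#[derive(Debug, PartialEq)]
pub enum Source { Cache, Network, StaleCache }

/// Build the config from a lookup function so tests need not touch the real environment.
pub fn config_from<F: Fn(&str) -> Option<String>>(get: F) -> Result<CacheConfig, String> {
    let dir = match get(DIR_VAR) {
        Some(d) if !d.is_empty() => PathBuf::from(d),
        _ => std::env::temp_dir().join("IAMPolicyAutopilot"), // current default location
    };
    let ttl = match get(TTL_VAR).as_deref() {
        None => Some(DEFAULT_TTL),
        Some("never") => None,
        // Reject malformed values instead of silently reverting to the default.
        Some(s) => Some(Duration::from_secs(
            s.parse::<u64>().map_err(|e| format!("{}={:?}: {}", TTL_VAR, s, e))?)),
    };
    Ok(CacheConfig { dir, ttl })
}

/// Decide where the service reference comes from; `fetch` runs only when the cache is not fresh.
pub fn resolve<F>(cfg: &CacheConfig, cached_age: Option<Duration>, fetch: F) -> Result<Source, String>
where F: FnOnce() -> Result<(), String> {
    let fresh = match (cached_age, cfg.ttl) {
        (Some(_), None) => true, // expiry disabled
        (Some(age), Some(ttl)) => age < ttl,
        (None, _) => false, // nothing cached yet
    };
    if fresh { return Ok(Source::Cache); }
    match fetch() {
        Ok(()) => Ok(Source::Network),
        Err(e) if cached_age.is_some() => {
            eprintln!("warning: refresh failed ({}); using expired service reference cache", e);
            Ok(Source::StaleCache)
        }
        Err(e) => Err(format!("no cached service reference and refresh failed: {}", e)),
    }
}

fn main() {
    let cfg = config_from(|k| std::env::var(k).ok()).expect("invalid cache setting");
    println!("{:?}", cfg);
}
```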
