feat: Add automatic credential renewal with intelligent scheduling #181

Open
inderpartap wants to merge 3 commits into dowjones:main from MoveRDC:feature/auto-renewal

@inderpartap

Summary

Implements automatic renewal of AWS credentials before expiration, eliminating manual re-authentication throughout the workday.

Key Features

  • Background daemon monitors specified profiles and auto-renews before expiration
  • Intelligent scheduling: sleeps until renewal needed (no constant polling)
  • Batch renewal: multiple profiles renewed with single Okta authentication using --multi-profiles
  • Config responsiveness: max_sleep_minutes ensures config changes picked up promptly
  • macOS launchd integration: service survives system sleep/wake
  • Device token support: passwordless renewal after initial authentication
  • Expiration tracking: stores credential expiration in ~/.aws/credentials

New CLI Commands

# Enable auto-renewal
tokendito --auto-renew-enable \
    --auto-renew-profiles default \
    --auto-renew-profiles cicd_prod

# Check status
tokendito --auto-renew-status

# Disable
tokendito --auto-renew-disable

# Manual daemon
tokendito-renew-daemon [--check-once]

Configuration

Settings stored in tokendito.ini:

[auto-renewal]
enabled = true
profiles = profile1, profile2
renewal_threshold_minutes = 30
check_interval_minutes = 10
max_sleep_minutes = 60

Technical Details

Intelligent Scheduling

  • Daemon calculates when credentials expire
  • Sleeps until renewal time (not polling at intervals)
  • Example: 12-hour credentials → wakes up every 60 min to check config, renews at 11.5 hour mark
  • Max sleep cap ensures config changes picked up within 60 minutes

Batch Renewal Efficiency

  • Uses tokendito --multi-profiles profile1 --multi-profiles profile2 ...
  • Single Okta authentication for all profiles needing renewal
  • Much more efficient than individual renewals

Platform Support

  • macOS: Full support with automatic launchd service
  • Linux/Windows: Manual daemon execution (systemd/Task Scheduler recommended)

Test Coverage

  • 29 unit tests (100% passing)
  • Comprehensive coverage of renewal logic, scheduling, and daemon operations
  • Mock-based tests (no external dependencies)

Documentation

  • docs/AUTO_RENEWAL.md: Complete user guide
  • Multiple technical guides and quick start documentation
  • Updated main README with auto-renewal section

Test Plan

  • Unit tests pass
  • Manual testing on macOS with 6 profiles
  • Verified launchd service starts and runs
  • Confirmed batch renewal with --multi-profiles
  • Validated intelligent scheduling calculations
  • Tested config change detection (max_sleep_minutes)
  • Verified expiration tracking in credentials file
  • Integration testing with real credentials
  • Long-term stability testing (24+ hours)

Breaking Changes

None. This is a new feature with no impact on existing functionality.

Related Issues

Implements credential auto-renewal functionality requested for continuous development workflows.


🤖 Generated with Claude Code
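
The scheduling rule described under "Intelligent Scheduling" and "Batch Renewal Efficiency", sketched as an added example; this is not code from the PR or from tokendito. The function names, the `expirations` mapping and the handling of a missing expiration are assumptions made for illustration.

```python
import configparser
from datetime import timedelta

# Constructed sample: the [auto-renewal] section as shown in the PR description.
SAMPLE_INI = """
[auto-renewal]
enabled = true
profiles = profile1, profile2
renewal_threshold_minutes = 30
check_interval_minutes = 10
max_sleep_minutes = 60
"""

def load_settings(ini_text):
    """Parse the section; check_interval_minutes is not modelled here
    because the page does not describe its role."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["auto-renewal"]
    return {
        "enabled": sec.getboolean("enabled"),
        "profiles": [p.strip() for p in sec["profiles"].split(",") if p.strip()],
        "threshold": timedelta(minutes=sec.getint("renewal_threshold_minutes")),
        "max_sleep": timedelta(minutes=sec.getint("max_sleep_minutes")),
    }

def plan(settings, expirations, now):
    """Return (profiles due for renewal now, how long to sleep otherwise)."""
    due, next_renewal = [], None
    for profile in settings["profiles"]:
        expires = expirations.get(profile)
        # Assumption: a profile with no recorded expiration is treated as due,
        # so a missing timestamp leads to re-authentication, not silent expiry.
        renew_at = expires - settings["threshold"] if expires else now
        if renew_at <= now:
            due.append(profile)
        elif next_renewal is None or renew_at < next_renewal:
            next_renewal = renew_at
    if due:
        return due, timedelta(0)
    if next_renewal is None:  # no profiles configured
        return [], settings["max_sleep"]
    # Cap the sleep so config edits are noticed within max_sleep_minutes.
    return [], min(next_renewal - now, settings["max_sleep"])

def batch_command(profiles):
    """One tokendito invocation covering every due profile."""
    return ["tokendito"] + [a for p in profiles for a in ("--multi-profiles", p)]
```

With 12-hour credentials and the settings above, `plan` returns a 60-minute sleep until the 11.5-hour mark approaches, then a shorter sleep, then the list of due profiles.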

Implements automatic renewal of AWS credentials before expiration, eliminating
manual re-authentication throughout the workday.

Key features:
- Background daemon monitors specified profiles and auto-renews before expiration
- Intelligent scheduling: sleeps until renewal needed (no constant polling)
- Batch renewal: multiple profiles renewed with single Okta authentication
- Config responsiveness: max_sleep_minutes ensures config changes picked up promptly
- macOS launchd integration: service survives system sleep/wake
- Device token support: passwordless renewal after initial authentication
- Expiration tracking: stores credential expiration in ~/.aws/credentials

New CLI commands:
- tokendito --auto-renew-enable --auto-renew-profiles <names>
- tokendito --auto-renew-disable
- tokendito --auto-renew-status
- tokendito-renew-daemon (standalone daemon command)

Configuration stored in tokendito.ini:
[auto-renewal]
enabled = true
profiles = profile1, profile2
renewal_threshold_minutes = 30
check_interval_minutes = 10
max_sleep_minutes = 60

Platform support:
- macOS: Full support with automatic launchd service
- Linux/Windows: Manual daemon execution (systemd/Task Scheduler recommended)
Author

To be removed.
Consider this as an in-depth explanation of the feature set while the PR is in review. We'll clean up the docs when it's ready to be merged.

inderpartap force-pushed the feature/auto-renewal branch from 70bb69c to cf0ec3a, March 20, 2026 22:58
inderpartap force-pushed the feature/auto-renewal branch from 25ab2c4 to 8058069, March 26, 2026 18:30

memo-moreno left a comment

Works for me
