Pl.utils.execute() :new vs :access phases

Using the docker alpine 2.0 ce version, I have implemented a mechanic where certain configuration information is retrieved from aws dynamodb when a new container instantiates (auto-scaling).

Using pl.utils.execute() we can successfully call the aws cli command and retrieve a response (having passed the credential information into the environment variable -e
“AWS_SHARED_CREDENTIALS_FILE=/usr/local/credentials” during run) when called during the “new” phase.

However, when we attempt these calls during the “access” phase (understanding the performance implication), I get the "Unable to locate credentials. You can configure credentials by running “aws configure” error.

Disregarding whether it is wise to make a blocking http request durign the access phase, any suggestion/ideas of why the “aws cli” call would fail during :new as composed to :access? My guess is that its related to the master vs worker processes in nginx.

Thank you in advance for any help.

As you said, disregarding the anti-pattern of invoking a blocking system call during the access phase, the difference between the :new and :access plugins phases is that the former is ran by the Nginx master process, while the latter is ran by Nginx worker processes.
Environment variables are visible to the former, but cleared when worker processes are forked. To preserve environment variables in worker processes, one must rely on the Nginx env directive.

Nginx configuration directives can be injected by Kong: Configuration Reference - v2.2.x | Kong - Open-Source API Management and Microservice Management

And many more topics should touch on this topic on this forum as well: Search results for 'environment variable' - Kong Nation

1 Like

Perfect, thank you for confirming that. I assumed it had to do with environment variable access, but this also helps confirm my larger understanding of how kong/nginx work and interact.