However, this puts the values of both the access token and the refresh token in plain text inside the user data of the EC2 instance. Thus anyone with ReadOnlyAccess to the AWS account can see the values of both tokens.
Hi @Bren – I’m following up on this topic. I’m working on Terraform code to deploy the connector in AWS. The TF code is based on the guide, but my plan is to store the tokens in AWS Secrets Manager; the EC2 instance will be granted permission to fetch them. The startup script needs a very small modification (install AWS CLI + jq, fetch the secrets), but everything else works pretty much untouched. I’ve tested this out locally, and it works fine.
I have a question about the lifetime of the Refresh Token, though. I think of the term “refresh token” as implying a short lifetime (hours, days); if that’s the case, then my approach will only work until that Refresh Token expires. However, Updating Connectors | Docs implies that the Refresh Token does not expire:
Connectors are uniquely identified by the tokens individually assigned to them. When updating a Connector, ensure that the same tokens are retained during the update process, otherwise new tokens will need to be provisioned.
Can you clarify whether the Refresh token expires? If I’ve misunderstood anything, or if you need any further information, please let me know.
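
The approach described in this post, sketched as an added example (not the poster's script or the vendor's): the startup script reads the tokens from AWS Secrets Manager through the instance role and writes them to a root-only file, so they never appear in user data. The secret names, file path and variable names are hypothetical, and each token is assumed to be stored as its own plaintext secret, so jq is not needed here.

```shell
#!/bin/sh
# Added example: fetch connector tokens at boot instead of embedding them
# in EC2 user data (which anyone with read access to the account can view).
# Hypothetical names, not from the thread: the two secret IDs, ENV_FILE,
# and the ACCESS_TOKEN / REFRESH_TOKEN keys written to the file.

ACCESS_SECRET_ID="${ACCESS_SECRET_ID:-connector/access-token}"
REFRESH_SECRET_ID="${REFRESH_SECRET_ID:-connector/refresh-token}"
ENV_FILE="${ENV_FILE:-/etc/connector/connector.conf}"

# Read one plaintext secret using the instance role's credentials.
# The role needs secretsmanager:GetSecretValue on these two secrets only.
get_secret() {
    aws secretsmanager get-secret-value \
        --secret-id "$1" --query SecretString --output text
}

# Write both tokens to a file readable only by its owner.
# Fails closed: nothing is written unless both fetches succeed.
write_token_file() {
    access=$(get_secret "$ACCESS_SECRET_ID") || return 1
    refresh=$(get_secret "$REFRESH_SECRET_ID") || return 1

    # The CLI prints "None" when a secret has no SecretString (binary secret).
    [ -n "$access" ] && [ "$access" != "None" ] || return 1
    [ -n "$refresh" ] && [ "$refresh" != "None" ] || return 1

    old_umask=$(umask)
    umask 077    # file is created 0600, new directories 0700
    mkdir -p "$(dirname "$ENV_FILE")" || { umask "$old_umask"; return 1; }
    printf 'ACCESS_TOKEN=%s\nREFRESH_TOKEN=%s\n' \
        "$access" "$refresh" > "$ENV_FILE"
    rc=$?
    umask "$old_umask"
    return "$rc"
}
```

Call `write_token_file` from the startup script before the connector starts, and keep `set -x` off around it so the token values are not echoed into the boot log.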