Skip to content

Fix StsWebIdentityTokenFileCredentialsProvider not respecting prefetchTime and staleTime configuration #6650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
S-Saranya1 wants to merge 6 commits into
base: master
Choose a base branch
from
+126 −1
Open

Fix StsWebIdentityTokenFileCredentialsProvider not respecting prefetchTime and staleTime configuration #6650

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4c38871
Fix sts web identity provider not respecting prefetch time and stale …
S-Saranya1 Dec 30, 2025
e644134
Adding additional tests
S-Saranya1 Dec 31, 2025
b1e0909
Fix failed test
S-Saranya1 Dec 31, 2025
da8fed4
Add changelog
S-Saranya1 Dec 31, 2025
ef70dc6
Address PR feedback
S-Saranya1 Dec 31, 2025
ae5ff20
Change wait buffer to to reduce test flakiness
S-Saranya1 Jan 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changes/next-release/bugfix-AWSSTS-bc7dfee.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"type": "bugfix",
"category": "AWS STS",
"contributor": "",
"description": "Fix `StsWebIdentityTokenFileCredentialsProvider` not respecting custom `prefetchTime` and `staleTime` configurations."
}
8 changes: 8 additions & 0 deletions ...es/sts/src/main/java/software/amazon/awssdk/services/sts/auth/StsCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,14 @@ public Duration prefetchTime() {
return prefetchTime;
}

/**
* Whether the provider should fetch credentials asynchronously in the background.
* <p>By default, this is false.</p>
*/
public Boolean asyncCredentialUpdateEnabled() {
return asyncCredentialUpdateEnabled;
}

@Override
public String toString() {
return ToString.create(providerName());
Expand Down
6 changes: 5 additions & 1 deletion .../software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenFileCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,10 +106,14 @@ private StsWebIdentityTokenFileCredentialsProvider(Builder builder) {
.assumeRoleWithWebIdentityRequest(assumeRoleWithWebIdentityRequest.get())
.webIdentityTokenFile(credentialProperties.webIdentityTokenFile())
.build();

credentialsProviderLocal =
StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
.stsClient(builder.stsClient)
.refreshRequest(supplier)
.staleTime(this.staleTime())
.prefetchTime(this.prefetchTime())
.asyncCredentialUpdateEnabled(this.asyncCredentialUpdateEnabled())
.build();
} catch (RuntimeException e) {
// If we couldn't load the credentials provider for some reason, save an exception describing why. This exception
Expand Down Expand Up @@ -181,7 +185,7 @@ private Builder() {
}

private Builder(StsWebIdentityTokenFileCredentialsProvider provider) {
super(StsWebIdentityTokenFileCredentialsProvider::new);
super(StsWebIdentityTokenFileCredentialsProvider::new, provider);
this.roleArn = provider.roleArn;
this.roleSessionName = provider.roleSessionName;
this.webIdentityTokenFile = provider.webIdentityTokenFile;
Expand Down
107 changes: 107 additions & 0 deletions ...a/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenCredentialProviderTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,16 @@
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityResponse;
import software.amazon.awssdk.services.sts.model.AssumedRoleUser;
import software.amazon.awssdk.services.sts.model.Credentials;

import java.nio.file.Paths;
import java.time.Duration;
import java.time.Instant;
import software.amazon.awssdk.testutils.EnvironmentVariableHelper;

import static org.mockito.Mockito.when;
import static org.assertj.core.api.Assertions.assertThat;

@ExtendWith(MockitoExtension.class)
class StsWebIdentityTokenCredentialProviderTest {
Expand Down Expand Up @@ -111,4 +114,108 @@ void createAssumeRoleWithWebIdentityTokenCredentialsProvider_raisesInResolveCred
// exception should be raised lazily when resolving credentials, not at creation time.
Assert.assertThrows(IllegalStateException.class, provider::resolveCredentials);
}

@Test
void customPrefetchTime_actuallyTriggersRefreshEarly() throws InterruptedException {
Mockito.reset(stsClient);

Instant tokenExpiration = Instant.now().plusSeconds(5);
Duration customPrefetchTime = Duration.ofSeconds(2);
Duration customStaleTime = Duration.ofSeconds(1);

when(stsClient.assumeRoleWithWebIdentity(Mockito.any(AssumeRoleWithWebIdentityRequest.class)))
.thenReturn(AssumeRoleWithWebIdentityResponse.builder()
.credentials(Credentials.builder()
.accessKeyId("key1")
.secretAccessKey("secret1")
.sessionToken("session1")
.expiration(tokenExpiration)
.build())
.assumedRoleUser(AssumedRoleUser.builder()
.arn("arn:aws:iam::123456789012:role/test-role")
.assumedRoleId("role:session")
.build())
.build())

.thenReturn(AssumeRoleWithWebIdentityResponse.builder()
.credentials(Credentials.builder()
.accessKeyId("key2")
.secretAccessKey("secret2")
.sessionToken("session2")
.expiration(Instant.now().plusSeconds(8))
.build())
.assumedRoleUser(AssumedRoleUser.builder()
.arn("arn:aws:iam::123456789012:role/test-role")
.assumedRoleId("role:session")
.build())
.build());


StsWebIdentityTokenFileCredentialsProvider provider =
StsWebIdentityTokenFileCredentialsProvider.builder()
.stsClient(stsClient)
.asyncCredentialUpdateEnabled(true)
.prefetchTime(customPrefetchTime)
.staleTime(customStaleTime)
.build();

try {
assertThat(provider.prefetchTime()).isEqualTo(customPrefetchTime);
assertThat(provider.staleTime()).isEqualTo(customStaleTime);

provider.resolveCredentials();
Mockito.verify(stsClient, Mockito.times(1)).assumeRoleWithWebIdentity(Mockito.any(AssumeRoleWithWebIdentityRequest.class));

// Wait 5 seconds to ensure prefetch completes
Thread.sleep(5_000);
Mockito.verify(stsClient, Mockito.times(2)).assumeRoleWithWebIdentity(Mockito.any(AssumeRoleWithWebIdentityRequest.class));

} finally {
provider.close();
}
}

@Test
void defaultTiming_usesStandardValues() {
StsWebIdentityTokenFileCredentialsProvider provider =
StsWebIdentityTokenFileCredentialsProvider.builder()
.stsClient(stsClient)
.build();

try {
assertThat(provider.prefetchTime()).isEqualTo(Duration.ofMinutes(5));
assertThat(provider.staleTime()).isEqualTo(Duration.ofMinutes(1));
} finally {
provider.close();
}
}

@Test
void toBuilder_preservesCustomTimingConfiguration() {
Duration customPrefetch = Duration.ofMinutes(10);
Duration customStale = Duration.ofMinutes(3);

StsWebIdentityTokenFileCredentialsProvider originalProvider =
StsWebIdentityTokenFileCredentialsProvider.builder()
.stsClient(stsClient)
.prefetchTime(customPrefetch)
.staleTime(customStale)
.build();

try {
assertThat(originalProvider.prefetchTime()).isEqualTo(customPrefetch);
assertThat(originalProvider.staleTime()).isEqualTo(customStale);

StsWebIdentityTokenFileCredentialsProvider copiedProvider = originalProvider.toBuilder().build();

try {
assertThat(copiedProvider.prefetchTime()).isEqualTo(customPrefetch);
assertThat(copiedProvider.staleTime()).isEqualTo(customStale);
} finally {
copiedProvider.close();
}
} finally {
originalProvider.close();
}
}
}
Loading