`AssumeRoleProvider` is not properly caching credentials #809
## Motivation and Context

Related to awslabs/aws-sdk-rust#809

## Description

It has been discovered that when `AssumeRoleProvider` is used, the Rust SDK emits `credentials cache miss occurred` twice per request. The reason why that log is shown twice is illustrated in the following diagram:

![Screenshot 2023-05-19 at 4 10 20 PM](https://github.com/awslabs/smithy-rs/assets/15333866/c6cce018-c821-4b46-8d47-b414af7b4d1e)

One of the cache miss messages is due to the fact `AssumeRoleProvider` internally uses an STS client, which, in turn, is wrapped by a `LazyCredentialsCache` by default. However, that use of `LazyCredentialsCache` is pointless because caching is already in effect with the outermost `LazyCredentialsCache`.

This PR adds a new kind of `CredentialsCache`, `NoCredentialsCache`. As its name suggests, it simply delegates `provide_cached_credentials` to the underlying provider's `provide_credentials` with no caching functionality. We then update `SsoCredentialsProvider`, `AssumeRoleProvider`, and `WebIdentityTokenCredentialsProvider` to use `NoCredentialsCache` for their STS clients so the logs won't show `credentials cache miss occurred` twice per request.

## Testing

- Added unit tests for `NoCredentialsCache`
- Updated unit test for `AssumeRoleProvider` to verify `NoCredentialsCache` is used by default

## Checklist

- [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._

---------

Co-authored-by: Yuki Saito <[email protected]>
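A minimal model of the double cache miss described in the commit message above, added here as an illustration and not taken from the SDK or the PR. The traits are simplified synchronous stand-ins, the names `LazyCache`, `NoCache`, `AssumeRole`, `BaseProvider` and `misses_for` are assumptions, and a shared counter stands in for the `credentials cache miss occurred` log line.

```rust
use std::cell::{Cell, RefCell};
use std::rc::Rc;

// Simplified, synchronous stand-ins for the SDK traits named in the PR description.
trait ProvideCredentials { fn provide_credentials(&self) -> String; }
trait ProvideCachedCredentials { fn provide_cached_credentials(&self) -> String; }

// Models a lazy cache: resolves once, then serves the stored value.
struct LazyCache<P> { inner: P, slot: RefCell<Option<String>>, misses: Rc<Cell<u32>> }
impl<P: ProvideCredentials> ProvideCachedCredentials for LazyCache<P> {
    fn provide_cached_credentials(&self) -> String {
        if let Some(c) = self.slot.borrow().as_ref() { return c.clone(); }
        self.misses.set(self.misses.get() + 1); // stands in for the cache-miss log line
        let c = self.inner.provide_credentials();
        *self.slot.borrow_mut() = Some(c.clone());
        c
    }
}

// Models the pass-through cache: delegates straight to the provider, stores nothing.
struct NoCache<P> { inner: P }
impl<P: ProvideCredentials> ProvideCachedCredentials for NoCache<P> {
    fn provide_cached_credentials(&self) -> String { self.inner.provide_credentials() }
}

struct BaseProvider; // hypothetical source of the long-lived base credentials
impl ProvideCredentials for BaseProvider {
    fn provide_credentials(&self) -> String { "base-credentials".into() }
}

// Models AssumeRoleProvider: its internal STS client resolves base credentials
// through its own cache before the role credentials can be returned.
struct AssumeRole { sts_cache: Box<dyn ProvideCachedCredentials> }
impl ProvideCredentials for AssumeRole {
    fn provide_credentials(&self) -> String {
        format!("role-credentials(via {})", self.sts_cache.provide_cached_credentials())
    }
}

// Counts cache misses over `requests` calls through one outer lazy cache.
fn misses_for(inner_lazy: bool, requests: u32) -> u32 {
    let misses = Rc::new(Cell::new(0));
    let sts_cache: Box<dyn ProvideCachedCredentials> = if inner_lazy {
        Box::new(LazyCache { inner: BaseProvider, slot: RefCell::new(None), misses: misses.clone() })
    } else { Box::new(NoCache { inner: BaseProvider }) };
    let outer = LazyCache { inner: AssumeRole { sts_cache }, slot: RefCell::new(None), misses: misses.clone() };
    for _ in 0..requests { outer.provide_cached_credentials(); }
    misses.get()
}

fn main() {
    println!("nested lazy caches: {} misses", misses_for(true, 3));
    println!("pass-through inner: {} misses", misses_for(false, 3));
}
```

In this model the outer cache alone decides how often role credentials are re-resolved, so swapping the inner cache for the pass-through removes the second miss without changing what the caller receives.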
smithy-lang/smithy-rs#2720 has replaced the inner cache of
Describe the bug

`AssumeRoleProvider` is not properly caching credentials when used as a credential provider for constructing an EC2 client. See below for the log messages and code snippets. This might be due to `AssumeRoleProvider` having its own inner cache because of the internal use of the STS client.

Expected Behavior

`AssumeRoleProvider` should be using the same credential cache provided by sdk_config and should cache credentials after the first request.

Current Behavior

Seeing two cache miss messages in the logs every time I make a request with a client constructed with `AssumeRoleProvider`. Seeing the messages with back-to-back requests.

Reproduction Steps

Construct an EC2 client using `AssumeRoleProvider` like the following and use the EC2 client to make a request:

SDK config is only loaded once when the application starts.

Possible Solution

No response

Additional Information/Context

No response

Version