Aws-sdk-java: EC2CredentialsFetcher refreshes credentials too eagerly

Created on 24 Jan 2019  路  4Comments  路  Source: aws/aws-sdk-java

In this SDK, EC2 Instance Profile credentials are refreshed if they are within 15 minutes of expiration, as seen here:
https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/EC2CredentialsFetcher.java#L43-L53

I believe this is an issue for a couple reasons:
1) Most AWS SDKs refresh tokens if they are within 5 minutes of expiration. I verified this in the Ruby and Go SDKs. Javascript does not seem to refresh tokens early. Java is far longer than any other SDK I've seen so far.
2) 15 minutes is the minimum length of time a token can be created for, which matches this SDK's early expiration window. This is problematic as there are 3rd party tools that help to manage Instance Profile credentials (such as KIAM, in our case) that default to using the most conservative configurations possible (reasonably so). In this scenario, this SDK refreshes tokens on EVERY request.
3) This is non-configurable.

I think this 15 minute window should be dropped to 5 minutes to match the other libraries and enable conservative token policies.

feature-request needs-discussion
Source
picture jutley
👍27 👀1

Most helpful comment

I am also observing a significant performance degradation as a result of this synchronized fetchCredentials() function.

Can you remove the synchronized in addition to the 5 minute reduction?

picture tmc24win on 22 Feb 2019
👍2

All 4 comments

Sounds like a reasonable proposal, and easy to fix. +1 to making it 5 minutes (to match the other SDKs) and making it configurable.

millems picture millems on 24 Jan 2019

Under load synchronization on fetchCredentials method caused significant performance degradation
https://github.com/aws/aws-sdk-java/blob/6097d36e3fac88faba16bad92bb021dade8c3a72/aws-java-sdk-core/src/main/java/com/amazonaws/auth/EC2CredentialsFetcher.java#L111

idimaster picture idimaster on 20 Feb 2019

I am also observing a significant performance degradation as a result of this synchronized fetchCredentials() function.

Can you remove the synchronized in addition to the 5 minute reduction?

tmc24win picture tmc24win on 22 Feb 2019
👍2

Unfortunately we're concentrating our development effort on 2.x of the SDK (based on customer feedback), and aren't planning to make many changes in 1.11.x at this time. If this is still an issue in 2.x of the SDK, please open an issue there and we'll investigate.

millems picture millems on 31 Mar 2020
👎9
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dalbani picture dalbani  路  5Comments
rdifalco picture rdifalco  路  5Comments
shanielh picture shanielh  路  5Comments
Yeggstry picture Yeggstry  路  3Comments
neil-rubens picture neil-rubens  路  5Comments