Refresh token with WebIdentityTokenCredentialsProvider #2606

Closed
bpuertolas opened this issue Jul 5, 2021 · 4 comments
Labels
feature-request A feature should be added or improved.

Comments

@bpuertolas

Describe the Feature

Actually there is no way to refresh the AWS credentials when using the WebIdentityTokenCredentialsProvider. (Or maybe I didn't find it?)

Is your Feature Request related to a problem?

I use WebIdentityTokenCredentialsProvider to get IAM credentials when working with EKS.
Actually, I see in the tracing tool we use that AWSSecurityTokenService.AssumeRoleWithWebIdentity calls took more than 500ms on average, and we would like to reduce this with a background task which refreshes the token manually.

Proposed Solution

I don't know if it can solve the problem, but actually the refresh method in the WebIdentityTokenCredentialsProvider.class doesn't do anything. Maybe it can call this.credentialsProvider.refresh() instead?

@bpuertolas bpuertolas added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 5, 2021
@debora-ito
Member

Hi @bpuertolas

The Web Identity Token is provided by EKS in the file present in the path configured in the AWS_WEB_IDENTITY_TOKEN_FILE env variable; the SDK just uses the token to make the AssumeRole call. Any token refresh request must be made from the container side.

Let us know if this makes sense (or maybe I misunderstood the ask).

@debora-ito debora-ito added response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 17, 2021
@bpuertolas
Author

Hi @debora-ito

Thanks for your response but I think you misunderstood the ask. I will try to be more precise.
We have an application running on EKS which communicates with DynamoDB. Sometimes, we have long calls to STS to refresh the token in an endpoint which needs to answer fast to the client. It's happening in 1% of the traces. You can find here a screenshot of the problem:
[Screenshot from 2021-07-21 16-47-34]
We are looking for a solution to automatically refresh the token on the container side in such a way that it will never happen in a client request. First, I was thinking of calling the refresh() method of the CredentialProvider (the one used by dynamodb) periodically in a background task on my application. Unfortunately, it seems that the refresh method of the WebIdentityTokenCredentialsProvider class returns without doing anything:

public void refresh() {}

@github-actions github-actions bot removed the response-requested Waiting on additional info or feedback. Will move to "closing-soon" in 5 days. label Jul 21, 2021
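
The background-refresh idea discussed in this thread, as an added example using only the JDK (it is not code from the SDK or from either participant): credentials are renewed ahead of expiry on a timer thread, so the request path only reads a cached value and never serves an expired set. `PrefetchingCredentials`, `Expiring` and the `loader` supplier, which stands in for whatever performs the AssumeRoleWithWebIdentity call, are hypothetical names; Java 16 or later is assumed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

/** Keeps short-lived credentials fresh from a background thread (hypothetical helper). */
public final class PrefetchingCredentials<T> {
    public record Expiring<V>(V value, Instant expiresAt) {}  // credentials + their expiry time

    private final Supplier<Expiring<T>> loader;   // assumed: wraps the AssumeRoleWithWebIdentity call
    private final Duration refreshAhead;          // how long before expiry to renew
    private final Duration minInterval;           // floor between renewals, also the retry delay
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor(r -> {
        Thread t = new Thread(r, "credential-prefetch");
        t.setDaemon(true);                        // never keeps the JVM alive
        return t;
    });
    private volatile Expiring<T> current;

    public PrefetchingCredentials(Supplier<Expiring<T>> loader, Duration refreshAhead, Duration minInterval) {
        this.loader = loader;
        this.refreshAhead = refreshAhead;
        this.minInterval = minInterval;
        this.current = loader.get();              // first fetch at startup, not inside a request
        scheduleNext();
    }

    /** Request path: a volatile read only, never a network call. */
    public T get() {
        Expiring<T> c = current;
        if (!Instant.now().isBefore(c.expiresAt())) {   // fail closed instead of serving stale credentials
            throw new IllegalStateException("credentials expired and renewal is failing");
        }
        return c.value();
    }

    private void scheduleNext() {
        long ms = Duration.between(Instant.now(), current.expiresAt().minus(refreshAhead)).toMillis();
        // The floor stops a tight renewal loop when a session is shorter than refreshAhead.
        timer.schedule(this::renew, Math.max(minInterval.toMillis(), ms), TimeUnit.MILLISECONDS);
    }
    private void renew() {
        try {
            current = loader.get();               // the slow STS call happens here, off the request path
            scheduleNext();
        } catch (RuntimeException e) {            // keep the old set until it expires, retry later
            timer.schedule(this::renew, minInterval.toMillis(), TimeUnit.MILLISECONDS);
        }
    }
}
```

Choose `refreshAhead` comfortably larger than the slowest observed STS call plus `minInterval`, so that one failed renewal can be retried before the cached credentials expire.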
@debora-ito
Member

We are closing stale v1 issues before going into Maintenance Mode, so if this issue is still relevant in v2 please open a new issue in the v2 repo.

Reference:

  • Announcing end-of-support for AWS SDK for Java v1.x effective December 31, 2025 - blog post

@debora-ito debora-ito closed this as not planned Won't fix, can't repro, duplicate, stale Jul 26, 2024