Auth: Respect async credentials update flag from DefaultCredentialsProvider for WebIdentityTokenFileCredentialProvider (#3899)

paulolieuthier · web-flow · commit 58278f6b1cc1 · 2023-05-08T12:04:44.000-04:00
Enable async credential update for WebIdentityTokenFileCredentialProvider
diff --git a/.changes/next-release/feature-AWSSDKforJavav2AWSSTS-ff6862b.json b/.changes/next-release/feature-AWSSDKforJavav2AWSSTS-ff6862b.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2, AWS STS",
+    "contributor": "paulolieuthier",
+    "description": "Respect async credentials update flag from DefaultCredentialsProvider for WebIdentityTokenFileCredentialProvider, potentially avoiding latency spikes on credentials expiration"
+}
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java
@@ -92,7 +92,9 @@ private static LazyAwsCredentialsProvider createChain(Builder builder) {
             AwsCredentialsProvider[] credentialsProviders = new AwsCredentialsProvider[] {
                 SystemPropertyCredentialsProvider.create(),
                 EnvironmentVariableCredentialsProvider.create(),
-                WebIdentityTokenFileCredentialsProvider.create(),
+                WebIdentityTokenFileCredentialsProvider.builder()
+                                                       .asyncCredentialUpdateEnabled(asyncCredentialUpdateEnabled)
+                                                       .build(),
                 ProfileCredentialsProvider.builder()
                                           .profileFile(builder.profileFile)
                                           .profileName(builder.profileName)
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/WebIdentityTokenFileCredentialsProvider.java b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/WebIdentityTokenFileCredentialsProvider.java
@@ -58,12 +58,15 @@ public class WebIdentityTokenFileCredentialsProvider
 
     private final Path webIdentityTokenFile;
 
+    private final Boolean asyncCredentialUpdateEnabled;
+
     private WebIdentityTokenFileCredentialsProvider(BuilderImpl builder) {
         AwsCredentialsProvider credentialsProvider = null;
         RuntimeException loadException = null;
         String roleArn = null;
         String roleSessionName = null;
         Path webIdentityTokenFile = null;
+        Boolean asyncCredentialUpdateEnabled = null;
 
         try {
             webIdentityTokenFile =
@@ -78,11 +81,15 @@ private WebIdentityTokenFileCredentialsProvider(BuilderImpl builder) {
                 builder.roleSessionName != null ? builder.roleSessionName
                                                 : SdkSystemSetting.AWS_ROLE_SESSION_NAME.getStringValue().orElse(null);
 
+            asyncCredentialUpdateEnabled =
+                builder.asyncCredentialUpdateEnabled != null ? builder.asyncCredentialUpdateEnabled : false;
+
             WebIdentityTokenCredentialProperties credentialProperties =
                 WebIdentityTokenCredentialProperties.builder()
                                                     .roleArn(roleArn)
                                                     .roleSessionName(roleSessionName)
                                                     .webIdentityTokenFile(webIdentityTokenFile)
+                                                    .asyncCredentialUpdateEnabled(asyncCredentialUpdateEnabled)
                                                     .build();
 
             credentialsProvider = WebIdentityCredentialsUtils.factory().create(credentialProperties);
@@ -98,6 +105,7 @@ private WebIdentityTokenFileCredentialsProvider(BuilderImpl builder) {
         this.roleArn = roleArn;
         this.roleSessionName = roleSessionName;
         this.webIdentityTokenFile = webIdentityTokenFile;
+        this.asyncCredentialUpdateEnabled = asyncCredentialUpdateEnabled;
     }
 
     public static WebIdentityTokenFileCredentialsProvider create() {
@@ -152,6 +160,12 @@ public interface Builder extends CopyableBuilder<Builder, WebIdentityTokenFileCr
          */
         Builder webIdentityTokenFile(Path webIdentityTokenFile);
 
+        /**
+         * Define whether the provider should fetch credentials asynchronously in the background.
+         */
+
+        Builder asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled);
+
         /**
          * Create a {@link WebIdentityTokenFileCredentialsProvider} using the configuration applied to this builder.
          */
@@ -162,6 +176,7 @@ static final class BuilderImpl implements Builder {
         private String roleArn;
         private String roleSessionName;
         private Path webIdentityTokenFile;
+        private Boolean asyncCredentialUpdateEnabled;
 
         BuilderImpl() {
         }
@@ -170,6 +185,7 @@ private BuilderImpl(WebIdentityTokenFileCredentialsProvider provider) {
             this.roleArn = provider.roleArn;
             this.roleSessionName = provider.roleSessionName;
             this.webIdentityTokenFile = provider.webIdentityTokenFile;
+            this.asyncCredentialUpdateEnabled = provider.asyncCredentialUpdateEnabled;
         }
 
         @Override
@@ -202,6 +218,16 @@ public void setWebIdentityTokenFile(Path webIdentityTokenFile) {
             webIdentityTokenFile(webIdentityTokenFile);
         }
 
+        @Override
+        public Builder asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled) {
+            this.asyncCredentialUpdateEnabled = asyncCredentialUpdateEnabled;
+            return this;
+        }
+
+        public void setAsyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled) {
+            asyncCredentialUpdateEnabled(asyncCredentialUpdateEnabled);
+        }
+
         @Override
         public WebIdentityTokenFileCredentialsProvider build() {
             return new WebIdentityTokenFileCredentialsProvider(this);
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/WebIdentityTokenCredentialProperties.java b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/WebIdentityTokenCredentialProperties.java
@@ -27,11 +27,13 @@ public class WebIdentityTokenCredentialProperties {
     private final String roleArn;
     private final String roleSessionName;
     private final Path webIdentityTokenFile;
+    private final Boolean asyncCredentialUpdateEnabled;
 
     private WebIdentityTokenCredentialProperties(Builder builder) {
         this.roleArn = builder.roleArn;
         this.roleSessionName = builder.roleSessionName;
         this.webIdentityTokenFile = builder.webIdentityTokenFile;
+        this.asyncCredentialUpdateEnabled = builder.asyncCredentialUpdateEnabled;
     }
 
     public String roleArn() {
@@ -46,6 +48,10 @@ public Path webIdentityTokenFile() {
         return webIdentityTokenFile;
     }
 
+    public Boolean asyncCredentialUpdateEnabled() {
+        return asyncCredentialUpdateEnabled;
+    }
+
     public static Builder builder() {
         return new Builder();
     }
@@ -54,6 +60,7 @@ public static final class Builder {
         private String roleArn;
         private String roleSessionName;
         private Path webIdentityTokenFile;
+        private Boolean asyncCredentialUpdateEnabled;
 
         public Builder roleArn(String roleArn) {
             this.roleArn = roleArn;
@@ -70,6 +77,11 @@ public Builder webIdentityTokenFile(Path webIdentityTokenFile) {
             return this;
         }
 
+        public Builder asyncCredentialUpdateEnabled(Boolean asyncCredentialUpdateEnabled) {
+            this.asyncCredentialUpdateEnabled = asyncCredentialUpdateEnabled;
+            return this;
+        }
+
         public WebIdentityTokenCredentialProperties build() {
             return new WebIdentityTokenCredentialProperties(this);
         }
diff --git a/services/sts/src/main/java/software/amazon/awssdk/services/sts/internal/StsWebIdentityCredentialsProviderFactory.java b/services/sts/src/main/java/software/amazon/awssdk/services/sts/internal/StsWebIdentityCredentialsProviderFactory.java
@@ -59,6 +59,8 @@ private static final class StsWebIdentityCredentialsProvider implements AwsCrede
         private StsWebIdentityCredentialsProvider(WebIdentityTokenCredentialProperties credentialProperties) {
             String roleSessionName = credentialProperties.roleSessionName();
             String sessionName = roleSessionName != null ? roleSessionName : "aws-sdk-java-" + System.currentTimeMillis();
+            Boolean asyncCredentialUpdateEnabled = credentialProperties.asyncCredentialUpdateEnabled() != null ?
+                                                   credentialProperties.asyncCredentialUpdateEnabled() : false;
 
             OrRetryCondition retryCondition =
                 OrRetryCondition.create(context -> context.exception() instanceof IdpCommunicationErrorException,
@@ -83,6 +85,7 @@ private StsWebIdentityCredentialsProvider(WebIdentityTokenCredentialProperties c
 
             this.credentialsProvider =
                 StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
+                                                               .asyncCredentialUpdateEnabled(asyncCredentialUpdateEnabled)
                                                                .stsClient(stsClient)
                                                                .refreshRequest(supplier)
                                                                .build();
