
fix: ensure AWS credentials are resolved fresh on each request #3

Merged
stephaneberle9 merged 3 commits into stephaneberle9:main from abstraktor:fix/refresh-credentials
Feb 2, 2026

Conversation

@abstraktor

In our product, we have a long-lived BlobStoreContext and BlobStore instance. We're facing the issue that credentials expire after a while without being refreshed. This PR attempts to fix that (though I have no means to test it right now).

Do you think, this could fix the issue we are facing?

Analysis

In AWSCredentialsProvider.java:

public Credentials getCredentials() {
    if (this.awsCredentials == null) {
        this.awsCredentials = resolveAwsCredentials(); // ⚠️ Called ONCE and cached
    }
    // ... returns the cached credentials
}

The bug: awsCredentials is resolved once and then cached in an instance field. When temporary credentials expire (typically after 1 hour for IAM roles, 15 minutes for some STS tokens), jclouds keeps using the expired ones.

What SHOULD Happen (According to the Code Comments)
The code has this comment:

// Note: No need to manually refresh credentials, AWS SDK v2 handles credential refresh automatically
// via the credentials provider chain
This is misleading! The AWS SDK DefaultCredentialsProvider DOES auto-refresh, but only if you call .resolveCredentials() each time. By caching the result, jclouds bypasses the refresh mechanism.

Fix

Modified common/aws/src/main/java/org/jclouds/aws/credentials/AWSCredentialsProvider.java:

  1. Removed credential caching - Deleted the awsCredentials instance field that was caching credentials
  2. Updated getCredentials() method - Now calls resolveAwsCredentials() on every request instead of caching the result
  3. Removed misleading comment - The comment claiming AWS SDK handles refresh automatically was correct but misleading, as it only works when not caching credentials

Added regression test in common/aws/src/test/java/org/jclouds/aws/credentials/AWSCredentialsProviderTest.java:

  • testCredentialsAreNotCachedIndefinitely() - Verifies that credentials are resolved fresh on each call rather than being cached
  • Uses a testable subclass to track credential resolution calls without requiring real AWS credentials
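
As an added example (not jclouds code and not the PR's test), the following self-contained Java program contrasts the two shapes of getCredentials() described above: one that caches the resolved AwsCredentials object, and one that caches only the AwsCredentialsProvider and calls resolveCredentials() on every request. It assumes the AWS SDK v2 auth module (software.amazon.awssdk:auth) on the classpath; RotatingProvider, CachingAdapter and FreshAdapter are hypothetical names that stand in for DefaultCredentialsProvider and the jclouds adapter, and the rotation interval is shortened to milliseconds so the run finishes quickly.

```java
// Added example, not jclouds or AWS SDK code. Requires software.amazon.awssdk:auth
// on the classpath. RotatingProvider, CachingAdapter and FreshAdapter are hypothetical.
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.atomic.AtomicInteger;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;

public class CredentialRefreshDemo {

    /** Stands in for an STS-backed DefaultCredentialsProvider: hands out a new
     *  session token whenever the current one is older than ttl. */
    static final class RotatingProvider implements AwsCredentialsProvider {
        private final Duration ttl;
        private final AtomicInteger resolveCalls = new AtomicInteger();
        private int generation = 0;
        private Instant issuedAt = Instant.MIN;
        private AwsSessionCredentials current;

        RotatingProvider(Duration ttl) { this.ttl = ttl; }

        @Override
        public synchronized AwsCredentials resolveCredentials() {
            resolveCalls.incrementAndGet();
            Instant now = Instant.now();
            if (current == null || issuedAt.plus(ttl).isBefore(now)) {
                generation++;
                issuedAt = now;
                // Constructed placeholder values; a real provider would call STS here.
                current = AwsSessionCredentials.create(
                        "ASIAEXAMPLE", "secret-" + generation, "token-" + generation);
            }
            return current;
        }

        int resolveCalls() { return resolveCalls.get(); }
    }

    /** Pre-fix shape: resolve once, then keep returning the cached object. */
    static final class CachingAdapter {
        private final AwsCredentialsProvider provider;
        private AwsCredentials cached;
        CachingAdapter(AwsCredentialsProvider provider) { this.provider = provider; }
        AwsCredentials getCredentials() {
            if (cached == null) cached = provider.resolveCredentials();
            return cached;
        }
    }

    /** Post-fix shape: cache only the provider, resolve on every call. */
    static final class FreshAdapter {
        private final AwsCredentialsProvider provider;
        FreshAdapter(AwsCredentialsProvider provider) { this.provider = provider; }
        AwsCredentials getCredentials() { return provider.resolveCredentials(); }
    }

    static String token(AwsCredentials c) {
        return ((AwsSessionCredentials) c).sessionToken();
    }

    public static void main(String[] args) throws InterruptedException {
        Duration ttl = Duration.ofMillis(200); // short so the demo runs quickly

        RotatingProvider p1 = new RotatingProvider(ttl);
        CachingAdapter caching = new CachingAdapter(p1);
        String before = token(caching.getCredentials());
        Thread.sleep(ttl.toMillis() + 50);     // let the first token expire
        String after = token(caching.getCredentials());
        System.out.println("caching: " + before + " -> " + after
                + " (resolveCredentials calls: " + p1.resolveCalls() + ")");

        RotatingProvider p2 = new RotatingProvider(ttl);
        FreshAdapter fresh = new FreshAdapter(p2);
        before = token(fresh.getCredentials());
        Thread.sleep(ttl.toMillis() + 50);
        after = token(fresh.getCredentials());
        System.out.println("fresh:   " + before + " -> " + after
                + " (resolveCredentials calls: " + p2.resolveCalls() + ")");

        // Same property the PR's regression test guards: every call resolves.
        if (p2.resolveCalls() != 2) {
            throw new AssertionError("credentials were cached across calls");
        }
    }
}
```

Run with the SDK auth jar on the classpath. The caching adapter hands back the same session token after the rotation interval has elapsed and causes only one resolveCredentials() call, which is exactly the expired-token reuse the PR describes; the fresh adapter returns the rotated token and causes one resolution per getCredentials(). Holding the provider rather than the credentials is what keeps the SDK's own refresh logic in the loop, and the final check fails if that contract is ever broken.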

@stephaneberle9
Owner

Thanks a lot for this contribution. This addresses and fixes a critical issue.

Before merging it, we'd need to get over this test failure: https://github.com/stephaneberle9/jclouds/actions/runs/21396283792/job/61843076287?pr=3

Maybe just a missing dependency in the test project?

@abstraktor force-pushed the fix/refresh-credentials branch from 38e1129 to e257596 on February 2, 2026 12:01
@abstraktor
Author

Should be fixed now. It seems to test that providers/aws-s3 is usable without the AWS SDK. This usage seems to have worked beforehand by relying on the compiler to tolerate referencing missing classes in some places. My changes seem to have exceeded this tolerance…

@abstraktor force-pushed the fix/refresh-credentials branch from e257596 to 6f2109e on February 2, 2026 13:01
@stephaneberle9 stephaneberle9 merged commit e128f58 into stephaneberle9:main Feb 2, 2026
3 checks passed
stephaneberle9 pushed a commit that referenced this pull request Feb 2, 2026
…ic refresh (#3)

Fixes credential expiration issue in long-living BlobStoreContext instances
by removing credential caching and ensuring fresh credential resolution on
each request.

Problem:
- AWS credentials were cached in an instance field after first resolution
- Temporary credentials (IAM roles, STS tokens) would expire after 1 hour
  but were never refreshed
- Long-running applications using jclouds would fail with expired credentials

Solution:
- Removed the awsCredentials instance field that was caching credentials
- Modified getCredentials() to call resolveAwsCredentials() on every invocation
- AWS SDK v2's DefaultCredentialsProvider automatically refreshes credentials,
  but only when resolveCredentials() is called each time
- Cached the AwsCredentialsProvider instance instead to balance performance
  with credential freshness

Changes:
- common/aws: Removed credential caching from AWSCredentialsProvider
- common/aws: Added regression test to verify credentials are not cached
- providers/aws-s3: Fixed class loading to work without AWS SDK present
  in test environments

This enables automatic credential refresh for applications using IAM roles,
IRSA (EKS), or other temporary credential mechanisms without requiring
context recreation.