ProfileCredentialsProvider use old credentials in case parallel requests try to refresh credentials #5001

Open
tczypion opened this issue Mar 7, 2024 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

tczypion commented Mar 7, 2024

Describe the bug

When ProfileCredentialsProvider is used, it sometimes happens that some requests use old/expired credentials.
The issue happens when a few parallel requests are executed at the same time.

After some analysis, it looks to me like both requests reach resolveCredentials in ProfileCredentialsProvider at the same time.

It looks to me like the synchronized code block for reloading credentials is not working correctly:

public AwsCredentials resolveCredentials() {
    if (loadException != null) {
        throw loadException;
    }
    ProfileFile cachedOrRefreshedProfileFile = refreshProfileFile();
    if (shouldUpdateCredentialsProvider(cachedOrRefreshedProfileFile)) {
        synchronized (credentialsProviderLock) {
            if (shouldUpdateCredentialsProvider(cachedOrRefreshedProfileFile)) {
                currentProfileFile = cachedOrRefreshedProfileFile;
                handleProfileFileReload(cachedOrRefreshedProfileFile);
            }
        }
    }

    return credentialsProvider.resolveCredentials();
}

In case the first request detects that the file has changed and it should update the credentials provider, it first sets currentProfileFile to the new one and later reloads the provider. If a second parallel request reaches this code block at the same time, it already sees the new file and may directly return credentialsProvider.resolveCredentials(), which will still use the old credentialsProvider.

Expected Behavior

All requests use the new credentials once the credential file has changed.

Current Behavior

Some requests use old credentials, which may already be expired.

Reproduction Steps

As this issue does not happen all the time and depends on a race condition, it occurs only in some cases.
To reproduce, the CredentialsProvider is configured this way:
DefaultCredentialsProvider.builder().profileFile(ProfileFileSupplier.reloadWhenModified(Paths.get(awsConfigFilePath), ProfileFile.Type.CREDENTIALS)).build();
When trying to reproduce, the AWS config files were changed and right after that a few parallel requests were sent; in some cases one of the requests was using old credentials.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

awssdk 2.25.1

JDK version used

openjdk 17.0.8 2023-07-18 LTS

Operating System and version

Ubuntu 22.04
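
A minimal model of the write ordering described in this issue, added here as an illustration; it is not AWS SDK code and not a proposed SDK patch. `GuardFirst`, `SnapshotSwap`, `parallelCaller`, `load` and the integer file version are hypothetical names: `GuardFirst` updates the guard before the delegate as in the quoted method, `SnapshotSwap` shows one alternative that publishes both in a single write, and `parallelCaller` parks one caller inside the reload and returns what a second, parallel caller receives.

```java
import java.util.concurrent.*;
import java.util.function.Function;
public class ReloadRaceDemo {
    static final int FILE_VERSION = 2;                    // constructed: file on disk rotated to v2
    static String load(int v) { return "creds-v" + v; }   // constructed stand-in for parsing it
    static class GuardFirst {                             // same write order as the quoted method
        volatile int currentVersion = 1;
        volatile String delegate = load(1);
        String resolve(Runnable window) {
            if (FILE_VERSION != currentVersion) {
                synchronized (this) {
                    if (FILE_VERSION != currentVersion) {
                        currentVersion = FILE_VERSION;    // guard already reports "up to date"
                        window.run();                     // delegate is still the old one here
                        delegate = load(FILE_VERSION);
                    }
                }
            }
            return delegate;
        }
    }
    static class SnapshotSwap {                           // guard and delegate published together
        record State(int version, String creds) {}
        volatile State state = new State(1, load(1));
        String resolve(Runnable window) {
            if (FILE_VERSION != state.version()) {
                synchronized (this) {
                    if (FILE_VERSION != state.version()) {
                        window.run();
                        state = new State(FILE_VERSION, load(FILE_VERSION)); // one write updates both
                    }
                }
            }
            return state.creds();
        }
    }
    static String parallelCaller(Function<Runnable, String> resolve) throws Exception {
        CompletableFuture<Void> inWindow = new CompletableFuture<>(), release = new CompletableFuture<>();
        CompletableFuture.supplyAsync(() -> resolve.apply(() -> { inWindow.complete(null); release.join(); }));
        inWindow.join();                                  // caller A is now inside the reload
        CompletableFuture<String> b = CompletableFuture.supplyAsync(() -> resolve.apply(() -> { }));
        try { return b.get(300, TimeUnit.MILLISECONDS); } // B returned without waiting for A
        catch (TimeoutException blocked) { release.complete(null); return b.get(); }
        finally { release.complete(null); }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("guard-first:   " + parallelCaller(new GuardFirst()::resolve));
        System.out.println("snapshot-swap: " + parallelCaller(new SnapshotSwap()::resolve));
    }
}
```

The record syntax needs JDK 16 or later, which the JDK 17 listed above satisfies.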
