Strange behavior with sts client

[anoopnarang]

Describe the bug

I am using sts client to assume roles in various accounts ( account id + role on demand ) to execute some operations. The setup is like, the sts client is created once in beginning and role assumption is done multiple times based on a message from queue or a http request.
In a long running setting, lets say external id gets changed and we recieve new external id from user, assumeRole simply gives UnAuthorized exception. On some testing, I found it takes a several minutes to address this external id change in trust relationship.

While in a short setting, where sts client gets created again and again, changes in external id takes few seconds to be addressed.

What might be reason for this behavior ?

Expected Behavior

StsClient should address changes in external id in same amount of time whether its long running or recreated with every request.

Current Behavior

stsClient in long running setting addresses the change in external id much slower than stsClient which is freshly created.

Reproduction Steps

public static void main(String[] args) {
        StsClient stsClient = StsClient.builder().credentialsProvider(ProfileCredentialsProvider.create("SomeProfile")).build();
        stsClient.assumeRole(AssumeRoleRequest.builder().roleArn("arn:aws:iam::123456789000:role/SomeRole").externalId("customExternalId").roleSessionName("Test").build());
        stsClient.close();
    }

Start with a role you can successfully assume from your local.
In above code, put a debug point on line number 2. Once there, modify the external id in trust relationship of the role in aws console. Evaluate the expression in debugger, it will give Unauthorized for lot of minutes.
If we simply restart the code, it will assume right away.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.20.103

JDK version used

openjdk 11.0.18 2023-01-17 OpenJDK Runtime Environment Temurin-11.0.18+10 (build 11.0.18+10) OpenJDK 64-Bit Server VM Temurin-11.0.18+10 (build 11.0.18+10, mixed mode)

Operating System and version

mac os 13.3.1

[debora-ito]

@anoopnarang every session created by an AssumeRole call has an expiration date. The STS client will try to refresh the credentials only when the session is close to the expiration date.

If I understood correctly, in you case the externalId is being changed in the middle of the session. Since it's not close enough to the session's expiration date, the STS client will continue to use the old credentials and get Unauthorized until it's time to refresh them.

This doesn't happen when you create a new STS client with every request because it is probably picking up the new externalId right away.

Does it make sense?

[github-actions]

It looks like this issue has not been active for more than five days. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please add a comment to prevent automatic closure, or if the issue is already closed please feel free to reopen it.

[anoopnarang]

@debora-ito Thanks, that makes sense. So I guess for usecases where new roles or roles with new external ids have to be assumed regularly, it would be better to create new client for each request.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.