Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EC2CredentialsFetcher refreshes credentials too eagerly #1893

jutley opened this Issue Jan 23, 2019 · 3 comments


None yet
5 participants
Copy link

jutley commented Jan 23, 2019

In this SDK, EC2 Instance Profile credentials are refreshed if they are within 15 minutes of expiration, as seen here:

I believe this is an issue for a couple reasons:

  1. Most AWS SDKs refresh tokens if they are within 5 minutes of expiration. I verified this in the Ruby and Go SDKs. Javascript does not seem to refresh tokens early. Java is far longer than any other SDK I've seen so far.
  2. 15 minutes is the minimum length of time a token can be created for, which matches this SDK's early expiration window. This is problematic as there are 3rd party tools that help to manage Instance Profile credentials (such as KIAM, in our case) that default to using the most conservative configurations possible (reasonably so). In this scenario, this SDK refreshes tokens on EVERY request.
  3. This is non-configurable.

I think this 15 minute window should be dropped to 5 minutes to match the other libraries and enable conservative token policies.


This comment has been minimized.

Copy link

millems commented Jan 24, 2019

Sounds like a reasonable proposal, and easy to fix. +1 to making it 5 minutes (to match the other SDKs) and making it configurable.


This comment has been minimized.

Copy link

idimaster commented Feb 20, 2019

Under load synchronization on fetchCredentials method caused significant performance degradation


This comment has been minimized.

Copy link

tmc24win commented Feb 22, 2019

I am also observing a significant performance degradation as a result of this synchronized fetchCredentials() function.

Can you remove the synchronized in addition to the 5 minute reduction?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.