EC2CredentialsFetcher seems to force refresh, when expiration time has not been reached.

[tmc24win]

It seems like the logic in this function (isWithinExpirationThreshold() line 198) should evaluate greater than the expiration threshold.

(credentialsExpiration.getTime() - System.currentTimeMillis()) < EXPIRATION_THRESHOLD;

I checked that our iam server response returns an expiration date that is 10 minutes from now() and this provider is still forcing a refresh on every request. Since this is a synchronized code block it is severely impacting performance.

It also would be good to add some TRACE or DEBUG message, when the provider has to refresh the credentials.

[tmc24win]

It is possible that I am not understanding the intended functionality regarding EXPIRATION_THRESHOLD, but it seems like if the credentials are within 15 minutes, it constantly will force a re-fresh of the same credentials with the same expiration date negatively impacting performance. It would be beneficial to add the debug logging and possibly improve the documentation around what the purpose of the expiration threshold is.

[debora-ito]

Hi @tmc24win, your second comment is correct, if the credentials expiration date are within the 15 minutes they will be refreshed.

This doc about Using IAM Roles with EC2 mentions the 15 minutes expiration, but I agree with you, there should be a clearer documentation about this rule. I'll request that to the documentation team.

There is a feature request (#1893) to drop EXPIRATION_THRESHOLD to 5 minutes and make it configurable, you can +1 it to help the team prioritize its implementation.

[tmc24win]

Thanks, I will +1 that issue and add my comments to the other issue.

[debora-ito]

Do you have any suggestion where you'd like to see the documentation improvement?

[tmc24win]

After getting more understanding of the EC2CredentialsFetcher, it remains unclear to me what the difference between the REFRESH_THRESHOLD and the EXPIRATION_THRESHOLD is. It also seems having a refresh threshold greater than even a minute doesn't provide much use, because until the expiration time is actually reached, it continue to receive the same token.

Are you also planning to remove the synchronized method?

[debora-ito]

The credentials are refreshed if:

• The credentials expiration are within the EXPIRATION_THRESHOLD of 15 minutes; OR
• the last attempt to refresh credentials is greater than the REFRESH_THRESHOLD.

Currently REFRESH_THRESHOLD is 60 minutes. So if your credentials do not expire within 15 minutes but the last time you used them was more than 60 minutes ago, they'll be refreshed.

[debora-ito]

Closing this, let's keep the synchronized discussion in the feature request thread. Feel free to reopen if you have more questions.