aws / aws-sdk-java-v2

The official AWS SDK for Java - Version 2
Apache License 2.0

Don't Throw at Construction Time for StsWebIdentityTokenFileCredentialsProvider #3952

Open dshick-nydig opened 1 year ago

dshick-nydig commented 1 year ago

Describe the bug

StsWebIdentityTokenFileCredentialsProvider throws on instantiation when certain environment variables are unset. This makes it impossible to use in an AwsCredentialsProviderChain unless an AWS_WEB_IDENTITY_TOKEN_FILE environment variable is set.

Expected Behavior

StsWebIdentityTokenFileCredentialsProvider instantiates successfully but throws on the first invocation of resolveCredentials via the loadException instance variable. This would allow a StsWebIdentityTokenFileCredentialsProvider to be used in a credential chain when not configured properly.

Current Behavior

At the time of instantiation, the StsWebIdentityTokenFileCredentialsProvider throws: "Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set."

Reproduction Steps

Attempt to use a StsWebIdentityTokenFileCredentialsProvider in an AwsCredentialsProviderChain without setting the appropriate environment variables pointing to a token file.

Possible Solution

This try should be lifted above the resolution of SdkSystemSettings, as is done in the core WebIdentityTokenFileCredentialsProvider.

Additional Information/Context

No response

AWS Java SDK version used

commit hash: 34d02707297ce3fec31da6e431d1bc6e276e0f55 (i.e. the latest as of writing this issue)

JDK version used

openjdk 17.0.4.1 2022-08-12

Operating System and version

macOS 13.3.1 (22E261)

debora-ito commented 1 year ago

@dshick-nydig

This would allow a StsWebIdentityTokenFileCredentialsProvider to be used in a credential chain when not configured properly.

I don't quite understand the ask here. How would you use it if it's not properly configured?

dshick-nydig commented 1 year ago

> @dshick-nydig
>
> This would allow a StsWebIdentityTokenFileCredentialsProvider to be used in a credential chain when not configured properly.
>
> I don't quite understand the ask here. How would you use it if it's not properly configured?

Sure, I can elaborate. This only makes sense when discussing this provider as part of a larger credential chain. In some cases it might be configured correctly while in others it may not.

In our example, a service may be running on ECS or EKS, meaning that we either want the metadata service or WebIdentityToken. If this code belongs to a library intended for use in many services, we don't know until runtime which we will want.

The normal behavior of the chain would be to fall through to the next provider if an earlier provider in the chain is misconfigured and throws when attempting to resolve credentials. This one provider behaves differently than the others and throws at the time of instantiation if certain env vars or properties aren't set, rather than at time of use.
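
The fall-through behaviour described above, as an added example that is not part of the SDK or of this issue thread: a hypothetical `LazyCredentialsProvider` adapter (my name, not an SDK class) defers construction of the wrapped provider to the first `resolveCredentials()` call and reports a constructor failure as an `SdkClientException`, which `AwsCredentialsProviderChain` treats like any other resolution failure and moves on to the next provider. It assumes the `auth` and `sts` modules of the SDK are on the classpath; the EKS-then-ECS ordering in `main` is illustrative.

```java
import java.util.function.Supplier;

import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;

/**
 * Hypothetical adapter (not an SDK class): builds the wrapped provider on the
 * first resolveCredentials() call instead of at construction time, so a
 * provider that throws in its constructor behaves like one that throws at
 * resolve time and the chain can fall through to the next provider.
 */
public final class LazyCredentialsProvider implements AwsCredentialsProvider {
    private final Supplier<AwsCredentialsProvider> factory;
    private volatile AwsCredentialsProvider delegate;

    public LazyCredentialsProvider(Supplier<AwsCredentialsProvider> factory) {
        this.factory = factory;
    }

    @Override
    public AwsCredentials resolveCredentials() {
        AwsCredentialsProvider d = delegate;
        if (d == null) {
            synchronized (this) {
                d = delegate;
                if (d == null) {
                    try {
                        d = factory.get();
                    } catch (RuntimeException e) {
                        // AwsCredentialsProviderChain catches RuntimeException from each
                        // provider and tries the next one; surface the construction
                        // failure as a resolution failure so the chain keeps going.
                        throw SdkClientException.create(
                            "Credentials provider could not be constructed: " + e.getMessage(), e);
                    }
                    delegate = d;
                }
            }
        }
        return d.resolveCredentials();
    }

    public static void main(String[] args) {
        AwsCredentialsProviderChain chain = AwsCredentialsProviderChain.builder()
            // EKS: requires AWS_WEB_IDENTITY_TOKEN_FILE (or aws.webIdentityTokenFile);
            // without the lazy wrapper, create() would throw here and abort chain construction.
            .addCredentialsProvider(new LazyCredentialsProvider(
                StsWebIdentityTokenFileCredentialsProvider::create))
            // ECS: task role obtained from the container credentials endpoint.
            .addCredentialsProvider(ContainerCredentialsProvider.create())
            .build();

        // In an EKS pod the first provider resolves; in an ECS task it throws at
        // resolve time and the chain falls through to the container provider.
        AwsCredentials creds = chain.resolveCredentials();
        System.out.println("Resolved credentials for access key id " + creds.accessKeyId());
    }
}
```

The double-checked `volatile` delegate keeps the adapter safe when several threads resolve credentials at once; once the wrapped provider has been built it is reused, so the STS-backed provider's own caching and refresh behaviour is unaffected.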

dshick-nydig commented 1 year ago

> This would allow a StsWebIdentityTokenFileCredentialsProvider to be used in a credential chain when not configured properly.

I should have written "would allow [it] to be included in a credential chain when not configured properly".

debora-ito commented 12 months ago

@dshick-nydig apologies for losing track of this, and thank you for the clarification. Yes, we should make the behavior consistent across the credential providers.