verdaccio / monorepo

🏰 Core dependencies and plugins for verdaccio 5.x branch ⚠️ DEPRECATED
https://verdaccio.org
MIT License

Large number of `AssumeRoleWithWebIdentity` events when using `aws-s3-storage` plugin #691

Open millerick opened 8 months ago

millerick commented 8 months ago

Describe the bug

I'm using verdaccio 5.24 as a pull-through cache with the aws-s3-storage plugin for storage. I've noticed in our CloudTrail events that this service is responsible for substantially all AssumeRoleWithWebIdentity events reported by CloudTrail. I don't believe Verdaccio needs to be assuming a role this many times in order to make its requests to S3. It should be able to assume a session once and make use of the session for multiple requests until the session expires.

As an example, when I use `npm i lodash --save --save-exact` to install lodash into an empty package.json, I see 3 AssumeRoleWithWebIdentity events. `npm i mocha --save --save-exact` to install mocha into an empty package.json results in 124 AssumeRoleWithWebIdentity events.

To Reproduce

Run verdaccio as a pull-through cache against the public NPM registry and run an NPM install against it. Use an S3 bucket for the underlying storage. Use CloudTrail for the account the S3 bucket is in to see the large number of AssumeRoleWithWebIdentity requests made against it.

Configuration File (cat ~/.config/verdaccio/config.yaml)

```yaml
---
web:
  title: redacted

server:
  keepAliveTimeout: 60

middlewares:
  audit:
    enabled: true

logs:
  - {type: stdout, format: pretty, level: info}

store:
  aws-s3-storage:
    bucket: redacted
    keyPrefix: public

packages:
  '**':
    access: $all
    publish: none
    proxy: npmjs

uplinks:
  npmjs:
    url: https://registry.npmjs.org/
    cache: true
```

Environment information

  System:
    OS: Linux 5.4 Alpine Linux
    CPU: (16) x64 Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz
  Binaries:
    npm: 9.8.1 - /usr/local/bin/npm

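The behaviour the report expects (assume the role once, reuse the session until it is about to expire) versus the behaviour the CloudTrail counts suggest (one AssumeRole per request), as an added example. This is not verdaccio or aws-s3-storage code and makes no claim about where in the plugin the extra calls come from; the `assumeRoleWithWebIdentity()` function below is a simulated stand-in for the STS call, not the AWS SDK API, the credential values are constructed, and the clock is passed in explicitly so the file runs offline and deterministically.

```javascript
// Added example, not code from verdaccio or the aws-s3-storage plugin.
// It contrasts a credential provider that assumes a role on every lookup
// with one that caches the session and refreshes it shortly before expiry.
// assumeRoleWithWebIdentity() is a simulated stand-in for STS, not the SDK.

const SESSION_TTL_MS = 60 * 60 * 1000;   // 1 hour, a typical STS session length
const REFRESH_WINDOW_MS = 5 * 60 * 1000; // refresh when under 5 minutes remain

let stsCalls = 0; // counts simulated AssumeRoleWithWebIdentity calls

// Simulated STS response: temporary credentials valid for SESSION_TTL_MS.
function assumeRoleWithWebIdentity(nowMs) {
  stsCalls += 1;
  return {
    accessKeyId: `ASIA-CONSTRUCTED-${stsCalls}`, // constructed values
    secretAccessKey: 'constructed-secret',
    sessionToken: `constructed-session-${stsCalls}`,
    expiration: nowMs + SESSION_TTL_MS,
  };
}

// Naive provider: one AssumeRole per credential lookup. If every S3 request
// resolves credentials this way, STS is called once per request.
function makeNaiveProvider() {
  return (nowMs) => assumeRoleWithWebIdentity(nowMs);
}

// Caching provider: reuse the session until it is within REFRESH_WINDOW_MS
// of expiring, then assume the role again. Refreshing early avoids handing
// out credentials that expire while a request is still in flight.
function makeCachingProvider() {
  let cached = null;
  return (nowMs) => {
    const stillFresh = cached && nowMs < cached.expiration - REFRESH_WINDOW_MS;
    if (!stillFresh) {
      cached = assumeRoleWithWebIdentity(nowMs);
    }
    return cached;
  };
}

// Drive a provider through `requests` credential lookups spaced `stepMs`
// apart (starting at t=0) and return how many STS calls that caused.
function countStsCalls(provider, requests, stepMs = 50) {
  const before = stsCalls;
  for (let i = 0; i < requests; i += 1) {
    const creds = provider(i * stepMs);
    if (!creds.sessionToken) {
      throw new Error('provider returned credentials without a session token');
    }
  }
  return stsCalls - before;
}

// 124 lookups, the number of AssumeRoleWithWebIdentity events the report saw
// for one `npm i mocha`, spaced 50 ms apart.
console.log('naive   :', countStsCalls(makeNaiveProvider(), 124));   // 124
console.log('caching :', countStsCalls(makeCachingProvider(), 124)); // 1
// The same 124 lookups spread over ~62 minutes: one refresh near the
// 55-minute mark, so two STS calls in total.
console.log('caching, 30 s apart:',
  countStsCalls(makeCachingProvider(), 124, 30 * 1000)); // 2
```

Two practical notes. First, in a real (asynchronous) provider the refresh should be deduplicated by sharing the in-flight promise, otherwise a burst of concurrent requests arriving at expiry each triggers its own STS call. Second, the cache lives on the provider instance: code that constructs a fresh SDK client, and with it a fresh provider, for every storage operation gets no benefit from caching inside the provider, which is the first thing worth checking when reading the plugin's client construction.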

millerick commented 8 months ago

@juanpicado , any commentary from you on this? If you can point me to where the core verdaccio service invokes/instantiates/calls the configured storage plugin, then I would be happy to begin debugging and figuring out how to solve this.

juanpicado commented 8 months ago

> @juanpicado , any commentary from you on this? If you can point me to where the core verdaccio service invokes/instantiates/calls the configured storage plugin, then I would be happy to begin debugging and figuring out how to solve this.

Not yet because I haven't had time to read it carefully