aws-sdk-java-v2

WebIdentityTokenFileCredentialsProvider is not AutoCloseable, causing memory leak

Open BartXZX opened this issue 2 years ago • 1 comments

Describe the bug

The DefaultCredentialsProvider (AutoCloseable) contains a WebIdentityTokenFileCredentialsProvider (not AutoCloseable), which in turn creates its own StsWebIdentityCredentialsProvider (AutoCloseable).

This StsWebIdentityCredentialsProvider creates and closes its own STS client. When we create our own (default) clients, use them, and close them, the DefaultCredentialsProvider gets closed. The WebIdentityTokenFileCredentialsProvider, however, does not get closed, because it is not AutoCloseable, which in turn means that the STS client all the way down does not get closed.

This results in the IdleConnectionReaper hanging on to many ConnectionManagers, and memory usage increasing.

As a fix we are reusing the client that we were previously re-creating, which is better anyway. This issue is somewhat similar to a previous issue I filed earlier, except in that case it was Lazy<> that was not AutoCloseable: https://github.com/aws/aws-sdk-java-v2/issues/2149.

Expected Behavior

I expect WebIdentityTokenFileCredentialsProvider to close the resources it creates.

Current Behavior

Currently WebIdentityTokenFileCredentialsProvider is not closing the StsWebIdentityCredentialsProvider it creates.

Reproduction Steps

Using the client is necessary, because the DefaultCredentialsProvider only gets created when using it.

// Each iteration builds a new client with the default credentials provider, uses it, and closes it.
while (true) {
    try (StsClient sts = StsClient.builder().build()) {
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn("myRole")
                .roleSessionName("mysessionname")
                .build();
        sts.assumeRole(request);
    }
}

Possible Solution

Make WebIdentityTokenFileCredentialsProvider implement AutoCloseable, and close the StsWebIdentityCredentialsProvider.

Additional Information/Context

No response

AWS Java SDK version used

2.17.206

JDK version used

17

Operating System and version

openjdk 17 docker image

BartXZX avatar Jun 24 '22 13:06 BartXZX
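
The ownership chain from the report above, reduced to a stand-in model (an added example, not SDK code and not the reporter's code). All class names are hypothetical, and it assumes the top of the chain closes only those children that implement AutoCloseable, so a resource held behind a non-closeable middle link is never reached.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the close chain; hypothetical names, not SDK classes.
public class CloseChainDemo {
    static int open = 0; // leaf resources currently open (single-threaded demo)
    interface Provider {}

    // Leaf: stands in for the inner provider that owns an STS client.
    static class Leaf implements Provider, AutoCloseable {
        Leaf() { open++; }
        @Override public void close() { open--; }
    }

    // Middle link as reported: creates a Leaf but is not AutoCloseable.
    static class LeakyMiddle implements Provider {
        final Leaf leaf = new Leaf();
    }

    // Middle link as proposed: implements AutoCloseable and closes what it created.
    static class FixedMiddle implements Provider, AutoCloseable {
        final Leaf leaf = new Leaf();
        @Override public void close() { leaf.close(); }
    }

    // Top of the chain: closes only the children that are AutoCloseable.
    static class Chain implements AutoCloseable {
        final List<Provider> children = new ArrayList<>();
        Chain(Provider p) { children.add(p); }
        @Override public void close() throws Exception {
            for (Provider p : children) {
                if (p instanceof AutoCloseable) ((AutoCloseable) p).close();
            }
        }
    }

    // Builds and closes a fresh chain per iteration, like the reproduction loop.
    static int leakedAfter(int iterations, boolean fixed) throws Exception {
        open = 0;
        for (int i = 0; i < iterations; i++) {
            try (Chain c = new Chain(fixed ? new FixedMiddle() : new LeakyMiddle())) { }
        }
        return open;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky middle, still open: " + leakedAfter(1000, false));
        System.out.println("fixed middle, still open: " + leakedAfter(1000, true));
    }
}
```

Counting open leaf resources after a create/close loop, as this model does, is also a practical regression check for the reporter's workaround of building one client and reusing it.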

Thank you for reaching out @BartXZX, it's a reasonable request. We added to our backlog to make WebIdentityTokenFileCredentialsProvider implement AutoCloseable.

debora-ito avatar Jun 27 '22 22:06 debora-ito

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Sep 27 '22 00:09 github-actions[bot]

@BartXZX what was your workaround to solve it?

Can you confirm that the last version of aws-sdk-java-v2 solved the issue?

jonathaff avatar Nov 08 '22 19:11 jonathaff