Refresh token with WebIdentityTokenCredentialsProvider
Describe the Feature
Actually there is no way to refresh the AWS credentials when using the WebIdentityTokenCredentialsProvider. (Or maybe I didn't find it?)
Is your Feature Request related to a problem?
I use WebIdentityTokenCredentialsProvider to get IAM credentials when working with EKS.
Actually, I see in the tracing tool we use that AWSSecurityTokenService.AssumeRoleWithWebIdentity calls took more than 500ms on average, and we would like to reduce this with a background task which refreshes the token manually.
Proposed Solution
I don't know if it can solve the problem, but actually the refresh method in the WebIdentityTokenCredentialsProvider.class doesn't do anything. Maybe it can call this.credentialsProvider.refresh() instead?
Hi @bpuertolas
The Web Identity Token is provided by EKS in the file present in the path configured in the AWS_WEB_IDENTITY_TOKEN_FILE env variable; the SDK just uses the token to make the AssumeRole call. Any token refresh request must be made from the container side.
Let us know if this makes sense (or maybe I misunderstood the ask).
Hi @debora-ito
Thanks for your response but I think you misunderstood the ask. I will try to be more precise.
We have an application running on EKS which communicates with DynamoDB. Sometimes, we have long calls to STS to refresh the token in an endpoint which needs to answer fast to the client. It's happening in 1% of the traces. You can find here a screenshot of the problem:
We are looking for a solution to automatically refresh the token on the container side in such a way that it will never happen in a client request. First, I was thinking of calling the refresh() method of the CredentialProvider (the one used by dynamodb) periodically in a background task on my application. Unfortunately, it seems that the refresh method of the WebIdentityTokenCredentialsProvider class returns without doing anything:
public void refresh() {}
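The background-task idea from the comment above, sketched as an added example that is not part of the thread or of the AWS SDK: a hypothetical wrapper (the names BackgroundRefreshCredentialsProvider and pollSeconds are invented here) around any AWSCredentialsProvider, such as the WebIdentityTokenCredentialsProvider instance. It assumes the wrapped provider renews its session inside getCredentials() once the credentials near expiry, so pollSeconds must be shorter than that renewal margin.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical wrapper: serves cached credentials and renews them off the request path. */
public final class BackgroundRefreshCredentialsProvider implements AWSCredentialsProvider, AutoCloseable {
    private final AWSCredentialsProvider delegate;
    private final AtomicReference<AWSCredentials> cached = new AtomicReference<>();
    private final ScheduledExecutorService scheduler =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "aws-credentials-refresh");
            t.setDaemon(true); // the refresher must never keep the JVM alive
            return t;
        });

    public BackgroundRefreshCredentialsProvider(AWSCredentialsProvider delegate, long pollSeconds) {
        this.delegate = delegate;
        // Blocking first load at startup: fail fast if the role cannot be assumed.
        cached.set(delegate.getCredentials());
        scheduler.scheduleWithFixedDelay(this::reload, pollSeconds, pollSeconds, TimeUnit.SECONDS);
    }

    private void reload() {
        try {
            // Assumption: the delegate calls STS here only when its session is close to expiry.
            cached.set(delegate.getCredentials());
        } catch (RuntimeException e) {
            // Keep the previous credentials; an uncaught exception would cancel the schedule.
            // Log the failure type only, never credential or token material.
            System.err.println("credential refresh failed: " + e.getClass().getName());
        }
    }

    @Override
    public AWSCredentials getCredentials() {
        return cached.get(); // request threads never wait on the network
    }

    @Override
    public void refresh() {
        scheduler.execute(this::reload); // explicit refresh also stays off the caller's thread
    }

    @Override
    public void close() {
        scheduler.shutdownNow();
    }
}
```

If the background reload keeps failing, requests continue with the last cached credentials until they expire, so the failure log line should feed an alert.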