aws-sdk-js icon indicating copy to clipboard operation
aws-sdk-js copied to clipboard

Published 20 hours ago verified publisher icon aws

s3.upload still refreshes credentials on each call

Open jacknagel opened this issue 4 years ago • 7 comments

Describe the bug s3.upload refreshes credentials on each call, rather than re-using them until they expire. This continues to occur in the latest SDk version, despite the fix that was implemented for #3481.

Is the issue in the browser/Node.js? Node.js

If on Node.js, are you running this on AWS Lambda? No

Details of the browser/Node.js version v14.16.0 v16.13.0

SDK version number v2.893.0 v2.1034.0

To Reproduce (observed behavior) Using web identity credentials (i.e. EKS IRSA), with the following script:

const AWS = require('aws-sdk')
const { randomBytes } = require('crypto')

AWS.config.update({
  logger: console
})

const s3 = new AWS.S3({
  apiVersion: '2006-03-01',
  params: {
    Bucket: '<REDACTED>'
  }
});

(async function() {
  for (let i = 0; i < 3; i++) {
    const key = randomBytes(32).toString('hex')
    await s3.upload({ Key: key, Body: Buffer.from('test') }).promise()
  }
})()

The following output is observed, where credentials are refreshed on each call to s3.upload.

[AWS sts 200 0.498s 0 retries] assumeRoleWithWebIdentity({
  WebIdentityToken: '<REDACATED>',
  RoleArn: '<REDACTED>',
  RoleSessionName: 'token-file-web-identity'
})
[AWS s3 200 0.839s 0 retries] putObject({
  Body: <Buffer 74 65 73 74>,
  Bucket: '<REDACTED>',
  Key: 'acdeaef4a58eea73c1f067b9143353cb606f6bb6764ed56d9ea6d4402969a207'
})
[AWS sts 200 0.401s 0 retries] assumeRoleWithWebIdentity({
  WebIdentityToken: '<REDACATED>',
  RoleArn: '<REDACTED>',
  RoleSessionName: 'token-file-web-identity'
})
[AWS s3 200 0.696s 0 retries] putObject({
  Body: <Buffer 74 65 73 74>,
  Bucket: '<REDACTED>',
  Key: '216bc6d80834a7c86b86a8e2c7b78a2e87f7d15b2888eb93033f434136af329e'
})
[AWS sts 200 0.416s 0 retries] assumeRoleWithWebIdentity({
  WebIdentityToken: '<REDACATED>',
  RoleArn: '<REDACTED>',
  RoleSessionName: 'token-file-web-identity'
})
[AWS s3 200 0.718s 0 retries] putObject({
  Body: <Buffer 74 65 73 74>,
  Bucket: '<REDACTED>',
  Key: '1cf67111f7717a8f91518fa2b0667c5d93a3077272eb79268b08dd1527b47581'
})

Expected behavior Credentials are fetched on the first call to s3.upload and re-used on subsequent calls until they expire.

jacknagel avatar Apr 27 '21 15:04 jacknagel

I think the fix should be like this;

var config = AWS.util.copy(service.config || service._originalConfig || {});

in aws-sdk-js/lib/s3/managed_upload.js file line 287.

hakan-bilgin avatar Nov 17 '21 12:11 hakan-bilgin

And I think it is fixed after the release 2.883.0 I don't have the problem anymore.

hakan-bilgin avatar Nov 17 '21 13:11 hakan-bilgin

Hi @jacknagel, thanks for reaching out. Can you update the SDK to the latest version @3.41.0 and confirm again if you still experience the same problem?

vudh1 avatar Nov 17 '21 18:11 vudh1

@vudh1 This is a legacy application that is using the v2 SDK and we can't justify the cost of migrating to the v3 SDK at this time.

jacknagel avatar Nov 17 '21 18:11 jacknagel

@jacknagel I'm sorry, my mistake. I mean the latest version for v2

vudh1 avatar Nov 17 '21 18:11 vudh1

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

github-actions[bot] avatar Nov 23 '21 00:11 github-actions[bot]

@vudh1 Yes, I can still reproduce the issue with the latest v2.1034.0.

jacknagel avatar Nov 23 '21 02:11 jacknagel

Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.

github-actions[bot] avatar Feb 23 '23 00:02 github-actions[bot]