Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RefreshingAWSCredentials using global lock + slow AssumeRoleWithWebIdentityCredentials #2464

Closed
denis-nikolayev-warby opened this issue Oct 28, 2022 · 3 comments
Closed

RefreshingAWSCredentials using global lock + slow AssumeRoleWithWebIdentityCredentials #2464

denis-nikolayev-warby opened this issue Oct 28, 2022 · 3 comments
Labels
bug This issue is a bug. credentials p2 This is a standard priority issue queued

Comments

@denis-nikolayev-warby
Copy link

Describe the bug

Encountered interesting issue with GetCredentialsAsync() + "slow" AssumeRoleWithWebIdentityCredentials + tight timeout on calls to our app.

https://github.com/aws/aws-sdk-net/blob/master/sdk/src/Core/Amazon.Runtime/Credentials/RefreshingAWSCredentials.cs#L146
image

  1. it acquires global lock
  2. check if token is expired
  3. makes a slow network call to CredentialsFromAssumeRoleWithWebIdentityAuthenticationAsync
  4. release lock

Unfortunately don't have statistics from aws .net sdk, but have from aws nodejs sdk. Assume this slow call is about the same
image

we tried to implement simple wrapper
image

that works pretty well, because number of timeout errors goes down after deploying this fix (24th)
image

Expected Behavior

background refreshing token

Current Behavior

global lock

Reproduction Steps

do not apply

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.Core 3.7.8.2

Targeted .NET Platform

.NET 6.0

Operating System and version

aws eks, docker, Debian 11, mcr.microsoft.com/dotnet/aspnet:6.0
@denis-nikolayev-warby denis-nikolayev-warby added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 28, 2022
@ik130 ik130 added p1 This is a high priority issue queued and removed needs-triage This issue or PR still needs to be triaged. labels Oct 28, 2022
@ashishdhingra ashishdhingra added p2 This is a standard priority issue and removed p1 This is a high priority issue labels May 19, 2023
@wmundev
Copy link

wmundev commented Oct 21, 2023

can confirm we are having the same issue, using AWS EKS with AssumeRoleWithWebIdentity as recommended in this docs - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

i observe latency every 5 - 15 minutes or so when for example trying to make a dynamodb call and the token is expired and AssumeRoleWithWebIdentity is called to the regional aws sts endpoint with a average latency of around 100ms - 200ms

@dscpinheiro dscpinheiro mentioned this issue Nov 4, 2024
Merged
10 tasks
@dscpinheiro
Copy link
Contributor

We just released preview 5 of V4 and it includes a PR with a fix for this issue: #3541

Please let us know if you still see any problems.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 3, 2025

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. credentials p2 This is a standard priority issue queued
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dscpinheiro @wmundev @ik130 @ashishdhingra @denis-nikolayev-warby