Ability to customize stsClient in `StsWebIdentityCredentialsProvider`

[marcinczeczko]

At the moment if using client for any AWS service with WebIdentityTokenFileCredentialsProvider as credentials provider it forces to use sync HTTP client. Additionally, STS client instead always assumes region based on the DefaultAwsRegionProviderChain without the ability to override it via the code. In majority cases it's fine as it can be controlled at some extent via system properties or env variables. However, the use case I have

• Using e.g. DynamoDB Async client with WebIdentityTokenFileCredentialsProvider as credentials provider
• It forces me to add any sync HTTP client (URL connection or Apache HTTP client) on the classpath, as the StsWebIdentityCredentialsProviderFactory uses sync client only.
• Additionally, if my code uses Dynamodb client has configured that client to use specific region via the code, I need to repeat the same via sysprops or env vars for sts client.
• For local testing I can't define STS endpoint override as there is no way to customize/configure sts client used by credentials provider.

Describe the Feature

Ability to specify STS client built in my code or STS client builder in the WebIdentityTokenFileCredentialsProvider.Builder

Is your Feature Request related to a problem?

Explained at the top

Proposed Solution

• The best would be to extend the WebIdentityTokenFileCredentialsProvider.Builder to accept stsClient built somewhere else or stsClient builder instead, so I can build either sync or async client.

Describe alternatives you've considered

N/A

Additional Context

I was implementing Quarkus extensions to support AWS SDK v2 client and the web identity token file credentials provider causes troubles to make it easily configurable. And since StsWebIdentityCredentialsProviderFactory is final with private methods it's hard to override it's logic to control how stsClient is being created.

• I may be able to implement this feature request

Your Environment

• AWS Java SDK version used: 2.13.27
• JDK version used: 1.8, 11, Graalvm 19.3.1
• Operating System and version: macOs Catalina

[debora-ito]

It's a reasonable ask, marking as a feature request.

[nhoughto]

It also prevents using a non-AWS STS endpoint, we are trying to override it for local testing (calling localstack) and the current approach makes that hard.

[hawkpatrick]

We have the same problem when using IAM RDS authentication. We use WebIdentityTokenFileCredentialsProvider to get the credentials but we now and then see problems when calling the STS API (connect timed out). This has a tremendous impact as our application is not able to communicate with the database anymore.

The AWS support says:

Regarding the timeout while using WebIdentityTokenFileCredentialsProvider.builder().build().resolveCredentials(), the API calls are retried by default. Each AWS SDK implements automatic retry logic. The AWS SDK for Java automatically retries requests, and you can configure the retry settings using the ClientConfiguration class.

Well, yes... I would like to that. My plan was to modify the timeout value, the number of retries and the wait time between retries but as TO says WebIdentityTokenFileCredentialsProvider does not provide a possibility to modify the configuration.

For now I'll have to copy-paste some classes of the SDK, modify them and see if that works :-(

[zeletrik]

As I see, there is an ongoing PR regarding this. Is there any further news about it?

[sp13ceg]

Just checking. Is there any update on this request ?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.