fix cache and threading concerns with STS Webidentity provider

sbiscigl · sbiscigl · commit 1e23124c3fe3 · 2025-09-23T14:14:53.000-04:00
diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/STSCredentialsProvider.h
@@ -42,6 +42,8 @@ namespace Aws
             void Reload() override;
 
         private:
+            bool ExpiresSoon() const;
+            void RefreshIfExpired();
             enum class STATE {
               INITIALIZED,
               SHUT_DOWN,
@@ -50,6 +52,7 @@ namespace Aws
             std::condition_variable m_refreshSignal;
             std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> m_credentialsProvider;
             std::chrono::milliseconds m_providerFuturesTimeoutMs;
+            AWSCredentials m_credentials;
         };
     } // namespace Auth
 } // namespace Aws
diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
@@ -14,6 +14,7 @@ using namespace Aws::Utils;
 
 namespace {
 const char* STS_LOG_TAG = "STSAssumeRoleWebIdentityCredentialsProvider";
+const int STS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 60 * 1000; // 5 Minutes.
 }
 
 STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(
@@ -76,9 +77,21 @@ STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentials
 STSAssumeRoleWebIdentityCredentialsProvider::~STSAssumeRoleWebIdentityCredentialsProvider()  = default;
 
 AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials() {
+  // A valid client means required information like role arn and token file were constructed correctly.
+  // We can use this provider to load creds, otherwise, we can just return empty creds.
+  if (m_state != STATE::INITIALIZED)
+  {
+    return Aws::Auth::AWSCredentials();
+  }
+  RefreshIfExpired();
+  Utils::Threading::ReaderLockGuard guard(m_reloadLock);
+  return m_credentials;
+}
+
+void STSAssumeRoleWebIdentityCredentialsProvider::Reload() {
   if (m_state != STATE::INITIALIZED) {
     AWS_LOGSTREAM_DEBUG(STS_LOG_TAG, "STSCredentialsProvider is not initialized, returning empty credentials");
-    return AWSCredentials{};
+    return;
   }
   AWSCredentials credentials{};
   auto refreshDone = false;
@@ -109,10 +122,25 @@ AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
   if (!credentials.IsEmpty()) {
     credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN);
   }
+  m_credentials = credentials;
+}
 
-  return credentials;
+bool STSAssumeRoleWebIdentityCredentialsProvider::ExpiresSoon() const {
+  return ((m_credentials.GetExpiration() - Aws::Utils::DateTime::Now()).count() < STS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD);
 }
 
-void STSAssumeRoleWebIdentityCredentialsProvider::Reload() {
-  AWS_LOGSTREAM_DEBUG(STS_LOG_TAG, "Calling reload on STSCredentialsProvider is a no-op and no longer in the call path");
+void STSAssumeRoleWebIdentityCredentialsProvider::RefreshIfExpired() {
+  Utils::Threading::ReaderLockGuard guard(m_reloadLock);
+  if (!m_credentials.IsEmpty() && !ExpiresSoon())
+  {
+    return;
+  }
+
+  guard.UpgradeToWriterLock();
+  if (!m_credentials.IsExpiredOrEmpty() && !ExpiresSoon()) // double-checked lock to avoid refreshing twice
+  {
+    return;
+  }
+
+  Reload();
 }
