Skip to content

Prevent memory leak when overriding credentials #4340

New issue
New issue
Open
Open
Prevent memory leak when overriding credentials#4340
@rcoh

Description

@rcoh
rcoh
opened on Oct 9, 2025

There is a fairly common practice of late-setting credentials in a config override. However, doing this naively will cause issues because each new credential you set is going through here:

smithy-rs/aws/rust-runtime/aws-credential-types/src/provider/credentials.rs

Lines 136 to 138 in 13c8bb3

pub fn new(provider: impl ProvideCredentials + 'static) -> Self {
Self(Arc::new(provider), IdentityCachePartition::new())
}

This allocates a new cache partition which will then be stored in the identity cache. Customer have to know this.

There are a couple of potential ways around this:

  1. When using config_override to set new credentials, don't persist these to the cache
  2. Add a new method like is_static or cacheable or directly IdentityCacheLocation to ProvideCredentials:

    smithy-rs/aws/rust-runtime/aws-credential-types/src/provider/credentials.rs

    Line 86 in 13c8bb3

    pub trait ProvideCredentials: Send + Sync + std::fmt::Debug {
    then use it in the implementation of IdentityResolver to properly set the "cache location":

    smithy-rs/aws/rust-runtime/aws-credential-types/src/provider/credentials.rs

    Lines 166 to 182 in 13c8bb3

    impl ResolveIdentity for SharedCredentialsProvider {
    fn resolve_identity<'a>(
    &'a self,
    _runtime_components: &'a RuntimeComponents,
    _config_bag: &'a ConfigBag,
    ) -> IdentityFuture<'a> {
    IdentityFuture::new(async move { Ok(self.provide_credentials().await?.into()) })
    }
    fn fallback_on_interrupt(&self) -> Option<Identity> {
    ProvideCredentials::fallback_on_interrupt(self).map(|creds| creds.into())
    }
    fn cache_partition(&self) -> Option<IdentityCachePartition> {
    Some(self.1)
    }
    }

Either of these cases prevents the accidental caching of these identities in the identity cache leading to a memory leak.

A final stopgap measure is probably adding a cap to the size of the IdentityCache implementation as-is — A normally functioning application should not have more than 5-10 credentials providers active at any given time.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions