Enable credentials caching with --profile flag (#1398)

Add a caching layer to the profile credentials provider, enabled by
`--profile` flag.

This change should provide a fix/mitigation for
#1358.

### Does this change impact existing behavior?

Yes, credentials will be cached for up to 15 minutes, when `--profile`
flag is used.

### Does this change need a changelog entry? Does it require a version
change?

Yes, added. Version `1.17.0` is the correct one for this change.

---

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and I agree to the terms of
the [Developer Certificate of Origin
(DCO)](https://developercertificate.org/).

---------

Signed-off-by: Vlad Volodkin <[email protected]>
Co-authored-by: Vlad Volodkin <[email protected]>

Author: vladem

mountpoint-s3-crt/src/auth/credentials.rs

@@ -4,8 +4,9 @@ use std::fmt::Debug;
 use std::ptr::NonNull;
 
 use mountpoint_s3_crt_sys::{
-    aws_credentials_provider, aws_credentials_provider_acquire, aws_credentials_provider_chain_default_options,
-    aws_credentials_provider_new_anonymous, aws_credentials_provider_new_chain_default,
+    aws_credentials_provider, aws_credentials_provider_acquire, aws_credentials_provider_cached_options,
+    aws_credentials_provider_chain_default_options, aws_credentials_provider_new_anonymous,
+    aws_credentials_provider_new_cached, aws_credentials_provider_new_chain_default,
     aws_credentials_provider_new_profile, aws_credentials_provider_new_static,
     aws_credentials_provider_profile_options, aws_credentials_provider_release,
     aws_credentials_provider_static_options,
@@ -105,14 +106,31 @@ impl CredentialsProvider {
 
         // SAFETY: aws_credentials_provider_new_profile makes a copy of bootstrap
         // and contents of profile_name_override.
+        // SAFETY: aws_credentials_provider_new_cached increments the reference counter of
+        // profile_provider.
         let inner = unsafe {
             let inner_options = aws_credentials_provider_profile_options {
                 bootstrap: options.bootstrap.inner.as_ptr(),
                 profile_name_override: options.profile_name_override.as_aws_byte_cursor(),
                 ..Default::default()
             };
 
-            aws_credentials_provider_new_profile(allocator.inner.as_ptr(), &inner_options).ok_or_last_error()?
+            let profile_provider =
+                aws_credentials_provider_new_profile(allocator.inner.as_ptr(), &inner_options).ok_or_last_error()?;
+
+            let inner_options = aws_credentials_provider_cached_options {
+                source: profile_provider.as_ptr(),
+                refresh_time_in_milliseconds: 900_000, // Same as `aws_credentials_provider_new_chain_default`, 15 minutes
+                ..Default::default()
+            };
+
+            let cached_provider =
+                aws_credentials_provider_new_cached(allocator.inner.as_ptr(), &inner_options).ok_or_last_error()?;
+
+            // transfer ownership
+            aws_credentials_provider_release(profile_provider.as_ptr());
+
+            cached_provider
         };
 
         Ok(Self { inner })

mountpoint-s3/CHANGELOG.md

@@ -1,6 +1,9 @@
 ## Unreleased
 
+### Other changes
+
 * Allow changing log level dynamically with `USR2` signal. See [Changing logging verbosity at runtime](https://github.com/awslabs/mountpoint-s3/blob/main/doc/LOGGING.md#changing-logging-verbosity-at-runtime) for more details. ([#1367](https://github.com/awslabs/mountpoint-s3/pull/1367))
+* Enable caching of credentials when `--profile` CLI argument is used. ([#1398](https://github.com/awslabs/mountpoint-s3/pull/1398))
 
 ## v1.16.2 (April 9, 2025)