How to preemptively refresh credentials (sts, eks pod, java)?

[kncesarini]

I'm using the java sdk v2. My spring boot app is running in EKS with a pod identity, so credentials are supplied automagically by sts with the Default credentials provider chain. The app reads and writes things to dynamodb- this is how the client is created.

DynamoDbClient.builder().region(Region.of(region)).build();

The issue I'm having is that these credentials don't seem to be refreshed proactively. When the app starts up after a reboot or deploy, the first request will be slower, since the app finds it has no credentials, fetches credentials from STS, then does the dynamodb request. If the app runs long enough for the credentials to expire, I assume this happens again, but haven't tested that specific scenario thoroughly.

What I want is for this refresh to happen automatically before any dynamodb requests are made. When the app starts, credentials should be fetched before the app is "ready". When credentials are about to expire, the app should refresh them before they do. Is there a way to accomplish this? I would hate to e.g. have to use an iam user just to work around this performance annoyance.

[debora-ito]

EKS with Pod Identity is part of the ContainerCredentialsProvider, and it has the ability to refresh credentials when they are about to expire. For additional assistance and make the credential refreshing to execute in the background, you can enable the asyncCredentialUpdateEnabled option:

        ContainerCredentialsProvider containerProvider = ContainerCredentialsProvider.builder()
                .asyncCredentialUpdateEnabled(Boolean.TRUE)
                .build();

This option is disabled by default, which means if you use the default credential provider chain this will be disabled. But you can set ContainerCredentialsProvider to be used explicitly in the client.