HADOOP-16568. S3A FullCredentialsTokenBinding fails if local credentials are unset.

Move the loading to deployUnbonded (where they are required) and add a safety check when a new DT is requested

Change-Id: I516368c2c4a558a2a86e8cf107f77f1e40338261

Author: steveloughran

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java

@@ -22,6 +22,8 @@
 import java.net.URI;
 import java.util.Optional;
 
+import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
 import org.apache.hadoop.fs.s3a.S3AUtils;
@@ -72,7 +74,6 @@ public FullCredentialsTokenBinding() {
   @Override
   protected void serviceStart() throws Exception {
     super.serviceStart();
-    loadAWSCredentials();
   }
 
   /**
@@ -115,6 +116,7 @@ private void loadAWSCredentials() throws IOException {
   @Override
   public AWSCredentialProviderList deployUnbonded() throws IOException {
     requireServiceStarted();
+    loadAWSCredentials();
     return new AWSCredentialProviderList(
         "Full Credentials Token Binding",
         new MarshalledCredentialProvider(
@@ -140,7 +142,8 @@ public AbstractS3ATokenIdentifier createTokenIdentifier(
       final Optional<RoleModel.Policy> policy,
       final EncryptionSecrets encryptionSecrets) throws IOException {
     requireServiceStarted();
-
+    Preconditions.checkNotNull(
+        awsCredentials, "No AWS credentials to use for a delegation token");
     return new FullCredentialsTokenIdentifier(getCanonicalUri(),
         getOwnerText(),
         awsCredentials,