Noisy warn log "(ProfileFileSupplier()) Retrieved value expiration is in the past [...]"

[tlopesPT]

Describe the bug

We've got an S3 integration uploading files to a bucket every 5 seconds, we use AWS IAM for authentication via the DefaultCredentialsProvider.

One of the authentication options is then using Credential profiles, which by default uses the fixedProfileFile ProfileFileSupplier, and this is fine.

However, if we use the ProfileFileSupplier.defaultSupplier() which I understand uses reloadWhenModified, we get a WARN log similar to WARN s.a.a.utils.cache.CachedSupplier -- (ProfileFileSupplier()) Retrieved value expiration is in the past (2025-01-27T18:16:25.592341Z). Using expiration of 2025-01-27T18:16:26.592584Z on every S3 PUT call.

My understanding is that the credentials file will only be reloaded if it has been modified, so the stale/expiration logic in this scenario is confusing, and I can't grasp the meaning/utility of this log, specially at warn level.

Other than that, both suppliers seem to work as expected, including reload, despite the open issue .

I used our S3 integration to test the different suppliers, but this is a bigger issue with our Kafka to MSK integration, which uses the reloadWhenModified by default and every kafka client is triggering this log often, see issue over at aws-msk-iam-auth

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Ideally we'd never see the log WARN s.a.a.utils.cache.CachedSupplier -- (ProfileFileSupplier()) Retrieved value expiration is in the past (2025-01-27T18:16:25.592341Z). Using expiration of 2025-01-27T18:16:26.592584Z

Current Behavior

Our logs are filled with the mentioned warn log, although the authentication flow appears to be working as expected and we have not identified an action to solve this warning.

Reproduction Steps

• Connect to a AWS service (e.g. S3) using AWS IAM ProfileCredentialsProvider with the profileFile ProfileFileSupplier.defaultSupplier()
• Fetch credentials / call S3, you should see the warn log, wait a couple seconds, repeat call, another warn log

Skipping how to setup the S3Client, sharing the test we did by swapping from fixed profile to reloadable:

AwsCredentialsProviderChain.builder() //
                .credentialsProviders( //
                        ProfileCredentialsProvider.builder()
                                .profileName(profileName)
                                .profileFile(ProfileFileSupplier.defaultSupplier())
                                .build()) //
                .build();

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

aws-sdkv2:2.30.6 on the S3 integration, aws-msk-iam-auth:2.2.0 on the Kafka to MSK integration

JDK version used

openjdk 11.0.22 2024-01-16 LTS OpenJDK Runtime Environment Zulu11.70+15-CA (build 11.0.22+7-LTS) OpenJDK 64-Bit Server VM Zulu11.70+15-CA (build 11.0.22+7-LTS, mixed mode)

Operating System and version

MacOS 14.5 and reproduced on EC2 with amazon linux 2

[bhoradc]

Hello @tlopesPT,

Thank you for reporting the issue. We have a backlog item specifically for this issue to fix the behavior and address the warning log. I will bring this report to the team's notice as well. Having said that, I cannot guarantee any timeline for this bug to be fixed.

Regards,
Chaitanya