Client builder seems to always load com.amazonaws.auth.DefaultAWSCredentialsProviderChain which is expensive

[ocind]

For AmazonDynamoDBClientBuilder the recommended way to initialize the client is
AmazonDynamoDBClientBuilder.standard().withCredentials(...).build()

As I read in various other issues (such as #1774), DefaultAWSCredentialsProviderChain is expensive to create and should be avoided. However, there is no way not to load DefaultAWSCredentialsProviderChain while using the AmazonDynamoDBClientBuilder.

There was AmazonDynamoDBClient(AWSCredentialsProvider awsCredentialsProvider) however it has already been deprecated. https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-dynamodb/src/main/java/com/amazonaws/services/dynamodbv2/AmazonDynamoDBClient.java#L283

Is there a way to initialize AmazonDynamoDBClient without loading DefaultAWSCredentialsProviderChain to minimize cold start time?

I noticed that the SDK team does not consider new improvements for V1 anymore and focusing on V2 SDK development instead. We really wanted to move to v2 sdk however the lack of DynamoDb high level client in v2 really hinders us from doing so. It has been 2 years since V2 SDK is considered GA without a high level client. Hopefully it could be completed soon!

[debora-ito]

Hi @ocind, the DefaultAWSCredentialsProviderChain is more expensive because it will search for credentials in the whole credential provider chain. To avoid this search you can explicitly provide the credentials to the client builder using .withCredentials(). The linked docs have examples of how to specify a credential provider, or even specify the access_key_id and secret_access_key directly.

Regarding the DynamoDB high level library for V2, the team is actively working on it. There are several PRs being worked on (look for the ones that mention DynamoDB enhanced preview), you can track the development status (aws/aws-sdk-java-v2#35) and you can read an overview of the refactored library here: https://github.com/aws/aws-sdk-java-v2/blob/master/services-custom/dynamodb-enhanced/README.md

Participation is welcome, we'll be glad to hear your feedback on any stage of its development.

[ocind]

hi @debora-ito thank you for the response!

The way we are supposed to use AmazonDynamoDBClientBuilder is by calling AmazonDynamoDBClientBuilder.standard().withCredentials().build(), am I right?

I was wondering when we do AmazonDynamoDBClientBuilder.standard().build(), do you know whether DefaultAWSCredentialsProviderChain is loaded when .standard() is called or when .build() is called? I was having a hard time to debug which is really the case.

I was suspecting that .standard() basically loads all the default parameters first (which includes loading the DefaultAWSCredentialsProviderChain), and thus DefaultAWSCredentialsProviderChain is loaded when .standard() is called and we cannot fully avoid initializing DefaultAWSCredentialsProviderChain when building the client using AmazonDynamoDBClientBuilder

I noticed that in AmazonS3ClientBuilder this is actually the case, as can be seen on https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/AmazonS3ClientBuilder.java#L46

The .standard() method actually still loads DefaultAWSCredentialsProviderChain anyway by initializing S3CredentialsProviderChain here.

So the best thing that I can do here is actually not to specify any kind of .withCredentials() method while using the builder since anyway the builder already loads DefaultAWSCredentialsProviderChain at first.

I saw some github issues' response such as #1774 (comment) in which it seems to be recommended to specify a credentials providers to improve cold start performance. As mentioned above, I think this is actually not the case (at least for AmazonS3ClientBuilder) and such recommendation (using .withCredentials()) actually will make cold start even worse since now extra works needs to be done to again load some credentials. I think such recommendation needs some clarification.

Can you help me to clarify if it is the case?

I think the best solution for this problem is to replicate the functionality of LazyAwsCredentialsProvider which has been merged recently into V2 SDK here

If this can be done for DefaultAWSCredentialsProviderChain as well it would solve this problem, and as far as I see this change should not break any backward compatibility.

There are several PRs being worked on (look for the ones that mention DynamoDB enhanced preview).

Yes, I have been following the development closely as well :)
But for now we are still sticking with V1 until the Dynamo high level client stabilizes in V2, and hence I would like to improve our cold start performance as much as possible while using V1

[ocind]

Ah apparently this is very similar to this issue reported in V2: aws/aws-sdk-java-v2#749 for which this commit is fixing

[ocind]

hi @debora-ito I noticed that this issue does not happen with AmazonDynamoDBClientBuilder but only with AmazonS3ClientBuilder as seen here

Do you have any suggestion on how to load AmazonS3Client without loading S3CredentialsProviderChain()? 🙏

[debora-ito]

@ocind I'm sorry for the long silence, this issue slipped through the cracks. A lot has changed since 2020! We talked about DynamoDB Enhanced client and it is now generally available.

Unfortunately we don't have plans to change the AmazonS3Client code in v1 as the team is focused in working in v2 features. We know that migrating to SDK v2 is not an easy task, but SDK v2 has some features that will help improve startup time when using Lambda, like the option to use a lighter HTTP Client like UrlConnection. More info: https://aws.amazon.com/blogs/developer/tuning-the-aws-java-sdk-2-x-to-reduce-startup-time/

I'll go ahead and mark to this auto-close soon. Let me know if you have any more questions.