Raise exceptions in resolveCredentials instead of creation for StsWebIdentityTokenFileCredentialsProvider (#6553)

alextwoods · web-flow · commit eef206335c7c · 2025-11-07T20:54:58.000Z
diff --git a/.changes/next-release/bugfix-AWSSTS-e3e9e7c.json b/.changes/next-release/bugfix-AWSSTS-e3e9e7c.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "AWS STS",
+    "contributor": "",
+    "description": "Raise exceptions in resolveCredentials instead of creation for StsWebIdentityTokenFileCredentialsProvider"
+}
diff --git a/services/sts/src/main/java/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenFileCredentialsProvider.java b/services/sts/src/main/java/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenFileCredentialsProvider.java
@@ -62,7 +62,7 @@ public final class StsWebIdentityTokenFileCredentialsProvider
 
     private final AwsCredentialsProvider credentialsProvider;
     private final RuntimeException loadException;
-    private final Supplier<AssumeRoleWithWebIdentityRequest> assumeRoleWithWebIdentityRequest;
+    private Supplier<AssumeRoleWithWebIdentityRequest> assumeRoleWithWebIdentityRequest;
 
     private final Path webIdentityTokenFile;
     private final String roleArn;
@@ -71,35 +71,36 @@ public final class StsWebIdentityTokenFileCredentialsProvider
 
     private StsWebIdentityTokenFileCredentialsProvider(Builder builder) {
         super(builder, "sts-assume-role-with-web-identity-credentials-provider");
-        Path webIdentityTokenFile =
-            builder.webIdentityTokenFile != null ? builder.webIdentityTokenFile
-                                                 : Paths.get(trim(SdkSystemSetting.AWS_WEB_IDENTITY_TOKEN_FILE
-                                                                      .getStringValueOrThrow()));
-
-        String roleArn = builder.roleArn != null ? builder.roleArn
-                                                 : trim(SdkSystemSetting.AWS_ROLE_ARN.getStringValueOrThrow());
-
-        String sessionName = builder.roleSessionName != null ? builder.roleSessionName :
-                             SdkSystemSetting.AWS_ROLE_SESSION_NAME.getStringValue()
-                                                                   .orElse("aws-sdk-java-" + System.currentTimeMillis());
-
-        WebIdentityTokenCredentialProperties credentialProperties =
-            WebIdentityTokenCredentialProperties.builder()
-                                                .roleArn(roleArn)
-                                                .roleSessionName(builder.roleSessionName)
-                                                .webIdentityTokenFile(webIdentityTokenFile)
-                                                .build();
-
-        this.assumeRoleWithWebIdentityRequest = builder.assumeRoleWithWebIdentityRequestSupplier != null
-                                                ? builder.assumeRoleWithWebIdentityRequestSupplier
-                                                : () -> AssumeRoleWithWebIdentityRequest.builder()
-                                                                                        .roleArn(credentialProperties.roleArn())
-                                                                                        .roleSessionName(sessionName)
-                                                                                        .build();
-
         AwsCredentialsProvider credentialsProviderLocal = null;
         RuntimeException loadExceptionLocal = null;
         try {
+            Path webIdentityTokenFile =
+                builder.webIdentityTokenFile != null ? builder.webIdentityTokenFile
+                                                     : Paths.get(trim(SdkSystemSetting.AWS_WEB_IDENTITY_TOKEN_FILE
+                                                                          .getStringValueOrThrow()));
+
+            String roleArn = builder.roleArn != null ? builder.roleArn
+                                                     : trim(SdkSystemSetting.AWS_ROLE_ARN.getStringValueOrThrow());
+
+            String sessionName = builder.roleSessionName != null ? builder.roleSessionName :
+                                 SdkSystemSetting.AWS_ROLE_SESSION_NAME.getStringValue()
+                                                                       .orElse("aws-sdk-java-" + System.currentTimeMillis());
+
+            WebIdentityTokenCredentialProperties credentialProperties =
+                WebIdentityTokenCredentialProperties.builder()
+                                                    .roleArn(roleArn)
+                                                    .roleSessionName(builder.roleSessionName)
+                                                    .webIdentityTokenFile(webIdentityTokenFile)
+                                                    .build();
+
+            this.assumeRoleWithWebIdentityRequest =
+                builder.assumeRoleWithWebIdentityRequestSupplier != null
+                ? builder.assumeRoleWithWebIdentityRequestSupplier
+                : () -> AssumeRoleWithWebIdentityRequest.builder()
+                                                        .roleArn(credentialProperties.roleArn())
+                                                        .roleSessionName(sessionName)
+                                                        .build();
+
             AssumeRoleWithWebIdentityRequestSupplier supplier =
                 AssumeRoleWithWebIdentityRequestSupplier.builder()
                                                         .assumeRoleWithWebIdentityRequest(assumeRoleWithWebIdentityRequest.get())
@@ -148,7 +149,9 @@ public AwsCredentials resolveCredentials() {
 
     @Override
     protected AwsSessionCredentials getUpdatedCredentials(StsClient stsClient) {
-        AssumeRoleWithWebIdentityRequest request = assumeRoleWithWebIdentityRequest.get();
+        AssumeRoleWithWebIdentityRequest request =
+            assumeRoleWithWebIdentityRequest != null ? assumeRoleWithWebIdentityRequest.get() : null;
+
         notNull(request, "AssumeRoleWithWebIdentityRequest can't be null");
         AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = stsClient.assumeRoleWithWebIdentity(request);
         return fromStsCredentials(assumeRoleWithWebIdentityResponse.credentials(),
diff --git a/services/sts/src/test/java/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenCredentialProviderTest.java b/services/sts/src/test/java/software/amazon/awssdk/services/sts/auth/StsWebIdentityTokenCredentialProviderTest.java
@@ -97,4 +97,18 @@ void createAssumeRoleWithWebIdentityTokenCredentialsProviderStsClientBuilder() {
         provider.resolveCredentials();
         Mockito.verify(stsClient, Mockito.times(1)).assumeRoleWithWebIdentity(Mockito.any(AssumeRoleWithWebIdentityRequest.class));
     }
+
+    @Test
+    void createAssumeRoleWithWebIdentityTokenCredentialsProvider_raisesInResolveCredentials() {
+        ENVIRONMENT_VARIABLE_HELPER.remove(SdkSystemSetting.AWS_WEB_IDENTITY_TOKEN_FILE.environmentVariable());
+
+        StsWebIdentityTokenFileCredentialsProvider provider =
+            StsWebIdentityTokenFileCredentialsProvider.builder().stsClient(stsClient)
+                                                      .refreshRequest(r -> r.build())
+                                                      .roleArn("someRole")
+                                                      .roleSessionName("tempRoleSession")
+                                                      .build();
+        // exception should be raised lazily when resolving credentials, not at creation time.
+        Assert.assertThrows(IllegalStateException.class, provider::resolveCredentials);
+    }
 }
