Skip to content

fix: cache S3Presigner as singleton to prevent IRSA credential refresh failure#1856

Open
achdmbp wants to merge 1 commit into
eclipse-openvsx:mainfrom
achdmbp:fix/s3-presigner-lifecycle
Open

fix: cache S3Presigner as singleton to prevent IRSA credential refresh failure#1856
achdmbp wants to merge 1 commit into
eclipse-openvsx:mainfrom
achdmbp:fix/s3-presigner-lifecycle

Conversation

@achdmbp
Copy link
Copy Markdown
Contributor

@achdmbp achdmbp commented May 20, 2026

Fixes #1855

The S3Presigner was created and closed on every getLocation() call via try-with-resources. Closing the presigner destroys the HTTP connection pool that DefaultCredentialsProvider needs to refresh IRSA credentials via STS. After ~63 minutes when credentials expire, all presign operations fail with 500 errors.

This change caches the S3Presigner as a singleton field, matching the existing pattern used for S3Client. The presigner stays open for the application's lifetime, allowing credential refresh to work indefinitely.

Changes

  • Cache S3Presigner as a singleton field (lazy initialization)
  • Remove try-with-resources in getLocation() since presigner is now long-lived
  • Add unit tests verifying singleton caching behavior

Testing

  • Unit tests pass (AwsStorageServiceTest)
  • Deployed on OpenShift (ROSA) with IRSA and S3 storage (no CDN)
  • Pod ran for 3+ hours with continuous successful presigned URL generation
  • Well past the previous 63-minute failure point where credentials would fail to refresh

@achdmbp
fix: cache S3Presigner as singleton to prevent credential refresh fai…
60135ec 
…lure

The S3Presigner was created fresh on every getLocation() call and
immediately closed via try-with-resources. Closing the presigner shuts
down the underlying HTTP connection pool used by DefaultCredentialsProvider
for STS token refresh. After ~63 minutes when IRSA credentials expire,
the next presign attempt fails because the connection pool is dead.

Fix: Cache the S3Presigner as a singleton field (same pattern as S3Client).
The presigner stays open for the lifetime of the application, allowing
DefaultCredentialsProvider to refresh IRSA tokens via its internal HTTP
client without interruption.

Fixes: eclipse-openvsx#1855
Signed-off-by: Adnan Al <98621989+achdmbp@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

S3Presigner credential refresh fails after ~60 minutes when using IRSA

1 participant

@achdmbp