Memory leak related to DeferredRefreshableCredentials #3366

Open
1 task
Veetaha opened this issue Feb 2, 2025 · 0 comments
Labels
bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged.

Veetaha commented Feb 2, 2025

Describe the bug

When you configure AssumeRole credentials programmatically via DeferredRefreshableCredentials, the process leaks some memory in the specific code shown in the reproduction steps.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

There should be no memory leaks.

Current Behavior

Memory is leaked and not cleaned up until the Session object is unreferenced.

Reproduction Steps

Paste this Python code into a file and replace {YOUR_ACCOUNT_ID} with your AWS account ID and {ROLE_NAME} with the name of the role to assume.

Note that in my real-world case this account ID is dynamic, as my script traverses all AWS accounts in an organization (see additional context at the bottom for details).

```python
from botocore.session import Session
import botocore.session
import botocore.credentials

# STS client used by the refresher to call AssumeRole
sts = Session().create_client("sts")

params = {
    "RoleArn": "arn:aws:iam::{YOUR_ACCOUNT_ID}:role/{ROLE_NAME}",
}
refresher = botocore.credentials.create_assume_role_refresher(sts, params)

# Keep every session referenced so its memory is never released
sessions = []

for i in range(50):
    print(i)

    # Credentials that call the refresher lazily, on first use
    creds = botocore.credentials.DeferredRefreshableCredentials(
        method="assume-role",
        refresh_using=refresher,
    )

    # New session per iteration, with the credentials set via the private field
    sess = Session()
    sess._credentials = creds

    sess.create_client("ec2").describe_regions()
    sessions.append(sess)
```

Run this script and you'll find that the memory usage grows rapidly. Once the script accumulates ~30 sessions, the used-up memory is half a gig.

Demo (with sound 😄):

botocore-mem-leak-demo.mp4

Possible Solution

No response

Additional Information/Context

I'm using botocore to write a script that lists all accounts in an organization, and then traverses all accounts and their regions to discover all resources present in them. For this, the script uses DeferredRefreshableCredentials to configure AssumeRole credentials dynamically for every discovered account. I haven't found any documentation on how DeferredRefreshableCredentials must be used. There is no official way to configure the credentials provider other than by setting it directly in the Session's _credentials field. It looks like the official way of doing that via Session.set_credentials requires static credentials, which sucks, so I have to resort to the method described in this issue.

Maybe there is a better way to configure an AssumeRole credential provider dynamically in-memory? I'm quite inexperienced with Python and Botocore, but doing such a thing in the Rust AWS SDK is embarrassingly easy, and I'm surprised it's such a problem in botocore.

SDK version used

1.36.3

Environment details (OS name and version, etc.)

22.04.5 LTS (Jammy Jellyfish)

@Veetaha Veetaha added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Feb 2, 2025