
NIFI-15535 - Fixed AWS Connection Pool Shutdown on EKS with STS Credential Refresh #11020

Open

pvillard31 wants to merge 1 commit into apache:main from pvillard31:NIFI-15535-b

Conversation

@pvillard31
Contributor

Summary

NIFI-15535 - Fixed AWS Connection Pool Shutdown on EKS with STS Credential Refresh

Fixed java.lang.IllegalStateException: Connection pool shut down affecting AWS processors (SQS, S3, etc.) on EKS with pod-level identity. The issue occurs when STS temporary credentials expire and the internal HTTP connection pool used for credential refresh has been garbage collected by the JVM Finalizer thread.

The AWSCredentialsProviderControllerService cached a single AwsCredentialsProvider instance created during @OnEnabled. On EKS, this resolves to a DefaultCredentialsProvider whose internal chain creates an StsClient with its own ApacheHttpClient and PoolingHttpClientConnectionManager. The JVM's Finalizer thread can shut down these internal connection pools (confirmed in logs by [Finalizer] Connection manager is shutting down entries). While cached STS credentials remain valid (~1h), requests succeed. Once credentials expire, the STS refresh call fails because its HTTP pool was already shut down.

This is a documented AWS SDK V2 behavior: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/troubleshooting.html#faq-connection-pool-shutdown-exception

The prior fix for NIFI-12836 (commit 02cbe199260) changed DefaultCredentialsProvider.create() to .builder().build() to avoid the singleton, but the provider was still cached as a single shared instance in the controller service, leaving it vulnerable to GC finalization of internal SDK objects.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull request contains commits signed with a registered key indicating Verified status

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using ./mvnw clean install -P contrib-check
    • JDK 21
    • JDK 25

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files
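As an added illustration, not the change in this PR (the diff is not shown on this page) and not NiFi's own code, this is one way to apply the AWS SDK guidance linked above inside a NiFi controller service: the HTTP client and StsClient used for credential refresh are owned by the service, so nothing the Finalizer can reach holds the pool. It assumes an IRSA-style setup where the pod carries AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_REGION; the StsWebIdentityTokenFileCredentialsProvider builder methods are taken from the SDK v2 sts module.

```java
import java.nio.file.Paths;

import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;

// Hypothetical service (not part of NiFi): the connection pool used for STS refresh
// is a field of the service, not an object inside the default chain that only the
// garbage collector keeps alive.
public class OwnedStsCredentialsService extends AbstractControllerService {

    private SdkHttpClient httpClient;
    private StsClient stsClient;
    private AwsCredentialsProvider credentialsProvider;

    @OnEnabled
    public void onEnabled(final ConfigurationContext context) {
        // Strong references for the service's whole lifetime: the pool outlives
        // the ~1h credential validity and is still open when the refresh runs.
        httpClient = ApacheHttpClient.builder().build();
        stsClient = StsClient.builder()
                .region(Region.of(System.getenv("AWS_REGION")))
                .httpClient(httpClient)   // caller-owned client: the SDK will not close it
                .build();
        credentialsProvider = StsWebIdentityTokenFileCredentialsProvider.builder()
                .stsClient(stsClient)
                .roleArn(System.getenv("AWS_ROLE_ARN"))
                .roleSessionName("nifi")
                .webIdentityTokenFile(Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")))
                .build();
    }

    public AwsCredentialsProvider getCredentialsProvider() {
        return credentialsProvider;
    }

    @OnDisabled
    public void onDisabled() {
        // The pool is shut down here, in the service lifecycle, never by a finalizer.
        if (stsClient != null) stsClient.close();
        if (httpClient != null) httpClient.close();
    }
}
```

A "[Finalizer] Connection manager is shutting down" log line while the service is enabled would indicate that some client is still being created outside this owned lifecycle.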

@pvillard31 pvillard31 requested a review from turcsanyip March 18, 2026 15:38
@pvillard31 pvillard31 added the bug label Mar 18, 2026
…ntial Refresh

Co-authored-by: Lou Vasquez <lou.vasquez@noaa.gov>
@turcsanyip
Contributor

Thanks @pvillard31 for the PR. The fix looks fine on a cursory review. Will check it in more detail and run some tests before merging.
