[12.x] Memoize credentials in SqsConnector #59867
Merged
taylorotwell merged 1 commit on Apr 26, 2026
When a queue config sets `credentials.provider = ecs` (or `instance`), SqsConnector::resolveCredentialProvider returned a raw EcsCredentialProvider or InstanceProfileProvider. The AWS SDK's ClientResolver short-circuits any callable passed as `credentials` (no automatic memoize wrap), and the signer middleware invokes the provider on every signed request — so every SQS API call triggered a fresh HTTP fetch to the EKS Pod Identity Agent / EC2 metadata endpoint.

Wrap the resolved provider in CredentialProvider::memoize so credentials are cached in-process for the lifetime of the worker, with the SDK's standard 60-second pre-expiry refresh window. This matches what the SDK's own defaultProvider() does and stops queue workers from saturating the Pod Identity Agent's rate limiter under steady-state polling.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jonagoldman pushed a commit to deplox/laravel-framework that referenced this pull request on Apr 30, 2026
timacdonald added a commit to timacdonald/framework that referenced this pull request on May 14, 2026
taylorotwell added a commit that referenced this pull request on May 14, 2026
* [13.x] Cloud queue metrics (#60074)
* Cloud queue metrics
* Reset static state before running tests
* Add binding test
* formatting
---------
Co-authored-by: Taylor Otwell <taylor@laravel.com>
* Support `after_commit` for queue metrics (#60078)
* Use config for queue suffix and prefix (#60094)
* Improve queue metric tests
* Back port #58341
* Back port #59310
* Back port #59370
* Lint
* Remove restart and pause functionality
* Remove unsupported tests
* Remove unsupported test
* Remove unsupported test
* Ensure queue is chopped correctly
* Ensure to configure managed queues
* Back port #59754
* Back port #59867
* Fix issue using custom aws credential providers
Includes the fix from #60000 — allows non-string credential providers (e.g. callables from CredentialProvider::ini()) to be passed through to the AWS SDK instead of being treated as invalid.
---------
Co-authored-by: Taylor Otwell <taylor@laravel.com>
Co-authored-by: Kieran Brown <kswb96@gmail.com>
Summary
Backport of #59866 to 12.x.
`SqsConnector.php` is identical between 12.x and 13.x, so this is a straight cherry-pick.

When a queue config sets `credentials.provider = ecs` (or `instance`) — as Laravel Cloud does for managed queue workers via `Illuminate\Foundation\Cloud::configureManagedQueues()` — `SqsConnector::resolveCredentialProvider()` returned a raw `Aws\Credentials\EcsCredentialProvider` / `Aws\Credentials\InstanceProfileProvider` instance.

The AWS SDK's `Aws\ClientResolver::_apply_credentials()` short-circuits any callable passed as `credentials` (the SDK only auto-wraps in `memoize()` for its own internal `defaultProvider()` path), and the signer middleware (`Aws\Middleware::signer`) invokes the credentials provider on every signed request. Combined with the fact that `EcsCredentialProvider` / `InstanceProfileProvider` issue a fresh HTTP GET to the EKS Pod Identity Agent / EC2 metadata endpoint on every `__invoke()`, the result is that every single SQS API call triggers an HTTP fetch to the credentials endpoint, saturating the agent's built-in rate limiter under steady-state load.

What this PR does
Wraps the resolved provider in `Aws\Credentials\CredentialProvider::memoize()` so credentials are cached in-process for the lifetime of the worker, with the SDK's standard 60-second pre-expiry refresh window. This matches what the SDK's own `CredentialProvider::defaultProvider()` does for the auto-discovered chain (which also wraps `ecsCredentials()` in `memoize()`).

Benefit to end users
`instance` (EC2 IMDS) branch.

Backwards compatibility
`resolveCredentialProvider()` remains `callable|null`.
`CredentialProvider::memoize()` is part of the AWS SDK's public, documented API.
`static` per `Closure` instance). No cross-worker state.

Test plan
`tests/Queue/` suite passes locally (177 tests, 480 assertions).
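
The behaviour described in this pull request, as an added example that is not code from the PR or from Laravel: a counting provider stands in for `EcsCredentialProvider` / `InstanceProfileProvider`, and the script compares how often it is invoked raw versus wrapped in `CredentialProvider::memoize()`, including a case where the returned credentials are already expired. It assumes `aws/aws-sdk-php` is installed via Composer; `countingProvider()`, `simulateSignedRequests()` and all credential values are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration; not code from the pull request or the Laravel framework.
// Assumes aws/aws-sdk-php is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use GuzzleHttp\Promise\Create;

/**
 * Hypothetical stand-in for EcsCredentialProvider / InstanceProfileProvider:
 * each invocation counts as one HTTP GET to the credentials endpoint.
 */
function countingProvider(int &$fetches, int $ttlSeconds): callable
{
    return function () use (&$fetches, $ttlSeconds) {
        $fetches++;
        // Constructed sample values, not real credentials.
        return Create::promiseFor(new Credentials(
            'EXAMPLE_KEY_ID',
            'example-secret',
            'example-session-token',
            time() + $ttlSeconds
        ));
    };
}

/** Resolve credentials once per request, as the signer does per signed call. */
function simulateSignedRequests(callable $provider, int $requests): void
{
    for ($i = 0; $i < $requests; $i++) {
        $provider()->wait();
    }
}

$rawFetches = 0;
simulateSignedRequests(countingProvider($rawFetches, 3600), 20);

$memoFetches = 0;
simulateSignedRequests(CredentialProvider::memoize(countingProvider($memoFetches, 3600)), 20);

// Credentials that are already expired when returned must not be served from cache.
$expiredFetches = 0;
simulateSignedRequests(CredentialProvider::memoize(countingProvider($expiredFetches, -1)), 1);

printf("raw provider: %d endpoint fetches for 20 requests\n", $rawFetches);
printf("memoized provider: %d endpoint fetches for 20 requests\n", $memoFetches);
printf("memoized, expired result: %d endpoint fetches for 1 request\n", $expiredFetches);
```

The memoized closure holds its cache in per-closure static state, so each worker process keeps its own copy and credentials are still re-fetched once they expire.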