rohangoli

What changes were proposed in this pull request?

sequenceDiagram
  participant Polaris as Polaris (caller)
  participant SDK as AWS SDK (StsClient)
  participant Interceptor as StsResponseCaptureInterceptor
  participant Holder as StsResponseCapture (ThreadLocal)
  participant Parser as StsXmlParser
  participant Integration as AwsCredentialsStorageIntegration

  Polaris->>SDK: assumeRole(...)
  SDK->>Interceptor: afterTransmission(context)
  Interceptor->>Holder: setLastBody(rawHttpBody)
  SDK->>SDK: unmarshal to AssumeRoleResponse
  SDK-->>Polaris: AssumeRoleResponse (credentials==null)
  Polaris->>Integration: handle response
  Integration->>Holder: getLastBody()
  alt raw body present
    Integration->>Parser: parseToAccessConfig(rawBody)
    Parser-->>Integration: AccessConfig (keys + expiresAt)
    Integration->>Integration: merge into AccessConfig.Builder
  else no raw body
    Integration->>Integration: failover (error path)
  end
  Integration->>Holder: clear()  %% recommended

Why are the changes needed?

  • On a Create Table REST API request with a non-standard STS XML response, we receive an UnprocessableEntityException as the response

Request

POST https://192.168.0.0:4443/sts?Action=AssumeRole&RoleSessionName=temp&RoleArn=urn:ecs:iam::s3:role/s3assumeRole&DurationSeconds=7200
Accept: */*
X-SDS-AUTH-TOKEN: <AUTH_TOKEN>

Response

HTTP/1.1 200 OK
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AssumeRoleResponse xmlns:ns2="none">
  <ResponseMetadata>
    <RequestId>0af7b369:171a31ad5b8:12e3a:b</RequestId>
  </ResponseMetadata>
  <AssumeRoleResult>
    <AssumedRoleUser>
      <Arn>urn:ecs:sts::s3:assumed-role/s3assumeRole/temp</Arn>
      <AssumedRoleId>AROA48AEC87ADCFF133F:temp</AssumedRoleId>
    </AssumedRoleUser>
    <Credentials>
      <AccessKeyId>ASIA48DB3A69C19CFE56</AccessKeyId>
      <Expiration>2020-04-23T19:45:46Z</Expiration>
      <SecretAccessKey>wDvqneW8lyJbu0VRAMU8xQHPKH1hIsYfTyozlVg5znM</SecretAccessKey>
      <SessionToken>CgJzMxIFdXNlcjEaFE0EyQ . . . mi5SBHRlbXBo2sSH9QU</SessionToken>
    </Credentials>
  </AssumeRoleResult>
</ns2:AssumeRoleResponse>

curl --location 'http://localhost:8181/api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables' -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -H 'Polaris-Realm: POLARIS' --data '{
  "name": "minio_polaris_ns_table01",
  "schema": {                       
    "type": "struct",
    "fields": [
      {
        "id": 0,
        "name": "id",
        "type": "string",
        "required": true,
        "doc": "car model"
      },
      {
        "id": 1,
        "name": "first_name",
        "type": "string",
        "required": true,
        "doc": "first name"
      }
    ]
  }
}' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   691  100   310  100   381    275    338  0:00:01  0:00:01 --:--:--   614
{
  "error": {
    "message": "Failed to get subscoped credentials: Cannot invoke \"software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()\" because the return value of \"software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()\" is null",
    "type": "UnprocessableEntityException",
    "code": 422
  }
}

Polaris debug logs:

polaris-1        | 2025-10-14 22:13:14,756 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) key=StorageCredentialCacheKey{realmId=POLARIS, catalogId=0, storageConfigSerializedStr={"@type":"AwsStorageConfigurationInfo","allowedLocations":["s3://polaris"],"roleARN":"urn:ecs:iam::otf_dev:role/assumeSameAccountOTF","region":"us-east-1","endpoint":"https://ecmh2.td.teradata.com","pathStyleAccess":true,"stsEndpoint":"https://ecs1.td.teradata.com:4443/sts","ignoreSSLVerification":true,"storageType":"S3","fileIoImplClassName":"org.apache.iceberg.aws.s3.S3FileIO"}, allowedListAction=true, allowedReadLocations=[s3://polaris/minio_polaris_ns/minio_polaris_ns_table01], allowedWriteLocations=[s3://polaris/minio_polaris_ns/minio_polaris_ns_table01]} subscopedCredsCache
polaris-1        | 2025-10-14 22:13:14,760 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) StorageCredentialCache::load
polaris-1        | 2025-10-14 22:13:14,762 DEBUG [org.apa.pol.ser.con.DefaultConfigurationStore] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Get configuration value for STORAGE_CREDENTIAL_DURATION_SECONDS with realm POLARIS
polaris-1        | 2025-10-14 22:13:14,818 WARN  [org.apa.pol.ser.con.ServiceProducers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Creating HTTP client with SSL certificate verification disabled. Use only in development!
polaris-1        | 2025-10-14 22:13:15,229 DEBUG [org.apa.htt.cli.pro.RequestAddCookies] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) CookieSpec selected: default
polaris-1        | 2025-10-14 22:13:15,233 DEBUG [org.apa.htt.cli.pro.RequestAuthCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Auth cache not set in the context
polaris-1        | 2025-10-14 22:13:15,234 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection request: [route: {s}->https://ecs1.td.teradata.com:4443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 50]
polaris-1        | 2025-10-14 22:13:15,241 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection leased: [id: 0][route: {s}->https://ecs1.td.teradata.com:4443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 50]
polaris-1        | 2025-10-14 22:13:15,243 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Opening connection {s}->https://ecs1.td.teradata.com:4443
polaris-1        | 2025-10-14 22:13:15,247 DEBUG [org.apa.htt.imp.con.DefaultHttpClientConnectionOperator] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connecting to ecs1.td.teradata.com/10.25.122.141:4443
polaris-1        | 2025-10-14 22:13:15,247 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connecting socket to ecs1.td.teradata.com/10.25.122.141:4443 with timeout 2000
polaris-1        | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Enabled protocols: [TLSv1.3, TLSv1.2]
polaris-1        | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
polaris-1        | 2025-10-14 22:13:15,285 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Starting handshake
polaris-1        | 2025-10-14 22:13:15,387 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Secure session established
polaris-1        | 2025-10-14 22:13:15,388 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1)  negotiated protocol: TLSv1.3
polaris-1        | 2025-10-14 22:13:15,389 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1)  negotiated cipher suite: TLS_AES_256_GCM_SHA384
polaris-1        | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1)  peer principal: [email protected], OU=PIE, O=Teradata, STREET=17905 Via Del Campo, ST=California, L=SanDiego, C=US, CN=ecmh2.onpremlab.teradata.com
polaris-1        | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1)  peer alternative names: [ecmh2.td.teradata.com, ecs500.td.teradata.com, ecs1.td.teradata.com, ecs2.td.teradata.com, ecs3.td.teradata.com, ecs4.td.teradata.com, ecs5.td.teradata.com, ecs6.td.teradata.com, ecs7.td.teradata.com, ecs8.td.teradata.com, ecs9.td.teradata.com, ecs10.td.teradata.com, 10.25.122.141, 10.25.122.142, 10.25.122.143, 10.25.122.144, 10.25.122.145, 10.25.122.146, 10.25.122.147, 10.25.122.148, 10.25.122.149, 10.25.122.150]
polaris-1        | 2025-10-14 22:13:15,392 DEBUG [org.apa.htt.con.ssl.SSLConnectionSocketFactory] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1)  issuer principal: [email protected], OU=PIE, O=Teradata, STREET=17905 Via Del Campo, ST=California, L=SanDiego, C=US, CN=ecmh2.onpremlab.teradata.com
polaris-1        | 2025-10-14 22:13:15,393 DEBUG [org.apa.htt.imp.con.DefaultHttpClientConnectionOperator] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection established 172.18.0.4:44384<->10.25.122.141:4443
polaris-1        | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.con.DefaultManagedHttpClientConnection] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0: set socket timeout to 30000
polaris-1        | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Executing request POST /sts HTTP/1.1
polaris-1        | 2025-10-14 22:13:15,394 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Proxy auth state: UNCHALLENGED
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> POST /sts HTTP/1.1
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Host: ecs1.td.teradata.com:4443
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> amz-sdk-invocation-id: 07cbfcd4-ecb9-b6fe-cd84-1cdf6baf0a54
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> amz-sdk-request: attempt=1; max=4
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Authorization: AWS4-HMAC-SHA256 Credential=AKIA914B58000A66FBBE/20251014/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=7b9ea31d6faace691231843b6b83d8c4d39f585af65b24f44ae491d5be34ff2d
polaris-1        | 2025-10-14 22:13:15,396 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded; charset=utf-8
polaris-1        | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> User-Agent: aws-sdk-java/2.35.5 md/io#sync md/http#Apache ua/2.1 api/STS#2.35.x os/Linux#5.15.0-141-generic lang/java#21.0.8 md/OpenJDK_64-Bit_Server_VM#21.0.8+9-LTS md/vendor#Red_Hat__Inc. m/D,g
polaris-1        | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> x-amz-content-sha256: b3215ee719d45cafa29092fd81651900acf29f5ac998e8b4228c7dcecc58d2e0
polaris-1        | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> X-Amz-Date: 20251014T221315Z
polaris-1        | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Content-Length: 976
polaris-1        | 2025-10-14 22:13:15,397 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> Connection: Keep-Alive
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "POST /sts HTTP/1.1[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Host: ecs1.td.teradata.com:4443[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "amz-sdk-invocation-id: 07cbfcd4-ecb9-b6fe-cd84-1cdf6baf0a54[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "amz-sdk-request: attempt=1; max=4[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Authorization: AWS4-HMAC-SHA256 Credential=AKIA914B58000A66FBBE/20251014/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=7b9ea31d6faace691231843b6b83d8c4d39f585af65b24f44ae491d5be34ff2d[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,398 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded; charset=utf-8[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "User-Agent: aws-sdk-java/2.35.5 md/io#sync md/http#Apache ua/2.1 api/STS#2.35.x os/Linux#5.15.0-141-generic lang/java#21.0.8 md/OpenJDK_64-Bit_Server_VM#21.0.8+9-LTS md/vendor#Red_Hat__Inc. m/D,g[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "x-amz-content-sha256: b3215ee719d45cafa29092fd81651900acf29f5ac998e8b4228c7dcecc58d2e0[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "X-Amz-Date: 20251014T221315Z[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Content-Length: 976[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,399 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,400 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,400 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 >> "Action=AssumeRole&Version=2011-06-15&RoleArn=urn%3Aecs%3Aiam%3A%3Aotf_dev%3Arole%2FassumeSameAccountOTF&RoleSessionName=PolarisAwsCredentialsStorageIntegration&Policy=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3APutObject%22%2C%22s3%3ADeleteObject%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%2F*%22%7D%2C%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3AListBucket%22%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%22%2C%22Condition%22%3A%7B%22StringLike%22%3A%7B%22s3%3Aprefix%22%3A%22minio_polaris_ns%2Fminio_polaris_ns_table01%2F*%22%7D%7D%7D%2C%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3AGetBucketLocation%22%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%22%7D%2C%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3AGetObject%22%2C%22s3%3AGetObjectVersion%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3Apolaris%2F*%22%7D%5D%7D&DurationSeconds=3600"
polaris-1        | 2025-10-14 22:13:15,424 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "HTTP/1.1 200 OK[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Date: Tue, 14 Oct 2025 22:15:06 GMT[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Content-Type: application/xml[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Content-Length: 1751[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "Connection: keep-alive[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,425 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "[\r][\n]"
polaris-1        | 2025-10-14 22:13:15,426 DEBUG [org.apa.htt.wire] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:AssumeRoleResponse xmlns:ns2="none"><ResponseMetadata><RequestId>0a00078d:196f956a4f3:4bdae:0-none</RequestId></ResponseMetadata><AssumeRoleResult><AssumedRoleUser><Arn>urn:ecs:sts::otf_dev:assumed-role/assumeSameAccountOTF/PolarisAwsCredentialsStorageIntegration</Arn><AssumedRoleId>AROAE95F8953C905D8A1:PolarisAwsCredentialsStorageIntegration</AssumedRoleId></AssumedRoleUser><Credentials><AccessKeyId>ASIA97044C20D38F7E26</AccessKeyId><Expiration>2025-10-14T23:15:06Z</Expiration><SecretAccessKey>dQAWYId_iRNZzenu0jRQ-jM1uVgIHNzOZYK8aLACmDs</SecretAccessKey><SessionToken>CgdvdGZfZGV2EghvdGZfdXNlchoUQVJPQTVCRkFCMUFBMzdGRUQwREUiLnVybjplY3M6aWFtOjpvdGZfZGV2OnJvbGUvYXNzdW1lU2FtZUFjY291bnRPVEYqFEFTSUE5NzA0NEMyMEQzOEY3RTI2MlBNYXN0ZXJLZXlSZWNvcmQtM2RhNGUyZTZjMjBjYjM4NjQ1ZWUyZWI5ZDVlMWM1MTgyYmEwYWI0NzViMTA4OGFhOTQwZjMyMmUwMjVhM2NkNTiGjIaonjNC6gN7IlZlcnNpb24iOiIyMDEyLTEwLTE3IiwiU3RhdGVtZW50IjpbeyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6WyJzMzpQdXRPYmplY3QiLCJzMzpEZWxldGVPYmplY3QiXSwiUmVzb3VyY2UiOiJhcm46YXdzOnMzOjo6cG9sYXJpcy8qIn0seyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6InMzOkxpc3RCdWNrZXQiLCJSZXNvdXJjZSI6ImFybjphd3M6czM6Ojpwb2xhcmlzIiwiQ29uZGl0aW9uIjp7IlN0cmluZ0xpa2UiOnsiczM6cHJlZml4IjoibWluaW9fcG9sYXJpc19ucy9taW5pb19wb2xhcmlzX25zX3RhYmxlMDEvKiJ9fX0seyJFZmZlY3QiOiJBbGxvdyIsIkFjdGlvbiI6InMzOkdldEJ1Y2tldExvY2F0aW9uIiwiUmVzb3VyY2UiOiJhcm46YXdzOnMzOjo6cG9sYXJpcyJ9LHsiRWZmZWN0IjoiQWxsb3ciLCJBY3Rpb24iOlsiczM6R2V0T2JqZWN0IiwiczM6R2V0T2JqZWN0VmVyc2lvbiJdLCJSZXNvdXJjZSI6ImFybjphd3M6czM6Ojpwb2xhcmlzLyoifV19UidQb2xhcmlzQXdzQ3JlZGVudGlhbHNTdG9yYWdlSW50ZWdyYXRpb25o6pa7xwaKAQhJQU1fVVNFUg</SessionToken></Credentials><PackedPolicySize>1243</PackedPolicySize></AssumeRoleResult></ns2:AssumeRoleResponse>"
polaris-1        | 2025-10-14 22:13:15,427 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << HTTP/1.1 200 OK
polaris-1        | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Date: Tue, 14 Oct 2025 22:15:06 GMT
polaris-1        | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Content-Type: application/xml
polaris-1        | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Content-Length: 1751
polaris-1        | 2025-10-14 22:13:15,428 DEBUG [org.apa.htt.headers] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0 << Connection: keep-alive
polaris-1        | 2025-10-14 22:13:15,431 DEBUG [org.apa.htt.imp.exe.MainClientExec] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection can be kept alive for 60000 MILLISECONDS
polaris-1        | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection [id: 0][route: {s}->https://ecs1.td.teradata.com:4443] can be kept alive for 60.0 seconds
polaris-1        | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.DefaultManagedHttpClientConnection] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) http-outgoing-0: set socket timeout to 0
polaris-1        | 2025-10-14 22:13:15,494 DEBUG [org.apa.htt.imp.con.PoolingHttpClientConnectionManager] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Connection released: [id: 0][route: {s}->https://ecs1.td.teradata.com:4443][total available: 1; route allocated: 1 of 50; total allocated: 1 of 50]
polaris-1        | 2025-10-14 22:13:15,500 DEBUG [org.apa.pol.cor.sto.cac.StorageCredentialCache] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) errorMessage=Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null Failed to get subscoped credentials
polaris-1        | 2025-10-14 22:13:15,500 DEBUG [org.apa.pol.ser.cat.ice.IcebergCatalogAdapter] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) RuntimeException while operating on catalog. Propagating to caller.: org.apache.iceberg.exceptions.UnprocessableEntityException: Failed to get subscoped credentials: Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null
polaris-1        |      at org.apache.polaris.core.storage.cache.StorageCredentialCache.lambda$getOrGenerateSubScopeCreds$2(StorageCredentialCache.java:151)
polaris-1        |      at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$0(BoundedLocalCache.java:2690)
polaris-1        |      at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1916)
polaris-1        |      at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2688)
polaris-1        |      at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2670)
polaris-1        |      at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:112)
polaris-1        |      at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:63)
polaris-1        |      at org.apache.polaris.core.storage.cache.StorageCredentialCache.getOrGenerateSubScopeCreds(StorageCredentialCache.java:153)
polaris-1        |      at org.apache.polaris.core.storage.cache.ServiceProducers_ProducerMethod_storageCredentialCache_hzAWPa00ffa2II6zBfUMmDXk9AQ_ClientProxy.getOrGenerateSubScopeCreds(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.io.FileIOUtil.refreshAccessConfig(FileIOUtil.java:109)
polaris-1        |      at org.apache.polaris.service.catalog.io.DefaultFileIOFactory.lambda$loadFileIO$0(DefaultFileIOFactory.java:102)
polaris-1        |      at java.base/java.util.Optional.map(Optional.java:260)
polaris-1        |      at org.apache.polaris.service.catalog.io.DefaultFileIOFactory.loadFileIO(DefaultFileIOFactory.java:100)
polaris-1        |      at org.apache.polaris.service.catalog.io.DefaultFileIOFactory_ClientProxy.loadFileIO(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog.loadFileIOForTableLike(IcebergCatalog.java:2040)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.doCommit(IcebergCatalog.java:1431)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalog$BasePolarisTableOperations.commit(IcebergCatalog.java:1324)
polaris-1        |      at org.apache.iceberg.BaseMetastoreCatalog$BaseMetastoreCatalogTableBuilder.create(BaseMetastoreCatalog.java:201)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogHandler.createTableDirect(IcebergCatalogHandler.java:463)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.lambda$createTable$6(IcebergCatalogAdapter.java:394)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.withCatalog(IcebergCatalogAdapter.java:209)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter.createTable(IcebergCatalogAdapter.java:378)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable$$superforward(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator_Gj_WCptqTcdHu-fbZfgVkAwPXCI_Delegate_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergRestCatalogEventServiceDelegator.createTable(IcebergRestCatalogEventServiceDelegator.java:217)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.iceberg.IcebergCatalogAdapter_ClientProxy.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi.createTable(IcebergRestCatalogApi.java:193)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable$$superforward(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass$$function$$3.apply(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$8(FaultToleranceInterceptor.java:364)
polaris-1        |      at io.smallrye.faulttolerance.core.Future.from(Future.java:85)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.lambda$syncFlow$9(FaultToleranceInterceptor.java:364)
polaris-1        |      at io.smallrye.faulttolerance.core.FaultToleranceContext.call(FaultToleranceContext.java:20)
polaris-1        |      at io.smallrye.faulttolerance.core.Invocation.apply(Invocation.java:29)
polaris-1        |      at io.smallrye.faulttolerance.core.metrics.MetricsCollector.apply(MetricsCollector.java:98)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.syncFlow(FaultToleranceInterceptor.java:367)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor.intercept(FaultToleranceInterceptor.java:205)
polaris-1        |      at io.smallrye.faulttolerance.FaultToleranceInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor.timedMethod(MicrometerTimedInterceptor.java:79)
polaris-1        |      at io.quarkus.micrometer.runtime.MicrometerTimedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
polaris-1        |      at io.quarkus.security.runtime.interceptor.SecurityHandler.handle(SecurityHandler.java:27)
polaris-1        |      at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor.intercept(RolesAllowedInterceptor.java:29)
polaris-1        |      at io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:70)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor.intercept(StandardSecurityCheckInterceptor.java:44)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor_RolesAllowedInterceptor_Bean.intercept(Unknown Source)
polaris-1        |      at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
polaris-1        |      at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30)
polaris-1        |      at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi_Subclass.createTable(Unknown Source)
polaris-1        |      at org.apache.polaris.service.catalog.api.IcebergRestCatalogApi$quarkusrestinvoker$createTable_01f5a1bd6d7815fd3314a553161c943c8cd03101.invoke(Unknown Source)
polaris-1        |      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
polaris-1        |      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
polaris-1        |      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
polaris-1        |      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
polaris-1        |      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
polaris-1        |      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
polaris-1        |      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
polaris-1        |      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
polaris-1        |      at java.base/java.lang.Thread.run(Thread.java:1583)
polaris-1        | 
polaris-1        | 2025-10-14 22:13:15,529 INFO  [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Handling runtimeException Failed to get subscoped credentials: Cannot invoke "software.amazon.awssdk.services.sts.model.Credentials.accessKeyId()" because the return value of "software.amazon.awssdk.services.sts.model.AssumeRoleResponse.credentials()" is null
polaris-1        | 2025-10-14 22:13:15,540 DEBUG [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Full RuntimeException
polaris-1        | 2025-10-14 22:13:15,542 DEBUG [org.apa.pol.ser.exc.IcebergExceptionMapper] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) Mapped exception to errorResp: org.jboss.resteasy.reactive.common.jaxrs.ResponseImpl@6e6feecc
polaris-1        | 2025-10-14 22:13:15,544 INFO  [io.qua.htt.access-log] [38e7630b-c671-44d0-924b-0da67e15d907_0000000000000000006,POLARIS] [,,,] (executor-thread-1) 172.18.0.1 - root [14/Oct/2025:22:13:15 +0000] "POST /api/catalog/v1/quickstart_catalog/namespaces/minio_polaris_ns/tables HTTP/1.1" 422 310

Does this PR introduce any user-facing change?

  • NO

How was this patch tested?

  • Ran full gradle build and test
  • Tests added/updated:
    • StsResponseCaptureTest.java
      • Unit test for the thread-local set/get/clear behavior.
    • StsXmlParserTest.java
      • Tests parsing of a sample non‑standard namespaced STS XML (happy path) and a negative case (missing AccessKeyId).
    • StsResponseCaptureInterceptorTest.java
      • Verifies the interceptor reads httpResponse().content() via a dynamic proxy (simulates SDK context/response) and stores the raw body into the thread-local holder. Also tests the interceptor silently ignores null contexts.

CHANGELOG.md

@rohangoli rohangoli force-pushed the handle-non-stnd-sts-response branch from c628c4a to 1e027a6 Compare October 15, 2025 05:31
@dimas-b
Contributor

dimas-b commented Oct 15, 2025

Since this PR depends on #2805, it might be preferable to mark it as "draft" to clarify that it should not be merged by itself, but be rebased after #2805 is merged.

@rohangoli rohangoli marked this pull request as draft October 15, 2025 17:34
Member

@snazy snazy left a comment

@rohangoli can you elaborate why that credentials attribute is not present?
I don't see a fundamental difference between the documented ECS response and AWS response, besides that the XML namespacing in the ECS response looks different.

I'm concerned about the usage of ThreadLocal holding the last captured STS response. The assumption in getSubscopedCreds() in this PR is that the parsing happens within the same thread, but I'm not sure that this is a guaranteed behavior. StsResponseCapture exposes non-ECS credentials to any caller to any call site.
Maybe software.amazon.awssdk.core.interceptor.ExecutionInterceptor#modifyHttpResponseContent/modifyAsyncHttpResponseContent are better alternatives?
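
The thread-affinity concern in the review comment above, shown as an added example (not code from this PR or from Polaris): a hypothetical `LAST_BODY` holder stands in for `StsResponseCapture`, and a one-thread pool stands in for a reused request worker. All names and body strings are constructed for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalCaptureDemo {
  // Hypothetical stand-in for the PR's StsResponseCapture holder.
  static final ThreadLocal<String> LAST_BODY = new ThreadLocal<>();

  // Simulates the interceptor storing the raw STS body on the calling thread.
  static void capture(String rawBody) {
    LAST_BODY.set(rawBody);
  }

  // Reads the body and always clears it, so it cannot outlive the request.
  static String consumeAndClear() {
    try {
      return LAST_BODY.get();
    } finally {
      LAST_BODY.remove();
    }
  }

  public static void main(String[] args) throws Exception {
    ExecutorService pool = Executors.newFixedThreadPool(1); // one reused worker
    try {
      // Request A captures a body (constructed sample) and never clears it.
      pool.submit(() -> capture("<Credentials>constructed-A</Credentials>")).get();

      // Request B runs later on the same worker without any STS call of its own.
      String seenByB = pool.submit(() -> LAST_BODY.get()).get();
      System.out.println("B on reused worker sees: " + seenByB); // A's body

      // Hand-off: capture happens on the worker, the read on the main thread.
      pool.submit(() -> capture("<Credentials>constructed-C</Credentials>")).get();
      System.out.println("other thread sees: " + LAST_BODY.get()); // null

      // Mitigated: read and clear inside the request that captured the body.
      String own = pool.submit(() -> {
        capture("<Credentials>constructed-D</Credentials>");
        return consumeAndClear();
      }).get();
      String afterClear = pool.submit(() -> LAST_BODY.get()).get();
      System.out.println("D reads its own body: " + own);
      System.out.println("next request sees: " + afterClear); // null
    } finally {
      pool.shutdown();
    }
  }
}
```

The first two cases are the two failure modes: a stale credential body visible to an unrelated request on a reused thread, and a missing body when capture and parsing run on different threads.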
