[GEP-26] Fix Route53 client rate limiter key for Workload Identity credentials (#1629)

vpnachev · dimityrmirchev · web-flow · commit 943fe84c23cf · 2026-01-09T12:47:01.000+02:00
* Fix Route53 client rate limiter key for Workload Identity credentials

* Clarify why roleARN is used as rate limiter key

* Fix type

Co-authored-by: Dimitar Mirchev &lt;dimitar.mirchev@sap.com&gt;

---------

Co-authored-by: Dimitar Mirchev &lt;dimitar.mirchev@sap.com&gt;
diff --git a/pkg/aws/client/types_route53.go b/pkg/aws/client/types_route53.go
@@ -53,26 +53,39 @@ func (f *route53Factory) NewClient(authConfig AuthConfig) (Interface, error) {
 	if err != nil {
 		return nil, err
 	}
-	c.Route53RateLimiter = f.getRateLimiter(authConfig.AccessKey.ID)
+
+	var rateLimiterKey string
+	if authConfig.AccessKey != nil {
+		rateLimiterKey = authConfig.AccessKey.ID
+	} else {
+		// In practice single AWS Role (the same roleARN) can be assumed by multiple Workload Identities.
+		// A side effect of rate limiter using the roleARN as key is that all Workload Identities assuming the same
+		// RoleARN will be throttled at the same time.
+		// However, most probably on the server side(AWS STS) they would be throttled also on the roleARN
+		// as this is the identity authenticated with AWS.
+		rateLimiterKey = authConfig.WorkloadIdentity.RoleARN
+	}
+
+	c.Route53RateLimiter = f.getRateLimiter(rateLimiterKey)
 	c.Route53RateLimiterWaitTimeout = f.waitTimeout
 	return c, nil
 }
 
-func (f *route53Factory) getRateLimiter(accessKeyID string) *rate.Limiter {
+func (f *route53Factory) getRateLimiter(rateLimiterKey string) *rate.Limiter {
 	// cache.Expiring Get and Set methods are concurrency-safe
 	// However, if f rate limiter is not present in the cache, it may happen that multiple rate limiters are created
-	// at the same time for the same access key id, and the desired QPS is exceeded, so use f mutex to guard against this
+	// at the same time for the same rate limiter key, and the desired QPS is exceeded, so use f mutex to guard against this
 	f.rateLimitersMutex.Lock()
 	defer f.rateLimitersMutex.Unlock()
 
 	// Get f rate limiter from the cache, or create f new one if not present
 	var rateLimiter *rate.Limiter
-	if v, ok := f.rateLimiters.Get(accessKeyID); ok {
+	if v, ok := f.rateLimiters.Get(rateLimiterKey); ok {
 		rateLimiter = v.(*rate.Limiter)
 	} else {
 		rateLimiter = rate.NewLimiter(f.limit, f.burst)
 	}
 	// Set should be called on every Get with cache.Expiring to refresh the TTL
-	f.rateLimiters.Set(accessKeyID, rateLimiter, route53RateLimiterCacheTTL)
+	f.rateLimiters.Set(rateLimiterKey, rateLimiter, route53RateLimiterCacheTTL)
 	return rateLimiter
 }
