smithy-lang
diff --git a/‎aws/aws-credentials-imds/src/main/java/software/amazon/smithy/java/aws/credentials/imds/ImdsClient.java‎
Lines changed: 6 additions & 0 deletions b/‎aws/aws-credentials-imds/src/main/java/software/amazon/smithy/java/aws/credentials/imds/ImdsClient.java‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎aws/aws-credentials-imds/src/main/java/software/amazon/smithy/java/aws/credentials/imds/ImdsCredentialProvider.java‎
Lines changed: 0 additions & 13 deletions b/‎aws/aws-credentials-imds/src/main/java/software/amazon/smithy/java/aws/credentials/imds/ImdsCredentialProvider.java‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎aws/aws-credentials-sts/src/main/java/software/amazon/smithy/java/aws/credentials/sts/StsAssumeRoleResolver.java‎
Lines changed: 8 additions & 7 deletions b/‎aws/aws-credentials-sts/src/main/java/software/amazon/smithy/java/aws/credentials/sts/StsAssumeRoleResolver.java‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityCache.java‎
Lines changed: 90 additions & 12 deletions b/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityCache.java‎
Lines changed: 90 additions & 12 deletions
diff --git a/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProvider.java‎
Lines changed: 9 additions & 1 deletion b/‎aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityProvider.java‎
Lines changed: 9 additions & 1 deletion
@@ -16,6 +16,12 @@
 
 /**
  * Minimal IMDSv2 client. Handles token acquisition, caching, and retries with exponential backoff.
+ *
+ * <p>Intended for use behind {@link software.amazon.smithy.java.auth.api.identity.CachingIdentityResolver},
+ * which serializes refreshes so a given instance is never re-entered concurrently. All mutable state is
+ * {@code volatile} and the cached token/profile/path flags only ever advance monotonically, so sharing an
+ * instance across threads is still safe — concurrent callers will at worst issue redundant token or profile
+ * fetches, never return incorrect results.
  */
 final class ImdsClient {
 
 
@@ -23,7 +23,6 @@
 import software.amazon.smithy.java.aws.credentials.chain.CredentialFeatureId;
 import software.amazon.smithy.java.aws.credentials.chain.OrderingConstraint;
 import software.amazon.smithy.java.aws.credentials.chain.StandardProvider;
-import software.amazon.smithy.java.context.Context;
 import software.amazon.smithy.java.core.serde.document.Document;
 import software.amazon.smithy.java.json.JsonCodec;
 import software.amazon.smithy.java.logging.InternalLogger;
@@ -188,16 +187,4 @@ private static String getProfileProperty(AwsProfileFile profileFile, String key)
         AwsProfile profile = profileFile.profile(profileName);
         return profile != null ? profile.property(key) : null;
     }
-
-    /** Resolver returned when IMDS is disabled via configuration. */
-    private static final class DisabledResolver implements AwsCredentialsResolver {
-        private static final IdentityResult<AwsCredentialsIdentity> DISABLED = IdentityResult.ofError(
-                ImdsCredentialProvider.class,
-                "IMDS credential fetching is disabled");
-
-        @Override
-        public IdentityResult<AwsCredentialsIdentity> resolveIdentity(Context requestProperties) {
-            return DISABLED;
-        }
-    }
 }
@@ -5,6 +5,7 @@
 
 package software.amazon.smithy.java.aws.credentials.sts;
 
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -144,13 +145,13 @@ private IdentityResult<AwsCredentialsIdentity> callAssumeRole(
         var sourceResolver = createSourceResolver(sourceCredentials);
 
         try (DynamicClient client = StsClientFactory.create(sourceResolver, endpoint)) {
-            Map<String, Object> input = Map.of(
-                    "RoleArn",
-                    roleArn,
-                    "RoleSessionName",
-                    "smithy-java-" + System.currentTimeMillis(),
-                    "ExternalId",
-                    externalId);
+            // ExternalId is optional; Map.of rejects null values, so only include it when present.
+            Map<String, Object> input = new HashMap<>();
+            input.put("RoleArn", roleArn);
+            input.put("RoleSessionName", "smithy-java-" + System.currentTimeMillis());
+            if (externalId != null) {
+                input.put("ExternalId", externalId);
+            }
             return StsWebIdentityResolver.parseCredentials(client.call("AssumeRole", input));
         }
     }
 
@@ -5,7 +5,12 @@
 
 package software.amazon.smithy.java.aws.client.auth.scheme.s3express;
 
+import java.time.Clock;
+import java.time.Duration;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Function;
@@ -32,46 +37,90 @@
  * is O(N) but only runs on insert when the cache is full — eviction does not happen on the
  * read path.
  *
+ * <h3>Idle eviction</h3>
+ *
+ * <p>The S3 Express SEP requires that cached session credentials for buckets that are no longer
+ * accessed be reaped, to bound their lifetime. A periodic background sweep removes (and closes)
+ * any entry that has not been accessed by a request for longer than {@link #idleTimeoutMillis}
+ * (default 5 minutes). Closing an entry stops its {@link CachingIdentityResolver}'s background
+ * {@code CreateSession} refresh loop, so an unused bucket stops re-minting credentials.
+ *
  * <h3>Bounding</h3>
  *
- * <p>{@link #MAX_SIZE} is a small constant (25). The S3 Express SEP describes a recommended
- * upper bound of 100; v2's SDK uses 25 pending real-world data, and we follow that. Not
- * configurable today.
+ * <p>{@link #MAX_SIZE} is a small constant (100), the recommended upper bound from the S3 Express
+ * SEP. Not configurable today.
  */
 final class S3ExpressIdentityCache implements AutoCloseable {
 
-    private static final int MAX_SIZE = 25;
+    private static final int MAX_SIZE = 100;
+    private static final Duration DEFAULT_IDLE_TIMEOUT = Duration.ofMinutes(5);
 
     private final ConcurrentHashMap<S3ExpressIdentityKey, Entry> entries = new ConcurrentHashMap<>();
     private final ReentrantLock writeLock = new ReentrantLock();
     private final AtomicLong tick = new AtomicLong();
     private final Function<S3ExpressIdentityKey, CachingIdentityResolver<AwsCredentialsIdentity>> factory;
+    private final Clock clock;
+    private final long idleTimeoutMillis;
+    private final ScheduledFuture<?> sweepTask;
 
     S3ExpressIdentityCache(Function<S3ExpressIdentityKey, CachingIdentityResolver<AwsCredentialsIdentity>> factory) {
+        this(factory, null, DEFAULT_IDLE_TIMEOUT, Clock.systemUTC());
+    }
+
+    /**
+     * @param factory       builds the per-bucket resolver on cache miss.
+     * @param sweepExecutor executor for the periodic idle-eviction sweep, or {@code null} to disable
+     *                      the background sweep (callers may still invoke {@link #evictIdle()} directly).
+     * @param idleTimeout   how long an entry may go unaccessed before it is eligible for eviction.
+     * @param clock         clock used for idle tracking (injectable for tests).
+     */
+    S3ExpressIdentityCache(
+            Function<S3ExpressIdentityKey, CachingIdentityResolver<AwsCredentialsIdentity>> factory,
+            ScheduledExecutorService sweepExecutor,
+            Duration idleTimeout,
+            Clock clock
+    ) {
         this.factory = factory;
+        this.clock = clock;
+        this.idleTimeoutMillis = idleTimeout.toMillis();
+        if (sweepExecutor != null) {
+            long sweepMillis = idleTimeoutMillis;
+            this.sweepTask = sweepExecutor.scheduleWithFixedDelay(
+                    this::evictIdle,
+                    sweepMillis,
+                    sweepMillis,
+                    TimeUnit.MILLISECONDS);
+        } else {
+            this.sweepTask = null;
+        }
     }
 
     CachingIdentityResolver<AwsCredentialsIdentity> get(S3ExpressIdentityKey key) {
         Entry e = entries.get(key);
         if (e != null) {
-            e.lastAccess = tick.incrementAndGet();
+            touch(e);
             return e.resolver;
         }
         return getOrCreate(key);
     }
 
+    private void touch(Entry e) {
+        e.lastAccessTick = tick.incrementAndGet();
+        e.lastAccessMillis = clock.millis();
+    }
+
     private CachingIdentityResolver<AwsCredentialsIdentity> getOrCreate(S3ExpressIdentityKey key) {
         writeLock.lock();
         try {
             Entry e = entries.get(key);
             if (e != null) {
-                e.lastAccess = tick.incrementAndGet();
+                touch(e);
                 return e.resolver;
             }
             if (entries.size() >= MAX_SIZE) {
                 evictLeastRecentlyUsed();
             }
-            Entry created = new Entry(factory.apply(key), tick.incrementAndGet());
+            Entry created = new Entry(factory.apply(key), tick.incrementAndGet(), clock.millis());
             entries.put(key, created);
             return created.resolver;
         } finally {
@@ -83,7 +132,7 @@ private void evictLeastRecentlyUsed() {
         S3ExpressIdentityKey victim = null;
         long minTick = Long.MAX_VALUE;
         for (var entry : entries.entrySet()) {
-            long t = entry.getValue().lastAccess;
+            long t = entry.getValue().lastAccessTick;
             if (t < minTick) {
                 minTick = t;
                 victim = entry.getKey();
@@ -97,6 +146,27 @@ private void evictLeastRecentlyUsed() {
         }
     }
 
+    /**
+     * Evict (and close) every entry that has not been accessed within the idle timeout. Invoked
+     * periodically by the background sweep; also callable directly for testing.
+     */
+    void evictIdle() {
+        long now = clock.millis();
+        writeLock.lock();
+        try {
+            var it = entries.entrySet().iterator();
+            while (it.hasNext()) {
+                Entry entry = it.next().getValue();
+                if (now - entry.lastAccessMillis > idleTimeoutMillis) {
+                    it.remove();
+                    closeQuietly(entry.resolver);
+                }
+            }
+        } finally {
+            writeLock.unlock();
+        }
+    }
+
     void invalidateAll() {
         writeLock.lock();
         try {
@@ -110,6 +180,9 @@ void invalidateAll() {
 
     @Override
     public void close() {
+        if (sweepTask != null) {
+            sweepTask.cancel(false);
+        }
         writeLock.lock();
         try {
             for (var entry : entries.values()) {
@@ -133,12 +206,17 @@ private static final class Entry {
         final CachingIdentityResolver<AwsCredentialsIdentity> resolver;
 
         // Volatile so concurrent readers see updated values; races on simultaneous writes are
-        // benign (we only use this for approximate ordering of eviction).
-        volatile long lastAccess;
+        // benign (we only use these for approximate ordering of eviction).
+        //
+        // lastAccessTick is a strictly monotonic counter used to pick the LRU victim on overflow.
+        // lastAccessMillis is wall-clock time used to detect idle entries for proactive eviction.
+        volatile long lastAccessTick;
+        volatile long lastAccessMillis;
 
-        Entry(CachingIdentityResolver<AwsCredentialsIdentity> resolver, long lastAccess) {
+        Entry(CachingIdentityResolver<AwsCredentialsIdentity> resolver, long lastAccessTick, long lastAccessMillis) {
             this.resolver = resolver;
-            this.lastAccess = lastAccess;
+            this.lastAccessTick = lastAccessTick;
+            this.lastAccessMillis = lastAccessMillis;
         }
     }
 }
@@ -5,6 +5,8 @@
 
 package software.amazon.smithy.java.aws.client.auth.scheme.s3express;
 
+import java.time.Clock;
+import java.time.Duration;
 import java.util.Objects;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
@@ -35,6 +37,7 @@
  */
 final class S3ExpressIdentityProvider implements IdentityResolver<AwsCredentialsIdentity> {
 
+    private static final Duration IDLE_TIMEOUT = Duration.ofMinutes(5);
     private static final AtomicInteger THREAD_COUNTER = new AtomicInteger();
     private static final ScheduledExecutorService REFRESH_EXECUTOR = Executors.newSingleThreadScheduledExecutor(r -> {
         Thread t = new Thread(r, "smithy-s3express-session-refresh-" + THREAD_COUNTER.incrementAndGet());
@@ -57,7 +60,12 @@ final class S3ExpressIdentityProvider implements IdentityResolver<AwsCredentials
     ) {
         this.baseIdentityProvider = Objects.requireNonNull(baseIdentityProvider, "baseIdentityProvider");
         Objects.requireNonNull(createSession, "createSession");
-        this.cache = new S3ExpressIdentityCache(key -> buildPerBucketResolver(key, createSession));
+        // Reuse the shared refresh executor to also drive periodic idle-entry eviction.
+        this.cache = new S3ExpressIdentityCache(
+                key -> buildPerBucketResolver(key, createSession),
+                REFRESH_EXECUTOR,
+                IDLE_TIMEOUT,
+                Clock.systemUTC());
     }
 
     private CachingIdentityResolver<AwsCredentialsIdentity> buildPerBucketResolver(