boto3: Exceptions coming from boto3/botocore when running boto3.client('sts') too many times simultaneously

import boto3, threading
for i in range(50):
    threading.Thread(target=lambda: boto3.client('sts')).start()

And you get, tested on my Windows 10 machine (boto3 version 1.5.31, botocore version 1.8.45) and also on an Amazon Linux EC2, a bunch of exceptions like this:

Exception in thread Thread-20:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Python35-32\lib\threading.py", line 914, in _bootstrap_inner
    self.run()
  File "C:\Program Files (x86)\Python35-32\lib\threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "<stdin>", line 2, in <lambda>
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\boto3\__init__.py", line 83, in client
    return _get_default_session().client(*args, **kwargs)
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\boto3\session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 850, in create_client
    credentials = self.get_credentials()
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 474, in get_credentials
    'credential_provider').load_credentials()
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 926, in get_component
    del self._deferred[name]
KeyError: 'credential_provider'

or:

Exception in thread Thread-24:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Python35-32\lib\threading.py", line 914, in _bootstrap_inner
    self.run()
  File "C:\Program Files (x86)\Python35-32\lib\threading.py", line 862, in run
    self._target(*self._args, **self._kwargs)
  File "<stdin>", line 2, in <lambda>
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\boto3\__init__.py", line 83, in client
    return _get_default_session().client(*args, **kwargs)
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\boto3\session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 851, in create_client
    endpoint_resolver = self.get_component('endpoint_resolver')
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 726, in get_component
    return self._components.get_component(name)
  File "C:\Users\alexander.monk\AppData\Roaming\Python\Python35\site-packages\botocore\session.py", line 926, in get_component
    del self._deferred[name]
KeyError: 'endpoint_resolver'

Normally seems to be several credential_provider ones followed by several endpoint_resolver ones. The chance of getting these exceptions seems to increase with the number of threads.

About this issue

  • Original URL
  • State: open
  • Created 6 years ago
  • Reactions: 16
  • Comments: 18 (6 by maintainers)

Commits related to this issue

Most upvoted comments

So finally sessions and resources can be shared across threads or not? Immediately after I start using them as described in the docs I hit KeyError: 'credential_provider' or similar. My threads do upload only so I guess I’m on safe side but I keep finding statements contradicting the docs.

+8
zgoda-mobica on Sep 27, 2018

So finally sessions and resources can be shared across threads or not? Immediately after I start using them as described in the docs I hit KeyError: 'credential_provider' or similar. My threads do upload only so I guess I’m on safe side but I keep finding statements contradicting the docs.

@zgoda-mobica , Same issue here. I had ThreadPoolExecutor and each thread was invoking boto3.client('lambda').invoke() without using Session() which throws KeyError: 'credential_provider' error.

So now using following in thread invoked method…

session = boto3.session.Session()
lambda_client = session.client('lambda')
lambda_response = lambda_client.invoke(...)
....

and it seems to be ok.

+6
azec-pdx on Oct 10, 2019

Workaround for this in the mean time: Put a boto3.client('sts') call immediately before the for loop.

+5
moalexmonk on Jun 13, 2018

What is the reason that the “DEFAULT_SESSION” was introduced at the first place?

Creating a Session is a very resource intensive process as it has to load and deserialize several models before it can create clients. If this was required every time a client was created we’d see unacceptable performance impact. It’s a rare use-case customers actually need individual sessions, so we avoid this by creating a single instance by default for reuse. If this is undesired behavior customers are free to instantiate their own Session as you’re showing.

With the code you’ve proposed above, it will have the same performance as creating one client currently. However, we see creating a client take ~15x longer once we start creating many clients. This is because we are currently amortizing that Session cost over each client creation by reusing a single DEFAULT_SESSION instance.

Performance Impact Example

import timeit
import boto3

CLIENT_COUNT = 1_000

global_time = timeit.timeit(
    'boto3.client("s3")',
    setup='import boto3',
    number=CLIENT_COUNT
)
print(f"Average time per client with Global Session: {global_time/CLIENT_COUNT} sec")

unique_time = timeit.timeit(
    'boto3.session.Session().client("s3")',
    setup='import boto3',
    number=CLIENT_COUNT
)
print(f"Average time per client with Unique Session: {unique_time/CLIENT_COUNT} sec")

We’ll see results over 1000 runs come out as seen below:

$ python perf_test.py
Average time per client with Global Session: 0.001492504167 sec
Average time per client with Unique Session: 0.022752786 sec

As you can see this quickly becomes cost prohibitive for time sensitive applications. This is why the current documentation instructs users to pass clients to threads rather than create them in the thread.

+3
nateprewitt on Jan 12, 2023

There is also an outstanding unanswered question in botocore about thread safety. Would be great to know what’s the actual correct approach should be.

+3
rkiyanchuk on Oct 3, 2018

You’re correct about this behavior. Historically we’ve said that session methods aren’t thread safe, but once you’ve created a client or resource, we guarantee that those calls are thread safe (http://boto3.readthedocs.io/en/latest/guide/resources.html#multithreading-multiprocessing).

While we can investigate changing that stance, I suspect there will be more work than just the component logic, though that’s a good start and one of the most common content points in sessions.

+3
jamesls on Jun 19, 2018

I documented the issue based on my own understanding. https://medium.com/@life-is-short-so-enjoy-it/aws-boto3-misunderstanding-about-thread-safe-a7261d7391fd

+1
Gatsby-Lee on Jan 12, 2023

The documentation on multithreading was updated in this PR: https://github.com/boto/boto3/pull/2848.

Here are links to the multithreading documentation for Clients, Resources, and Sessions. Does that help clarify things?

+1
tim-finnigan on Apr 6, 2022

The documentation says that it is “recommended” to create a resource per thread but the example code below that recommendation creates a resource AND a session per thread. IOW, it is ambiguous if sessions can be shared between threads or not. Further down, the documentation states that resources are NOT thread-safe. That would imply that it’s not merely “recommended” to create a resource per thread, but rather that it’s a requirement to do so.

I’m confused.

+1
hannes-ucsc on Nov 17, 2020
Read more comments on GitHub
← boto3: DynamoDB: boto3 doesn't work with the local server: timestamp parsing problems
boto3: generate_presigned_url no longer works, gives: SignatureDoesNotMatch →