fix(credential-provider-node): open credential provider lock after failed chain (#7692)

kuhe · web-flow · commit 2320c7c0b3de · 2026-01-29T13:03:02.000-05:00
diff --git a/packages-internal/credential-provider-node/src/runtime/memoize-chain.spec.ts b/packages-internal/credential-provider-node/src/runtime/memoize-chain.spec.ts
@@ -3,6 +3,7 @@ import { beforeEach, describe, expect, test as it, vi } from "vitest";
 
 import { credentialsWillNeedRefresh } from "../defaultProvider";
 import { memoizeChain } from "./memoize-chain";
+import { CredentialsProviderError } from "@smithy/property-provider";
 
 describe("memoize runtime config aware AWS credential chain", () => {
   let staticCredentials!: RuntimeConfigAwsCredentialIdentityProvider;
@@ -156,4 +157,37 @@ describe("memoize runtime config aware AWS credential chain", () => {
 
     expect(expiringCredentials).toHaveBeenCalledTimes(5);
   });
+
+  it("should release locks on credential resolution failure at the end of the chain", async () => {
+    const neverAvailableCredentialProvider: () => RuntimeConfigAwsCredentialIdentityProvider = () => async () => {
+      throw new CredentialsProviderError("never available", { tryNextLink: true });
+    };
+
+    let n = 0;
+    const eventuallyAvailableCredentialProvider: RuntimeConfigAwsCredentialIdentityProvider = async () => {
+      if (n++ === 0) {
+        throw new CredentialsProviderError("initially unavailable", { tryNextLink: false });
+      }
+      return {
+        accessKeyId: "xyz",
+        secretAccessKey: "xyz",
+      };
+    };
+
+    const provider = memoizeChain(
+      [neverAvailableCredentialProvider(), neverAvailableCredentialProvider(), eventuallyAvailableCredentialProvider],
+      credentialsWillNeedRefresh
+    );
+
+    try {
+      await provider();
+    } catch (e) {
+      const credentials = await provider();
+      expect(credentials).toEqual({
+        accessKeyId: "xyz",
+        secretAccessKey: "xyz",
+      });
+    }
+    expect.assertions(1);
+  });
 });
diff --git a/packages-internal/credential-provider-node/src/runtime/memoize-chain.ts b/packages-internal/credential-provider-node/src/runtime/memoize-chain.ts
@@ -44,16 +44,22 @@ export function memoizeChain(
     } else if (!credentials || treatAsExpired?.(credentials!)) {
       if (credentials) {
         if (!passiveLock) {
-          passiveLock = chain(options).then((c) => {
-            credentials = c;
-            passiveLock = undefined;
-          });
+          passiveLock = chain(options)
+            .then((c) => {
+              credentials = c;
+            })
+            .finally(() => {
+              passiveLock = undefined;
+            });
         }
       } else {
-        activeLock = chain(options).then((c) => {
-          credentials = c;
-          activeLock = undefined;
-        });
+        activeLock = chain(options)
+          .then((c) => {
+            credentials = c;
+          })
+          .finally(() => {
+            activeLock = undefined;
+          });
         return provider(options);
       }
     }
