Add support for version 2.1 of the IMDS credentials provider #4109

Draft
wants to merge 5 commits into
base: main
2 changes: 1 addition & 1 deletion aws/rust-runtime/aws-config/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion aws/rust-runtime/aws-config/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "aws-config"
version = "1.6.2"
version = "1.7.0"
authors = [
"AWS Rust SDK Team <[email protected]>",
"Russell Cohen <[email protected]>",
11 changes: 10 additions & 1 deletion aws/rust-runtime/aws-config/src/imds/client.rs
@@ -733,8 +733,17 @@ pub(crate) mod test {
.unwrap()
}

pub(crate) fn imds_response_404() -> HttpResponse {
HttpResponse::try_from(
http::Response::builder()
.status(404)
.body(SdkBody::empty())
.unwrap(),
)
.unwrap()
}

pub(crate) fn make_imds_client(http_client: &StaticReplayClient) -> super::Client {
tokio::time::pause();
super::Client::builder()
.configure(
&ProviderConfig::no_configuration()
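Review bot: `imds_response_404` is added without a doc comment, and nothing in the hunk says which IMDS condition its empty-bodied 404 stands for. The replay fixtures on this page record a 404 from `/latest/meta-data/iam/security-credentials/` with an HTML body, so the helper and the recordings model the same status differently; credentials.rs is not rendered here, so whether the provider decides on the status alone cannot be confirmed from this page. I would add `/// Builds a 404 response with an empty body for IMDS replay tests.` above the function and turn the inner `.unwrap()` into `.expect("static 404 response is valid")`. `make_imds_client` continues past the end of the hunk.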
820 changes: 730 additions & 90 deletions aws/rust-runtime/aws-config/src/imds/credentials.rs

Large diffs are not rendered by default.

6 changes: 6 additions & 0 deletions aws/rust-runtime/aws-config/src/imds/mod.rs
@@ -13,6 +13,12 @@ pub mod region;

mod env {
pub(crate) const EC2_METADATA_DISABLED: &str = "AWS_EC2_METADATA_DISABLED";
pub(crate) const EC2_INSTANCE_PROFILE_NAME: &str = "AWS_EC2_INSTANCE_PROFILE_NAME";
}

mod profile_key {
pub(crate) const EC2_METADATA_DISABLED: &str = "disable_ec2_metadata";
pub(crate) const EC2_INSTANCE_PROFILE_NAME: &str = "ec2_instance_profile_name";
}

#[doc(inline)]
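Review bot: The `EC2_INSTANCE_PROFILE_NAME` constants in `mod env` and `mod profile_key` have no doc comments, and this section does not show where a value read from `AWS_EC2_INSTANCE_PROFILE_NAME` or `ec2_instance_profile_name` is checked before use. The fixtures on this page request `.../security-credentials-extended/imds-assume-role-test`, which suggests the profile name becomes a path segment of the IMDS URI; credentials.rs is not rendered, so that is an inference. If it holds, the provider should reject a name that is empty or contains `/`, `?` or `#` before building the URI, and the constants should carry a comment such as `/// Environment variable naming the EC2 instance profile whose credentials are requested from IMDS.` It would also help to state which of the environment variable and the profile key takes precedence.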
Original file line number Diff line number Diff line change
@@ -89,7 +89,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
Contributor

So this test is updated to hit extended but the response isn't updated?

Contributor Author

Ah, good point, not strictly necessary since extended API can still return credentials without account ID. Admittedly, this is what happens when we manually tweak connection recording files for a feature that hasn't been supported in the real world.

"headers": {
"x-aws-ec2-metadata-token": [
"imdssesiontoken=="
@@ -179,7 +179,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/imds-assume-role-test",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/imds-assume-role-test",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
Original file line number Diff line number Diff line change
@@ -89,7 +89,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
@@ -179,7 +179,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/imds-assume-role-test",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/imds-assume-role-test",
"headers": {
"x-aws-ec2-metadata-token": [
"AQAEAKQRRHnsX8GCPgYTGMShrFJkMhru3n-8Ul5Gzvzj-bpWKYZuiw=="
Original file line number Diff line number Diff line change
@@ -89,7 +89,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
@@ -167,6 +167,90 @@
"direction": "Response"
}
}
},
{
"connection_id": 2,
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
],
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
],
"x-aws-ec2-metadata-token": [
"faketoken"
]
},
"method": "GET"
}
}
}
},
{
"connection_id": 2,
"action": {
"Eof": {
"ok": true,
"direction": "Request"
}
}
},
{
"connection_id": 2,
"action": {
"Response": {
"response": {
"Ok": {
"status": 404,
"version": "HTTP/1.1",
"headers": {
"content-length": [
"339"
],
"date": [
"Mon, 20 Sep 2021 20:51:52 GMT"
],
"content-type": [
"text/html"
],
"x-aws-ec2-metadata-token-ttl-seconds": [
"21600"
],
"connection": [
"close"
],
"server": [
"EC2ws"
]
}
}
}
}
}
},
{
"connection_id": 2,
"action": {
"Data": {
"data": {
"Utf8": "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n\t\t \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n"
},
"direction": "Response"
}
}
},
{
"connection_id": 2,
"action": {
"Eof": {
"ok": true,
"direction": "Response"
}
}
}
],
"docs": "live IMDS token retrieval",
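Review bot: The `docs` field after the added events still reads `live IMDS token retrieval`, although the hunk at line 167 adds a second exchange in which `/latest/meta-data/iam/security-credentials/` answers 404 after the earlier request to `security-credentials-extended/`. A reader of the recording cannot tell from it whether the 404 on the legacy path is the intended end state of a fallback or a leftover. I would change the field to something like `"docs": "IMDS token retrieval; credential listing falls back to the legacy path, which returns 404"`, if that is the scenario; the response to the extended request lies outside the rendered hunks, so this is inferred. The same 84-line addition, with the same `docs` value, appears again in the last fixture section on this page.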
Original file line number Diff line number Diff line change
@@ -143,7 +143,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
@@ -197,7 +197,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"x-aws-ec2-metadata-token": [
"imdstoken"
@@ -287,7 +287,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/imds-assume-role-test",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/imds-assume-role-test",
"headers": {
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
@@ -341,7 +341,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/imds-assume-role-test",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/imds-assume-role-test",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
Original file line number Diff line number Diff line change
@@ -89,7 +89,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
@@ -179,7 +179,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/imds-assume-role-test",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/imds-assume-role-test",
"headers": {
"x-aws-ec2-metadata-token": [
"AQAEAKQRRHnsX8GCPgYTGMShrFJkMhru3n-8Ul5Gzvzj-bpWKYZuiw=="
Original file line number Diff line number Diff line change
@@ -89,7 +89,7 @@
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials-extended/",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
@@ -167,6 +167,90 @@
"direction": "Response"
}
}
},
{
"connection_id": 2,
"action": {
"Request": {
"request": {
"uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"headers": {
"user-agent": [
"aws-sdk-rust/0.1.0 os/linux lang/rust/1.52.1"
],
"x-amz-user-agent": [
"aws-sdk-rust/0.1.0 api/imds/0.1.0 os/linux lang/rust/1.52.1"
],
"x-aws-ec2-metadata-token": [
"faketoken"
]
},
"method": "GET"
}
}
}
},
{
"connection_id": 2,
"action": {
"Eof": {
"ok": true,
"direction": "Request"
}
}
},
{
"connection_id": 2,
"action": {
"Response": {
"response": {
"Ok": {
"status": 404,
"version": "HTTP/1.1",
"headers": {
"content-length": [
"339"
],
"date": [
"Mon, 20 Sep 2021 20:51:52 GMT"
],
"content-type": [
"text/html"
],
"x-aws-ec2-metadata-token-ttl-seconds": [
"21600"
],
"connection": [
"close"
],
"server": [
"EC2ws"
]
}
}
}
}
}
},
{
"connection_id": 2,
"action": {
"Data": {
"data": {
"Utf8": "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n\t\t \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n"
},
"direction": "Response"
}
}
},
{
"connection_id": 2,
"action": {
"Eof": {
"ok": true,
"direction": "Response"
}
}
}
],
"docs": "live IMDS token retrieval",