
Use Overridable `Ec2MetadataClient` for IMDS-backed Providers

Open · commiterate opened this issue 11 months ago · 1 comment

Describe the feature

Make IMDS-backed providers accept an Ec2MetadataClient instance which respects IMDS client configurations.

Use Case

Various IMDS-backed providers like the InstanceProfileRegionProvider and InstanceProfileCredentialsProvider make IMDS requests using an HttpURLConnection via the SDK protected (@SdkProtectedApi) software.amazon.awssdk.regions.util.HttpResourcesUtils (def) class. This is instead of the public Ec2MetadataClient (javadoc).

In particular:

  • InstanceProfileRegionProvider
    • Uses the internal software.amazon.awssdk.regions.internal.util.EC2MetadataUtils (def) class which uses the HttpResourcesUtils class.
  • InstanceProfileCredentialsProvider
    • Uses the HttpResourcesUtils class directly.
    • Hardcodes the IMDS token TTL to 21,600 seconds (code).

These may not respect certain IMDS client configurations (e.g. IMDS session token TTL) nor have features like IMDS session token caching + auto-refresh (some fetch a new token every time).

Switch to the Ec2MetadataClient to de-duplicate IMDS functionality.

Proposed Solution

Add builders for all providers and have an ec2MetadataClient function on the builder. For example:

import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.imds.Ec2MetadataClient;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider;

SdkHttpClient httpClient = UrlConnectionHttpClient.create();

// One IMDS client, carrying the IMDS configuration (token TTL, endpoint, retries)
// that the providers should respect.
Ec2MetadataClient ec2MetadataClient = Ec2MetadataClient
   .builder()
   .httpClient(httpClient)
   .build();

// Proposed: providers accept the shared client via their builders.
InstanceProfileCredentialsProvider credentialsProvider = InstanceProfileCredentialsProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

InstanceProfileRegionProvider regionProvider = InstanceProfileRegionProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

If the existing InstanceProfile*Provider providers shouldn't be refactored, create new Ec2Metadata*Provider classes instead and mark the InstanceProfile*Provider classes as deprecated.

Other Information

Requires https://github.com/aws/aws-sdk-java-v2/issues/5764 to be fixed to reduce the likelihood of using stale IMDS session tokens.

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS Java SDK version used

2.30.16

JDK version used

All

Operating System and version

All

commiterate, Feb 10 '25 21:02
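As an added illustration of what the request is after (this is example code written here, not code from the issue author or from the SDK): an AwsRegionProvider built directly on the public Ec2MetadataClient, so the IMDSv2 session-token TTL and token reuse come from the client configuration rather than being hardcoded inside the provider. The class name Ec2MetadataRegionProvider and the 15-minute TOKEN_TTL are choices made for this example; the SDK types, the builder methods and the IMDS path are the real ones.

```java
import java.time.Duration;

import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.imds.Ec2MetadataClient;
import software.amazon.awssdk.imds.Ec2MetadataResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.providers.AwsRegionProvider;

/**
 * Example region provider (not part of the SDK) that resolves the region
 * through the public Ec2MetadataClient instead of the protected
 * HttpResourcesUtils path used by InstanceProfileRegionProvider.
 */
public final class Ec2MetadataRegionProvider implements AwsRegionProvider {

    // IMDSv2 token TTL for this example: well below the 21,600 s maximum that
    // InstanceProfileCredentialsProvider hardcodes, so a cached token is only
    // valid for a bounded window before the client must request a fresh one.
    private static final Duration TOKEN_TTL = Duration.ofMinutes(15);

    private final Ec2MetadataClient imds;

    public Ec2MetadataRegionProvider(Ec2MetadataClient imds) {
        this.imds = imds;
    }

    /** Builds the provider with an explicitly configured IMDS client. */
    public static Ec2MetadataRegionProvider create() {
        SdkHttpClient httpClient = UrlConnectionHttpClient.create();
        Ec2MetadataClient imds = Ec2MetadataClient.builder()
            .httpClient(httpClient)
            .tokenTtl(TOKEN_TTL)
            .build();
        return new Ec2MetadataRegionProvider(imds);
    }

    @Override
    public Region getRegion() {
        // Single IMDS call; the client attaches its IMDSv2 session token and
        // reuses it within TOKEN_TTL instead of fetching a token per request.
        Ec2MetadataResponse response = imds.get("/latest/meta-data/placement/region");
        String region = response.asString().trim();
        if (region.isEmpty()) {
            throw new IllegalStateException("IMDS returned an empty region");
        }
        return Region.of(region);
    }
}
```

Because the same Ec2MetadataClient instance can be handed to every IMDS-backed provider, the token TTL, endpoint and retry settings are decided once, in one place, which is the de-duplication the request asks for.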

Hi @commiterate thank you for reaching out. Yes, this change is in our plans.

debora-ito, Feb 22 '25 01:02