Skip to content

Use Overridable Ec2MetadataClient for IMDS-backed Providers #5876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
2 tasks
commiterate opened this issue Feb 10, 2025 · 1 comment
Open
2 tasks

Use Overridable Ec2MetadataClient for IMDS-backed Providers #5876

commiterate opened this issue Feb 10, 2025 · 1 comment
Labels
ec2-metadata-client feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@commiterate
Copy link

commiterate commented Feb 10, 2025
edited
Loading

Describe the feature

Make IMDS-backed providers accept an Ec2MetadataClient instance which respects IMDS client configurations.

Use Case

Various IMDS-backed providers like the InstanceProfileRegionProvider and InstanceProfileCredentialsProvider make IMDS requests using an HttpURLConnection via the SDK protected (@SdkProtectedApi) software.amazon.awssdk.regions.util.HttpResourcesUtils (def) class. This is instead of the public Ec2MetadataClient (javadoc).

In particular:

  • InstanceProfileRegionProvider
    • Uses the internal software.amazon.awssdk.regions.internal.util.EC2MetadataUtils (def) class which uses the HttpResourcesUtils class.
  • InstanceProfileCredentialsProvider
    • Uses the HttpResourcesUtils class directly.
    • Hardcodes the IMDS token TTL to 21,600 seconds (code).

These may not respect certain IMDS client configurations (e.g. IMDS session token TTL) nor have features like IMDS session token caching + auto-refresh (some fetch a new token every time).

Switch to the Ec2MetadataClient to de-duplicate IMDS functionality.

Proposed Solution

Add builders for all providers and have an ec2MetataClient function on the builder. For example:

import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient
import software.amazon.awssdk.imds.Ec2MetadataClient
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider;

httpClient = UrlConnectionHttpClient.create();

ec2MetadataClient = Ec2MetadataClient
   .builder();
   .httpClient(httpClient);
   .build();

credentialsProvider = InstanceProfileCredentialsProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

regionProvider = InstanceProfileRegionProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

If the existing InstanceProfile*Provider providers shouldn't be refactored, create new Ec2Metadata*Provider classes instead and mark the InstanceProfile*Provider classes as deprecated.

Other Information

Requires #5764 to be fixed to reduce the likelihood of using stale IMDS session tokens.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS Java SDK version used

2.30.16

JDK version used

All

Operating System and version

All
@commiterate commiterate added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 10, 2025
@debora-ito debora-ito added ec2-metadata-client needs-review This issue or PR needs review from the team. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 13, 2025
@debora-ito debora-ito self-assigned this Feb 18, 2025
@debora-ito debora-ito added p2 This is a standard priority issue and removed needs-review This issue or PR needs review from the team. labels Feb 20, 2025
@debora-ito
Copy link
Member

Hi @commiterate thank you for reaching out. Yes, this change is in our plans.

@debora-ito debora-ito removed their assignment Apr 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ec2-metadata-client feature-request A feature should be added or improved. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@debora-ito @commiterate