Use Overridable Ec2MetadataClient for IMDS-backed Providers #5876

Open
@commiterate

Description

Describe the feature

Make IMDS-backed providers accept an Ec2MetadataClient instance which respects IMDS client configurations.

Use Case

Various IMDS-backed providers like the InstanceProfileRegionProvider and InstanceProfileCredentialsProvider make IMDS requests using an HttpURLConnection via the SDK protected (@SdkProtectedApi) software.amazon.awssdk.regions.util.HttpResourcesUtils class. This is instead of the public Ec2MetadataClient.

In particular:

  • InstanceProfileRegionProvider
    • Uses the internal software.amazon.awssdk.regions.internal.util.EC2MetadataUtils class, which uses the HttpResourcesUtils class.
  • InstanceProfileCredentialsProvider
    • Uses the HttpResourcesUtils class directly.
    • Hardcodes the IMDS token TTL to 21,600 seconds.

These may not respect certain IMDS client configurations (e.g. IMDS session token TTL) nor have features like IMDS session token caching + auto-refresh (some fetch a new token every time).

Switch to the Ec2MetadataClient to de-duplicate IMDS functionality.

Proposed Solution

Add builders for all providers and have an ec2MetadataClient function on the builder. For example:

import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.imds.Ec2MetadataClient;
import software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider;

SdkHttpClient httpClient = UrlConnectionHttpClient.create();

// One IMDS client, carrying the token TTL / endpoint / HTTP client settings,
// shared by every IMDS-backed provider.
Ec2MetadataClient ec2MetadataClient = Ec2MetadataClient
   .builder()
   .httpClient(httpClient)
   .build();

// Proposed API: builder().ec2MetadataClient(...) does not exist on these providers yet.
InstanceProfileCredentialsProvider credentialsProvider = InstanceProfileCredentialsProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

InstanceProfileRegionProvider regionProvider = InstanceProfileRegionProvider
   .builder()
   .ec2MetadataClient(ec2MetadataClient)
   .build();

If the existing InstanceProfile*Provider providers shouldn't be refactored, create new Ec2Metadata*Provider classes instead and mark the InstanceProfile*Provider classes as deprecated.
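As an added example (not part of this issue or of the SDK), the following adapter shows how a caller can already route instance-profile credential lookups through a configured Ec2MetadataClient, so that the token TTL, endpoint and HTTP client set on that client are honoured instead of the hardcoded values in the providers above. The Ec2MetadataCredentialsProvider class and the CREDS_PATH constant are assumptions of this example; the SDK calls it relies on are Ec2MetadataClient.builder().tokenTtl(...).build(), Ec2MetadataClient.get(...), Ec2MetadataResponse.asString()/asDocument() and AwsSessionCredentials.create(...).

```java
import java.time.Duration;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.core.document.Document;
import software.amazon.awssdk.imds.Ec2MetadataClient;

/**
 * Hypothetical adapter (not an SDK class): resolves instance-profile
 * credentials through a caller-supplied Ec2MetadataClient, so the IMDS
 * settings configured on that client apply to credential lookups too.
 */
public final class Ec2MetadataCredentialsProvider implements AwsCredentialsProvider {
    // Assumed path; IMDS lists the role name(s) here and serves the
    // credential document under "<CREDS_PATH><roleName>".
    private static final String CREDS_PATH = "/latest/meta-data/iam/security-credentials/";

    private final Ec2MetadataClient imds;

    public Ec2MetadataCredentialsProvider(Ec2MetadataClient imds) {
        this.imds = imds;
    }

    @Override
    public AwsCredentials resolveCredentials() {
        // First request: newline-separated role names; use the first one.
        String roleName = imds.get(CREDS_PATH).asString().trim().split("\\R")[0];
        // Second request: JSON credential document for that role.
        Map<String, Document> doc = imds.get(CREDS_PATH + roleName).asDocument().asMap();
        Document code = doc.get("Code");
        if (code == null || !"Success".equals(code.asString())) {
            throw new IllegalStateException("IMDS credential lookup failed: " + code);
        }
        return AwsSessionCredentials.create(
            doc.get("AccessKeyId").asString(),
            doc.get("SecretAccessKey").asString(),
            doc.get("Token").asString());
    }

    public static void main(String[] args) {
        // A short session-token TTL limits how long a leaked IMDSv2 token is
        // usable; Ec2MetadataClient caches and refreshes the token itself.
        Ec2MetadataClient imds = Ec2MetadataClient.builder()
            .tokenTtl(Duration.ofMinutes(5))
            .build();
        AwsCredentialsProvider provider = new Ec2MetadataCredentialsProvider(imds);
        System.out.println(provider.resolveCredentials().accessKeyId());
    }
}
```

This adapter does not cache the returned credentials, so every resolveCredentials() call makes two IMDS requests; in production it should be wrapped in a caching provider keyed on the document's Expiration field.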

Other Information

Requires #5764 to be fixed to reduce the likelihood of using stale IMDS session tokens.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS Java SDK version used

2.30.16

JDK version used

All

Operating System and version

All