Additional Changes

-created a new integration test file for IMDS extended url separating it from legacy
-Included the status code to the fallback logic

Author: S-Saranya1

.changes/next-release/feature-AWSEC2-9b178a4.json

@@ -1,6 +1,6 @@
 {
     "type": "feature",
-    "category": "AWS EC2",
+    "category": "AWS SDK for Java v2",
     "contributor": "",
     "description": "EC2 IMDS Changes to Support Account ID"
 }

core/auth/src/it/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderIntegrationTest.java

@@ -35,7 +35,7 @@ public class InstanceProfileCredentialsProviderIntegrationTest {
     /** Starts up the mock EC2 Instance Metadata Service. */
     @Before
     public void setUp() throws Exception {
-        mockServer = new EC2MetadataServiceMock("/latest/meta-data/iam/security-credentials-extended/");
+        mockServer = new EC2MetadataServiceMock("/latest/meta-data/iam/security-credentials/");
         mockServer.start();
     }
 

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -168,10 +168,6 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
 
         try {
             LoadedCredentials credentials = httpCredentialsLoader.loadCredentials(createEndpointProvider());
-            if (apiVersion == ApiVersion.UNKNOWN) {
-                apiVersion = ApiVersion.EXTENDED;
-            }
-
             Instant expiration = credentials.getExpiration().orElse(null);
             log.debug(() -> "Loaded credentials from IMDS with expiration time of " + expiration);
 
@@ -180,7 +176,7 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
                                 .prefetchTime(prefetchTime(expiration))
                                 .build();
         } catch (Ec2MetadataClientException e) {
-            if (apiVersion == ApiVersion.UNKNOWN) {
+            if (e.statusCode() == 404 && apiVersion == ApiVersion.EXTENDED) {
                 apiVersion = ApiVersion.LEGACY;
                 resolvedProfile = null;
                 return refreshCredentials();

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/EC2MetadataServiceMock.java

@@ -42,6 +42,7 @@ public class EC2MetadataServiceMock {
                                                  "Content-Type: text/html\r\n" +
                                                  "Content-Length: ";
     private static final String OUTPUT_END_OF_HEADERS = "\r\n\r\n";
+    private static final String EXTENDED_PATH = "/latest/meta-data/iam/security-credentials-extended/";
     private final String securityCredentialsResource;
     private EC2MockMetadataServiceListenerThread hosmMockServerThread;
 
@@ -140,6 +141,15 @@ public void run() {
                     String[] strings = requestLine.split(" ");
                     String resourcePath = strings[1];
 
+                    // Return 404 for extended path when in legacy mode
+                    if (!credentialsResource.equals(EXTENDED_PATH) && 
+                        (resourcePath.equals(EXTENDED_PATH) || resourcePath.startsWith(EXTENDED_PATH))) {
+                        String notFound = "HTTP/1.1 404 Not Found\r\n" +
+                                        "Content-Length: 0\r\n" +
+                                        "\r\n";
+                        outputStream.write(notFound.getBytes());
+                        continue;
+                    }
 
                     String httpResponse = null;
 

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderExtendedIntegrationTest.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.core.exception.SdkClientException;
+
+/**
+ * Tests for {@link InstanceProfileCredentialsProvider} using the extended IMDS path.
+ */
+public class InstanceProfileCredentialsProviderExtendedIntegrationTest {
+    private static final String EXTENDED_PATH = "/latest/meta-data/iam/security-credentials-extended/";
+    private EC2MetadataServiceMock mockServer;
+
+    @Before
+    public void setUp() throws Exception {
+        mockServer = new EC2MetadataServiceMock(EXTENDED_PATH);
+        mockServer.start();
+    }
+
+    @After
+    public void tearDown() {
+        mockServer.stop();
+    }
+
+    @Test
+    public void resolveCredentials_withExtendedPath_includesAccountId() {
+        mockServer.setAvailableSecurityCredentials("test-role");
+        mockServer.setResponseFileName("sessionResponseExtended");
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        AwsCredentials credentials = provider.resolveCredentials();
+
+        assertThat(credentials.accountId()).isPresent();
+        assertThat(credentials.accountId().get()).isEqualTo("123456789012");
+    }
+
+    @Test
+    public void resolveCredentials_withExtendedPath_hasCorrectCredentials() {
+        mockServer.setAvailableSecurityCredentials("test-role");
+        mockServer.setResponseFileName("sessionResponseExtended");
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        AwsCredentials credentials = provider.resolveCredentials();
+
+        assertThat(credentials).isInstanceOf(AwsSessionCredentials.class);
+        assertThat(credentials.accessKeyId()).isEqualTo("ACCESS_KEY_ID");
+        assertThat(credentials.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        assertThat(((AwsSessionCredentials) credentials).sessionToken()).isEqualTo("TOKEN");
+    }
+
+    @Test
+    public void testSessionCredentials_MultipleInstanceProfiles() {
+        mockServer.setAvailableSecurityCredentials("test-credentials");
+        mockServer.setResponseFileName("sessionResponseExtended");
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        AwsCredentials credentials = provider.resolveCredentials();
+
+        assertThat(credentials).isInstanceOf(AwsSessionCredentials.class);
+        assertThat(credentials.accessKeyId()).isEqualTo("ACCESS_KEY_ID");
+        assertThat(credentials.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        assertThat(((AwsSessionCredentials) credentials).sessionToken()).isEqualTo("TOKEN");
+    }
+
+    @Test
+    public void testNoInstanceProfiles() throws Exception {
+        mockServer.setResponseFileName("sessionResponseExtended");
+        mockServer.setAvailableSecurityCredentials("");
+
+        try (InstanceProfileCredentialsProvider credentialsProvider = InstanceProfileCredentialsProvider.create()) {
+
+            try {
+                credentialsProvider.resolveCredentials();
+                fail("Expected an SdkClientException, but wasn't thrown");
+            } catch (SdkClientException ace) {
+                assertNotNull(ace.getMessage());
+            }
+        }
+    }
+
+    @Test
+    public void resolveCredentials_withDisabledMetadata_throwsException() {
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_DISABLED.property(), "true");
+        try {
+            InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+            assertThatThrownBy(() -> provider.resolveCredentials())
+                .isInstanceOf(SdkClientException.class)
+                .hasMessageContaining("IMDS credentials have been disabled");
+        } finally {
+            System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_DISABLED.property());
+        }
+    }
+
+    @Test
+    public void resolveCredentials_withNoAvailableCredentials_throwsException() {
+        mockServer.setAvailableSecurityCredentials("");
+        mockServer.setResponseFileName("sessionResponseExtended");
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        assertThatThrownBy(() -> provider.resolveCredentials())
+            .isInstanceOf(SdkClientException.class)
+            .hasMessageContaining("Failed to load credentials from IMDS.");
+    }
+}

core/auth/src/test/resources/software/amazon/awssdk/core/auth/sessionResponseExtended.json

@@ -0,0 +1,10 @@
+{
+  "Code" : "Success",
+  "LastUpdated" : "2025-02-13T18:00:00Z",
+  "Type" : "AWS-HMAC",
+  "AccessKeyId" : "ACCESS_KEY_ID",
+  "SecretAccessKey" : "SECRET_ACCESS_KEY",
+  "Token" : "TOKEN",
+  "Expiration" : "2025-02-13T19:00:00Z",
+  "AccountId" : "123456789012"
+}

core/regions/src/main/java/software/amazon/awssdk/regions/util/HttpResourcesUtils.java

@@ -120,6 +120,7 @@ public String readResource(ResourcesEndpointProvider endpointProvider, String me
                 } else if (statusCode == HttpURLConnection.HTTP_NOT_FOUND) {
                     // This is to preserve existing behavior of EC2 Instance metadata service.
                     throw Ec2MetadataClientException.builder()
+                                                    .statusCode(404)
                                                     .message("The requested metadata is not found at " + connection.getURL())
                                                     .build();
                 } else {