Additional Changes:

S-Saranya1 · S-Saranya1 · commit 8eef6e43986d · 2025-07-31T13:49:43.000-07:00
Adding the logic to close the client
Addressing PR feedback
diff --git a/core/aws-core/src/main/java/software/amazon/awssdk/awscore/internal/defaultsmode/AutoDefaultsModeDiscovery.java b/core/aws-core/src/main/java/software/amazon/awssdk/awscore/internal/defaultsmode/AutoDefaultsModeDiscovery.java
@@ -88,15 +88,20 @@ private static Optional<String> queryImdsV2() {
             return Optional.empty();
         }
 
+        Ec2MetadataClient client = null;
         try {
-            Ec2MetadataClient client = Ec2MetadataSharedClient.builder()
-                                                              .retryPolicy(Ec2MetadataRetryPolicy.none())
-                                                              .build();
+            client = Ec2MetadataSharedClient.builder()
+                                            .retryPolicy(Ec2MetadataRetryPolicy.none())
+                                            .build();
 
             String ec2InstanceRegion = client.get(EC2_METADATA_REGION_PATH).asString();
             return Optional.ofNullable(ec2InstanceRegion);
         } catch (Exception exception) {
             return Optional.empty();
+        } finally {
+            if (client != null) {
+                Ec2MetadataSharedClient.decrementAndClose();
+            }
         }
     }
 
diff --git a/core/aws-core/src/test/java/software/amazon/awssdk/awscore/internal/defaultsmode/AutoDefaultsModeDiscoveryEc2MetadataClientTest.java b/core/aws-core/src/test/java/software/amazon/awssdk/awscore/internal/defaultsmode/AutoDefaultsModeDiscoveryEc2MetadataClientTest.java
@@ -23,22 +23,21 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.putRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static com.github.tomakehurst.wiremock.client.WireMock.matching;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
 import static org.assertj.core.api.Assertions.assertThat;
 
-import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import java.lang.reflect.Field;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
 import software.amazon.awssdk.awscore.defaultsmode.DefaultsMode;
 import software.amazon.awssdk.core.SdkSystemSetting;
-import software.amazon.awssdk.http.SdkHttpClient;
-import software.amazon.awssdk.imds.internal.Ec2MetadataSharedClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.testutils.EnvironmentVariableHelper;
-import software.amazon.awssdk.utils.Lazy;
 
 /**
  * Tests specifically for AutoDefaultsModeDiscovery's migration to use Ec2MetadataClient.
@@ -47,26 +46,29 @@
 public class AutoDefaultsModeDiscoveryEc2MetadataClientTest {
     private static final EnvironmentVariableHelper ENVIRONMENT_VARIABLE_HELPER = new EnvironmentVariableHelper();
 
-    @Rule
-    public WireMockRule wireMock = new WireMockRule(wireMockConfig()
-            .port(0)
-            .httpsPort(-1));
+    @RegisterExtension
+    static WireMockExtension wireMock = WireMockExtension.newInstance()
+                                                               .options(wireMockConfig().dynamicPort().dynamicPort())
+                                                               .configureStaticDsl(true)
+                                                               .build();
 
-    @Before
-    public void setup() {
+    @BeforeAll
+    static void setupClass() {
         System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property(),
-                           "http://localhost:" + wireMock.port());
+                           "http://localhost:" + wireMock.getPort());
+    }
 
+    @BeforeEach
+    public void setup() {
         clearEnvironmentVariable("AWS_EXECUTION_ENV");
         clearEnvironmentVariable("AWS_REGION");
         clearEnvironmentVariable("AWS_DEFAULT_REGION");
     }
 
-    @After
+    @AfterEach
     public void cleanup() {
         wireMock.resetAll();
         ENVIRONMENT_VARIABLE_HELPER.reset();
-        System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property());
     }
 
    // Clear an environment variable by setting it to null.
@@ -82,7 +84,10 @@ private void clearEnvironmentVariable(String name) {
     public void autoDefaultsModeDiscovery_shouldUseSharedHttpClient() throws Exception {
         // Stub successful IMDS responses
         stubFor(put("/latest/api/token")
-                    .willReturn(aResponse().withStatus(200).withBody("test-token")));
+                    .willReturn(aResponse()
+                                    .withStatus(200)
+                                    .withHeader("x-aws-ec2-metadata-token-ttl-seconds", "21600")
+                                    .withBody("test-token")));
         stubFor(get("/latest/meta-data/placement/region")
                     .willReturn(aResponse().withStatus(200).withBody("us-east-1")));
 
@@ -92,23 +97,25 @@ public void autoDefaultsModeDiscovery_shouldUseSharedHttpClient() throws Excepti
         // Should return IN_REGION since client region matches IMDS region
         assertThat(result).isEqualTo(DefaultsMode.IN_REGION);
 
-        // Verify that the shared HTTP client was used
-        Field sharedClientField = Ec2MetadataSharedClient.class.getDeclaredField("SHARED_HTTP_CLIENT");
-        sharedClientField.setAccessible(true);
-        Lazy<SdkHttpClient> sharedHttpClient = (Lazy<SdkHttpClient>) sharedClientField.get(null);
-
-        // Verify the shared HTTP client was initialized
-        assertThat(sharedHttpClient.hasValue()).isTrue();
-
-        // Verify IMDS requests were made
+        // Verify token request was made
         verify(putRequestedFor(urlEqualTo("/latest/api/token")));
-        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region")));
+        
+        // Verify region request was made with token header - IMDSv2
+        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withHeader("x-aws-ec2-metadata-token", matching("test-token")));
+        
+        // Verify no IMDSv1 requests were made
+        verify(0, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withoutHeader("x-aws-ec2-metadata-token"));
     }
 
     @Test
     public void multipleDiscoveryInstances_shouldShareSameHttpClient() throws Exception {
         stubFor(put("/latest/api/token")
-                    .willReturn(aResponse().withStatus(200).withBody("test-token")));
+                    .willReturn(aResponse()
+                                    .withStatus(200)
+                                    .withHeader("x-aws-ec2-metadata-token-ttl-seconds", "21600")
+                                    .withBody("test-token")));
         stubFor(get("/latest/meta-data/placement/region")
                     .willReturn(aResponse().withStatus(200).withBody("us-west-2")));
 
@@ -124,16 +131,16 @@ public void multipleDiscoveryInstances_shouldShareSameHttpClient() throws Except
         assertThat(result1).isEqualTo(DefaultsMode.CROSS_REGION);
         assertThat(result2).isEqualTo(DefaultsMode.CROSS_REGION);
 
-        // Verify shared HTTP client was used
-        Field sharedClientField = Ec2MetadataSharedClient.class.getDeclaredField("SHARED_HTTP_CLIENT");
-        sharedClientField.setAccessible(true);
-        Lazy<SdkHttpClient> sharedHttpClient = (Lazy<SdkHttpClient>) sharedClientField.get(null);
-
-        assertThat(sharedHttpClient.hasValue()).isTrue();
-
-        // Verify IMDS requests were made
+        // Verify token request was made
         verify(putRequestedFor(urlEqualTo("/latest/api/token")));
-        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region")));
+        
+        // Verify region request was made with token header - IMDSv2
+        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withHeader("x-aws-ec2-metadata-token", matching("test-token")));
+        
+        // Verify no IMDSv1 requests were made
+        verify(0, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withoutHeader("x-aws-ec2-metadata-token"));
     }
 
     @Test
@@ -174,7 +181,10 @@ public void imdsFailure_shouldFallbackToStandardMode() {
     public void noRetryPolicy_shouldBeUsedByDefault() {
         // Stub token to succeed but region to fail with retryable error
         stubFor(put("/latest/api/token")
-                    .willReturn(aResponse().withStatus(200).withBody("test-token")));
+                    .willReturn(aResponse()
+                                    .withStatus(200)
+                                    .withHeader("x-aws-ec2-metadata-token-ttl-seconds", "21600")
+                                    .withBody("test-token")));
         stubFor(get("/latest/meta-data/placement/region")
                     .willReturn(aResponse().withStatus(500).withBody("Internal Server Error")));
 
@@ -186,7 +196,14 @@ public void noRetryPolicy_shouldBeUsedByDefault() {
 
         // Verify requests were made once (no retries)
         verify(1, putRequestedFor(urlEqualTo("/latest/api/token")));
-        verify(1, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region")));
+        
+        // Verify region request was made with token header - IMDSv2
+        verify(1, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withHeader("x-aws-ec2-metadata-token", matching("test-token")));
+        
+        // Verify no IMDSv1 requests were made
+        verify(0, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withoutHeader("x-aws-ec2-metadata-token"));
     }
 
     @Test
@@ -205,9 +222,16 @@ public void imdsV1Fallback_shouldWorkWhenTokenFails() {
         // Should fall back to IMDSv1 and return IN_REGION
         assertThat(result).isEqualTo(DefaultsMode.IN_REGION);
 
-        // Verify both token request and region request were made
+        // Verify token request was attempted
         verify(putRequestedFor(urlEqualTo("/latest/api/token")));
-        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region")));
+        
+        // Verify region request was made without token header - IMDSv1 fallback
+        verify(getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withoutHeader("x-aws-ec2-metadata-token"));
+        
+        // Verify no IMDSv2 requests were made
+        verify(0, getRequestedFor(urlEqualTo("/latest/meta-data/placement/region"))
+                .withHeader("x-aws-ec2-metadata-token", matching(".*")));
     }
 
     @Test
diff --git a/core/imds/src/main/java/software/amazon/awssdk/imds/internal/DefaultEc2MetadataClientWithFallback.java b/core/imds/src/main/java/software/amazon/awssdk/imds/internal/DefaultEc2MetadataClientWithFallback.java
@@ -124,7 +124,7 @@ public Ec2MetadataResponse get(String path) {
                 if (token == null || token.isExpired()) {
                     token = tokenCache.get();
                 }
-                return sendRequest(path, token != null ? token.value() : null);
+                return sendRequest(path, token == null ? null : token.value());
             } catch (UncheckedIOException | RetryableException e) {
                 lastCause = e;
                 int currentTry = attempt;
diff --git a/core/imds/src/main/java/software/amazon/awssdk/imds/internal/Ec2MetadataSharedClient.java b/core/imds/src/main/java/software/amazon/awssdk/imds/internal/Ec2MetadataSharedClient.java
@@ -16,24 +16,24 @@
 package software.amazon.awssdk.imds.internal;
 
 import java.time.Duration;
-import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.annotations.SdkProtectedApi;
 import software.amazon.awssdk.core.internal.http.loader.DefaultSdkHttpClientBuilder;
 import software.amazon.awssdk.http.SdkHttpClient;
 import software.amazon.awssdk.http.SdkHttpConfigurationOption;
 import software.amazon.awssdk.imds.Ec2MetadataClient;
 import software.amazon.awssdk.imds.Ec2MetadataRetryPolicy;
 import software.amazon.awssdk.utils.AttributeMap;
-import software.amazon.awssdk.utils.Lazy;
 
 /**
  * Creates Ec2MetadataClient instances using a shared HTTP client internally.
  * This provides resource efficiency by sharing a single HTTP client across all IMDS-backed providers
  */
-@SdkInternalApi
+@SdkProtectedApi
 public final class Ec2MetadataSharedClient {
-    // Singleton HTTP client shared across all Ec2MetadataClient instances
-    private static final Lazy<SdkHttpClient> SHARED_HTTP_CLIENT = new Lazy<>(() -> createImdsHttpClient());
-    
+
+    private static volatile SdkHttpClient sharedHttpClient;
+    private static int referenceCount = 0;
+
     private Ec2MetadataSharedClient() {
         // Prevent instantiation
     }
@@ -52,6 +52,17 @@ public static Builder builder() {
     public static Ec2MetadataClient create() {
         return builder().build();
     }
+
+    /**
+     * Decrements the reference count and closes the shared HTTP client if no more references exist.
+     */
+    public static synchronized void decrementAndClose() {
+        referenceCount--;
+        if (referenceCount == 0 && sharedHttpClient != null) {
+            sharedHttpClient.close();
+            sharedHttpClient = null;
+        }
+    }
     
     private static SdkHttpClient createImdsHttpClient() {
         Duration metadataServiceTimeout = Ec2MetadataConfigProvider.instance().resolveServiceTimeout();
@@ -69,14 +80,21 @@ public static final class Builder {
         private Builder() {
         }
         
-        public Builder retryPolicy(Ec2MetadataRetryPolicy retryPolicy) {
+        public synchronized Builder retryPolicy(Ec2MetadataRetryPolicy retryPolicy) {
             this.retryPolicy = retryPolicy;
             return this;
         }
         
-        public Ec2MetadataClient build() {
+        public synchronized Ec2MetadataClient build() {
+
+            if (sharedHttpClient == null) {
+                sharedHttpClient = createImdsHttpClient();
+            }
+
+            referenceCount++;
+            
             return DefaultEc2MetadataClientWithFallback.builder()
-                .httpClient(SHARED_HTTP_CLIENT.getValue())
+                .httpClient(sharedHttpClient)
                 .retryPolicy(retryPolicy)
                 .build();
         }
diff --git a/core/imds/src/main/java/software/amazon/awssdk/imds/internal/RequestMarshaller.java b/core/imds/src/main/java/software/amazon/awssdk/imds/internal/RequestMarshaller.java
@@ -59,12 +59,14 @@ public SdkHttpFullRequest createTokenRequest(Duration tokenTtl) {
 
     public SdkHttpFullRequest createDataRequest(String path, String token, Duration tokenTtl) {
         URI resourcePath = URI.create(basePath + path);
-        return defaulttHttpBuilder()
+        SdkHttpFullRequest.Builder builder = defaulttHttpBuilder()
             .method(SdkHttpMethod.GET)
             .uri(resourcePath)
-            .putHeader(EC2_METADATA_TOKEN_TTL_HEADER, String.valueOf(tokenTtl.getSeconds()))
-            .putHeader(TOKEN_HEADER, token)
-            .build();
+            .putHeader(EC2_METADATA_TOKEN_TTL_HEADER, String.valueOf(tokenTtl.getSeconds()));
+        if (token != null) {
+            builder.putHeader(TOKEN_HEADER, token);
+        }
+        return builder.build();
     }
 
     private SdkHttpFullRequest.Builder defaulttHttpBuilder() {
diff --git a/core/imds/src/test/java/software/amazon/awssdk/imds/internal/DefaultEc2MetadataClientWithFallbackTest.java b/core/imds/src/test/java/software/amazon/awssdk/imds/internal/DefaultEc2MetadataClientWithFallbackTest.java
diff --git a/core/sdk-core/src/main/java/software/amazon/awssdk/core/internal/http/loader/DefaultSdkHttpClientBuilder.java b/core/sdk-core/src/main/java/software/amazon/awssdk/core/internal/http/loader/DefaultSdkHttpClientBuilder.java

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ public Ec2MetadataResponse get(String path) {`
`124`	`124`	`if (token == null \|\| token.isExpired()) {`
`125`	`125`	`token = tokenCache.get();`
`126`	`126`	`}`
`127`		`- return sendRequest(path, token != null ? token.value() : null);`
	`127`	`+ return sendRequest(path, token == null ? null : token.value());`
`128`	`128`	`} catch (UncheckedIOException \| RetryableException e) {`
`129`	`129`	`lastCause = e;`
`130`	`130`	`int currentTry = attempt;`