EC2 IMDS Changes to Support Account ID

Author: S-Saranya1

.changes/next-release/feature-AWSEC2-9b178a4.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS EC2",
+    "contributor": "",
+    "description": "EC2 IMDS Changes to Support Account ID"
+}

core/auth/src/it/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderIntegrationTest.java

@@ -35,7 +35,7 @@ public class InstanceProfileCredentialsProviderIntegrationTest {
     /** Starts up the mock EC2 Instance Metadata Service. */
     @Before
     public void setUp() throws Exception {
-        mockServer = new EC2MetadataServiceMock("/latest/meta-data/iam/security-credentials/");
+        mockServer = new EC2MetadataServiceMock("/latest/meta-data/iam/security-credentials-extended/");
         mockServer.start();
     }
 

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -37,12 +37,14 @@
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.exception.SdkServiceException;
+import software.amazon.awssdk.imds.Ec2MetadataClientException;
 import software.amazon.awssdk.profiles.ProfileFile;
 import software.amazon.awssdk.profiles.ProfileFileSupplier;
 import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
 import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
+import software.amazon.awssdk.utils.Lazy;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.ToString;
 import software.amazon.awssdk.utils.Validate;
@@ -70,9 +72,19 @@ public final class InstanceProfileCredentialsProvider
     private static final String PROVIDER_NAME = "InstanceProfileCredentialsProvider";
     private static final String EC2_METADATA_TOKEN_HEADER = "x-aws-ec2-metadata-token";
     private static final String SECURITY_CREDENTIALS_RESOURCE = "/latest/meta-data/iam/security-credentials/";
+    private static final String SECURITY_CREDENTIALS_EXTENDED_RESOURCE = "/latest/meta-data/iam/security-credentials-extended/";
     private static final String TOKEN_RESOURCE = "/latest/api/token";
+
+    private enum ApiVersion {
+        UNKNOWN,
+        LEGACY,
+        EXTENDED
+    }
+
     private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
     private static final String DEFAULT_TOKEN_TTL = "21600";
+    private Lazy<ApiVersion> apiVersion = new Lazy<>(() -> ApiVersion.UNKNOWN);
+    private Lazy<String> resolvedProfile = new Lazy<>(() -> null);
 
     private final Clock clock;
     private final String endpoint;
@@ -157,14 +169,27 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
 
         try {
             LoadedCredentials credentials = httpCredentialsLoader.loadCredentials(createEndpointProvider());
+            ApiVersion currentVersion = apiVersion.getValue();
+            if (currentVersion == ApiVersion.UNKNOWN) {
+                apiVersion = Lazy.withValue(ApiVersion.EXTENDED);
+            }
+
             Instant expiration = credentials.getExpiration().orElse(null);
             log.debug(() -> "Loaded credentials from IMDS with expiration time of " + expiration);
 
             return RefreshResult.builder(credentials.getAwsCredentials())
                                 .staleTime(staleTime(expiration))
                                 .prefetchTime(prefetchTime(expiration))
                                 .build();
+        } catch (Ec2MetadataClientException e) {
+            if (apiVersion.getValue() == ApiVersion.UNKNOWN) {
+                apiVersion = Lazy.withValue(ApiVersion.LEGACY);
+                resolvedProfile = new Lazy<>(() -> null);
+                return refreshCredentials();
+            }
+            throw SdkClientException.create("Failed to load credentials from IMDS.", e);
         } catch (RuntimeException e) {
+            resolvedProfile = new Lazy<>(() -> null);
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);
         }
     }
@@ -207,14 +232,20 @@ public String toString() {
         return ToString.create(PROVIDER_NAME);
     }
 
+    private String getSecurityCredentialsResource() {
+        return apiVersion.getValue() == ApiVersion.LEGACY ?
+               SECURITY_CREDENTIALS_RESOURCE :
+               SECURITY_CREDENTIALS_EXTENDED_RESOURCE;
+    }
+
     private ResourcesEndpointProvider createEndpointProvider() {
         String imdsHostname = getImdsEndpoint();
         String token = getToken(imdsHostname);
         String[] securityCredentials = getSecurityCredentials(imdsHostname, token);
-
+        String urlBase = getSecurityCredentialsResource();
+        
         return StaticResourcesEndpointProvider.builder()
-                                              .endpoint(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE
-                                                                   + securityCredentials[0]))
+                                              .endpoint(URI.create(imdsHostname + urlBase + securityCredentials[0]))
                                               .headers(getTokenHeaders(token))
                                               .connectionTimeout(Duration.ofMillis(
                                                   this.configProvider.serviceTimeout()))
@@ -285,21 +316,41 @@ private boolean isInsecureFallbackDisabled() {
     }
 
     private String[] getSecurityCredentials(String imdsHostname, String metadataToken) {
+        if (resolvedProfile.hasValue()) {
+            return new String[]{resolvedProfile.getValue()};
+        }
+
+        String urlBase = getSecurityCredentialsResource();
         ResourcesEndpointProvider securityCredentialsEndpoint =
             StaticResourcesEndpointProvider.builder()
-                                           .endpoint(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE))
+                                           .endpoint(URI.create(imdsHostname + urlBase))
                                            .headers(getTokenHeaders(metadataToken))
-                .connectionTimeout(Duration.ofMillis(this.configProvider.serviceTimeout()))
+                                           .connectionTimeout(Duration.ofMillis(this.configProvider.serviceTimeout()))
                                            .build();
 
-        String securityCredentialsList =
-            invokeSafely(() -> HttpResourcesUtils.instance().readResource(securityCredentialsEndpoint));
-        String[] securityCredentials = securityCredentialsList.trim().split("\n");
+        try {
+            String securityCredentialsList =
+                invokeSafely(() -> HttpResourcesUtils.instance().readResource(securityCredentialsEndpoint));
+            String[] securityCredentials = securityCredentialsList.trim().split("\n");
+
+            if (securityCredentials.length == 0) {
+                throw SdkClientException.builder().message("Unable to load credentials path").build();
+            }
 
-        if (securityCredentials.length == 0) {
-            throw SdkClientException.builder().message("Unable to load credentials path").build();
+            ApiVersion currentVersion = apiVersion.getValue();
+            if (currentVersion == ApiVersion.UNKNOWN) {
+                apiVersion = Lazy.withValue(ApiVersion.EXTENDED);
+            }
+            resolvedProfile = new Lazy<>(() -> securityCredentials[0]);
+            return securityCredentials;
+
+        } catch (Ec2MetadataClientException e) {
+            if (apiVersion.getValue() == ApiVersion.UNKNOWN) {
+                apiVersion = Lazy.withValue(ApiVersion.LEGACY);
+                return getSecurityCredentials(imdsHostname, metadataToken);
+            }
+            throw SdkClientException.create("Failed to load credentials from IMDS.", e);
         }
-        return securityCredentials;
     }
 
     private Map<String, String> getTokenHeaders(String metadataToken) {

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/HttpCredentialsLoader.java

@@ -64,15 +64,17 @@ public LoadedCredentials loadCredentials(ResourcesEndpointProvider endpoint) {
             JsonNode secretKey = node.get("SecretAccessKey");
             JsonNode token = node.get("Token");
             JsonNode expiration = node.get("Expiration");
+            JsonNode accountId = node.get("AccountId");
 
             Validate.notNull(accessKey, "Failed to load access key from metadata service.");
             Validate.notNull(secretKey, "Failed to load secret key from metadata service.");
 
             return new LoadedCredentials(accessKey.text(),
-                                         secretKey.text(),
-                                         token != null ? token.text() : null,
-                                         expiration != null ? expiration.text() : null,
-                                         providerName);
+                                       secretKey.text(),
+                                       token != null ? token.text() : null,
+                                       expiration != null ? expiration.text() : null,
+                                       accountId != null ? accountId.text() : null,
+                                       providerName);
         } catch (SdkClientException e) {
             throw e;
         } catch (RuntimeException | IOException e) {
@@ -89,12 +91,15 @@ public static final class LoadedCredentials {
         private final String token;
         private final Instant expiration;
         private final String providerName;
+        private final String accountId;
 
-        private LoadedCredentials(String accessKeyId, String secretKey, String token, String expiration, String providerName) {
+        private LoadedCredentials(String accessKeyId, String secretKey, String token,
+                                  String expiration, String accountId, String providerName) {
             this.accessKeyId = Validate.paramNotBlank(accessKeyId, "accessKeyId");
             this.secretKey = Validate.paramNotBlank(secretKey, "secretKey");
             this.token = token;
             this.expiration = expiration == null ? null : parseExpiration(expiration);
+            this.accountId = accountId;
             this.providerName = providerName;
         }
 
@@ -105,11 +110,13 @@ public AwsCredentials getAwsCredentials() {
                                         .secretAccessKey(secretKey)
                                         .sessionToken(token)
                                         .providerName(providerName)
+                                        .accountId(accountId)
                                         .build() :
                    AwsBasicCredentials.builder()
                                       .accessKeyId(accessKeyId)
                                       .secretAccessKey(secretKey)
                                       .providerName(providerName)
+                                      .accountId(accountId)
                                       .build();
         }
 

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderAccountIDTest.java

@@ -0,0 +1,181 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials;
+
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.get;
+import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.put;
+import static com.github.tomakehurst.wiremock.client.WireMock.putRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
+import com.github.tomakehurst.wiremock.junit5.WireMockTest;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.testutils.EnvironmentVariableHelper;
+import software.amazon.awssdk.utils.DateUtils;
+
+import java.time.Duration;
+import java.time.Instant;
+
+/**
+ * Tests verifying IMDS credential resolution with account ID support.
+ */
+@WireMockTest
+public class InstanceProfileCredentialsProviderAccountIDTest {
+    private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
+    private static final String CREDENTIALS_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials/";
+    private static final String CREDENTIALS_EXTENDED_RESOURCE_PATH = "/latest/meta-data/iam/security-credentials-extended/";
+    private static final String TOKEN_HEADER = "x-aws-ec2-metadata-token";
+    private static final String TOKEN_STUB = "some-token";
+    private static final String PROFILE_NAME = "some-profile";
+    private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
+    private static final String ACCOUNT_ID = "123456789012";
+    private static final EnvironmentVariableHelper environmentVariableHelper = new EnvironmentVariableHelper();
+
+    @RegisterExtension
+    static WireMockExtension wireMockServer = WireMockExtension.newInstance()
+                                                              .options(wireMockConfig().dynamicPort())
+                                                              .configureStaticDsl(true)
+                                                              .build();
+
+    @BeforeEach
+    public void methodSetup() {
+        environmentVariableHelper.reset();
+        System.setProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property(),
+                          "http://localhost:" + wireMockServer.getPort());
+    }
+
+    @AfterAll
+    public static void teardown() {
+        System.clearProperty(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.property());
+        environmentVariableHelper.reset();
+    }
+
+    @Test
+    void resolveCredentials_usesExtendedEndpoint_withAccountId() {
+        String credentialsWithAccountId = String.format(
+            "{\"AccessKeyId\":\"ACCESS_KEY_ID\"," +
+            "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
+            "\"Token\":\"SESSION_TOKEN\"," +
+            "\"Expiration\":\"%s\"," +
+            "\"AccountId\":\"%s\"}",
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1))),
+            ACCOUNT_ID
+        );
+
+        stubSecureCredentialsResponse(aResponse().withBody(credentialsWithAccountId), true);
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        AwsCredentials credentials = provider.resolveCredentials();
+
+        assertThat(credentials.accessKeyId()).isEqualTo("ACCESS_KEY_ID");
+        assertThat(credentials.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        assertThat(((AwsSessionCredentials)credentials).sessionToken()).isEqualTo("SESSION_TOKEN");
+        assertThat(credentials.accountId()).hasValue(ACCOUNT_ID);
+        verifyImdsCallWithToken(true);
+    }
+
+    @Test
+    void resolveCredentials_fallsBackToLegacy_noAccountId() {
+        String credentialsWithoutAccountId = String.format(
+            "{\"AccessKeyId\":\"ACCESS_KEY_ID\"," +
+            "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
+            "\"Token\":\"SESSION_TOKEN\"," +
+            "\"Expiration\":\"%s\"," +
+            "\"Code\":\"Success\"}",  // No AccountId field at all
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
+        );
+
+        stubSecureCredentialsResponse(aResponse().withBody(credentialsWithoutAccountId), false);
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        AwsCredentials credentials = provider.resolveCredentials();
+
+        assertThat(credentials.accessKeyId()).isEqualTo("ACCESS_KEY_ID");
+        assertThat(credentials.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        assertThat(((AwsSessionCredentials)credentials).sessionToken()).isEqualTo("SESSION_TOKEN");
+        verifyImdsCallWithToken(false);
+    }
+
+    @Test
+    void resolveCredentials_cachesProfile_maintainsAccountId() {
+        String credentialsWithAccountId = String.format(
+            "{\"AccessKeyId\":\"ACCESS_KEY_ID\"," +
+            "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
+            "\"Token\":\"SESSION_TOKEN\"," +
+            "\"Expiration\":\"%s\"," +
+            "\"AccountId\":\"%s\"}",
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1))),
+            ACCOUNT_ID
+        );
+
+        stubSecureCredentialsResponse(aResponse().withBody(credentialsWithAccountId), true);
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        // First call
+        AwsCredentials creds1 = provider.resolveCredentials();
+        assertThat(creds1.accountId()).hasValue(ACCOUNT_ID);
+
+        // Second call - should use cached profile
+        AwsCredentials creds2 = provider.resolveCredentials();
+        assertThat(creds2.accountId()).hasValue(ACCOUNT_ID);
+
+        // Verify profile discovery only called once
+        verify(1, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
+    }
+
+    private void stubSecureCredentialsResponse(com.github.tomakehurst.wiremock.client.ResponseDefinitionBuilder responseDefinitionBuilder, boolean useExtended) {
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH)).willReturn(aResponse().withBody(TOKEN_STUB)));
+        String path = useExtended ? CREDENTIALS_EXTENDED_RESOURCE_PATH : CREDENTIALS_RESOURCE_PATH;
+        
+        if (useExtended) {
+            wireMockServer.stubFor(get(urlPathEqualTo(path)).willReturn(aResponse().withBody(PROFILE_NAME)));
+            wireMockServer.stubFor(get(urlPathEqualTo(path + PROFILE_NAME)).willReturn(responseDefinitionBuilder));
+        } else {
+            // Extended endpoint fails, fallback to legacy
+            wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+                .willReturn(aResponse().withStatus(404)));
+            wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + PROFILE_NAME))
+                .willReturn(aResponse().withStatus(404)));
+            wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)).willReturn(aResponse().withBody(PROFILE_NAME)));
+            wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + PROFILE_NAME)).willReturn(responseDefinitionBuilder));
+        }
+    }
+
+    private void verifyImdsCallWithToken(boolean useExtended) {
+        verify(putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .withHeader(EC2_METADATA_TOKEN_TTL_HEADER, equalTo("21600")));
+
+        String path = useExtended ? CREDENTIALS_EXTENDED_RESOURCE_PATH : CREDENTIALS_RESOURCE_PATH;
+        verify(getRequestedFor(urlPathEqualTo(path))
+            .withHeader(TOKEN_HEADER, equalTo(TOKEN_STUB)));
+        verify(getRequestedFor(urlPathEqualTo(path + PROFILE_NAME))
+            .withHeader(TOKEN_HEADER, equalTo(TOKEN_STUB)));
+
+        if (useExtended) {
+            // Verify extended endpoint was tried first
+            verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
+            verify(getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + PROFILE_NAME)));
+        }
+    }
+}