Addition additional tests and replacing initialization

Author: S-Saranya1

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -44,7 +44,6 @@
 import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
-import software.amazon.awssdk.utils.Lazy;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.ToString;
 import software.amazon.awssdk.utils.Validate;
@@ -83,8 +82,8 @@ private enum ApiVersion {
 
     private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
     private static final String DEFAULT_TOKEN_TTL = "21600";
-    private Lazy<ApiVersion> apiVersion = new Lazy<>(() -> ApiVersion.UNKNOWN);
-    private Lazy<String> resolvedProfile = new Lazy<>(() -> null);
+    private ApiVersion apiVersion = ApiVersion.UNKNOWN;
+    private String resolvedProfile = null;
 
     private final Clock clock;
     private final String endpoint;
@@ -169,9 +168,8 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
 
         try {
             LoadedCredentials credentials = httpCredentialsLoader.loadCredentials(createEndpointProvider());
-            ApiVersion currentVersion = apiVersion.getValue();
-            if (currentVersion == ApiVersion.UNKNOWN) {
-                apiVersion = Lazy.withValue(ApiVersion.EXTENDED);
+            if (apiVersion == ApiVersion.UNKNOWN) {
+                apiVersion = ApiVersion.EXTENDED;
             }
 
             Instant expiration = credentials.getExpiration().orElse(null);
@@ -182,14 +180,13 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
                                 .prefetchTime(prefetchTime(expiration))
                                 .build();
         } catch (Ec2MetadataClientException e) {
-            if (apiVersion.getValue() == ApiVersion.UNKNOWN) {
-                apiVersion = Lazy.withValue(ApiVersion.LEGACY);
-                resolvedProfile = new Lazy<>(() -> null);
+            if (apiVersion == ApiVersion.UNKNOWN) {
+                apiVersion = ApiVersion.LEGACY;
+                resolvedProfile = null;
                 return refreshCredentials();
             }
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);
         } catch (RuntimeException e) {
-            resolvedProfile = new Lazy<>(() -> null);
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);
         }
     }
@@ -233,7 +230,7 @@ public String toString() {
     }
 
     private String getSecurityCredentialsResource() {
-        return apiVersion.getValue() == ApiVersion.LEGACY ?
+        return apiVersion == ApiVersion.LEGACY ?
                SECURITY_CREDENTIALS_RESOURCE :
                SECURITY_CREDENTIALS_EXTENDED_RESOURCE;
     }
@@ -316,8 +313,8 @@ private boolean isInsecureFallbackDisabled() {
     }
 
     private String[] getSecurityCredentials(String imdsHostname, String metadataToken) {
-        if (resolvedProfile.hasValue()) {
-            return new String[]{resolvedProfile.getValue()};
+        if (resolvedProfile != null) {
+            return new String[]{resolvedProfile};
         }
 
         String urlBase = getSecurityCredentialsResource();
@@ -337,16 +334,15 @@ private String[] getSecurityCredentials(String imdsHostname, String metadataToke
                 throw SdkClientException.builder().message("Unable to load credentials path").build();
             }
 
-            ApiVersion currentVersion = apiVersion.getValue();
-            if (currentVersion == ApiVersion.UNKNOWN) {
-                apiVersion = Lazy.withValue(ApiVersion.EXTENDED);
+            if (apiVersion == ApiVersion.UNKNOWN) {
+                apiVersion = ApiVersion.EXTENDED;
             }
-            resolvedProfile = new Lazy<>(() -> securityCredentials[0]);
+            resolvedProfile = securityCredentials[0];
             return securityCredentials;
 
         } catch (Ec2MetadataClientException e) {
-            if (apiVersion.getValue() == ApiVersion.UNKNOWN) {
-                apiVersion = Lazy.withValue(ApiVersion.LEGACY);
+            if (apiVersion == ApiVersion.UNKNOWN) {
+                apiVersion = ApiVersion.LEGACY;
                 return getSecurityCredentials(imdsHostname, metadataToken);
             }
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderAccountIDTest.java

@@ -25,6 +25,7 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.verify;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import com.github.tomakehurst.wiremock.junit5.WireMockTest;
@@ -33,6 +34,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.testutils.EnvironmentVariableHelper;
 import software.amazon.awssdk.utils.DateUtils;
 
@@ -117,6 +119,134 @@ void resolveCredentials_fallsBackToLegacy_noAccountId() {
         verifyImdsCallWithToken(false);
     }
 
+    @Test
+    void resolveCredentials_withImdsDisabled_returnsNoCredentials() {
+        environmentVariableHelper.set(SdkSystemSetting.AWS_EC2_METADATA_DISABLED.environmentVariable(), "true");
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        assertThatThrownBy(() -> provider.resolveCredentials())
+            .isInstanceOf(SdkClientException.class)
+            .hasMessageContaining("IMDS credentials have been disabled");
+
+        verify(0, putRequestedFor(urlPathEqualTo(TOKEN_RESOURCE_PATH)));
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)));
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
+    }
+
+
+    @Test
+    void resolveCredentials_withInvalidProfile_throwsException() {
+        String invalidProfile = "my-profile-0004";
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(invalidProfile)));
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(invalidProfile)));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + invalidProfile))
+            .willReturn(aResponse().withStatus(404)));
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + invalidProfile))
+            .willReturn(aResponse().withStatus(404)));
+
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(TOKEN_STUB)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        assertThatThrownBy(() -> provider.resolveCredentials())
+            .isInstanceOf(SdkClientException.class)
+            .hasMessageContaining("Failed to load credentials from IMDS.");
+    }
+
+    @Test
+    void resolveCredentials_withUnstableProfile_noAccountId_refreshesCredentials() {
+        String firstCredentials = String.format(
+            "{\"AccessKeyId\":\"ASIAIOSFODNN7EXAMPLE\"," +
+            "\"SecretAccessKey\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"," +
+            "\"Token\":\"AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKw\"," +
+            "\"Expiration\":\"%s\"," +
+            "\"Code\":\"Success\"," +
+            "\"Type\":\"AWS-HMAC\"," +
+            "\"LastUpdated\":\"2025-03-18T20:53:17.832308Z\"," +
+            "\"UnexpectedElement7\":{\"Name\":\"ignore-me-7\"}}",
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
+        );
+
+        String secondCredentials = String.format(
+            "{\"AccessKeyId\":\"ASIAIOSFODNN7EXAMPLE\"," +
+            "\"SecretAccessKey\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"," +
+            "\"Token\":\"AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKw\"," +
+            "\"Expiration\":\"%s\"," +
+            "\"Code\":\"Success\"," +
+            "\"Type\":\"AWS-HMAC\"," +
+            "\"LastUpdated\":\"2025-03-18T20:53:17.832308Z\"," +
+            "\"UnexpectedElement7\":{\"Name\":\"ignore-me-7\"}}",
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
+        );
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+            .inScenario("Profile Change No AccountId")
+            .whenScenarioStateIs("Started")
+            .willReturn(aResponse().withBody("my-profile-0007"))
+            .willSetStateTo("First Profile"));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007"))
+            .inScenario("Profile Change No AccountId")
+            .whenScenarioStateIs("First Profile")
+            .willReturn(aResponse().withBody(firstCredentials))
+            .willSetStateTo("First Profile Done"));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007"))
+            .inScenario("Profile Change No AccountId")
+            .whenScenarioStateIs("First Profile Done")
+            .willReturn(aResponse().withStatus(404))
+            .willSetStateTo("Profile Changed"));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+            .inScenario("Profile Change No AccountId")
+            .whenScenarioStateIs("Profile Changed")
+            .willReturn(aResponse().withBody("my-profile-0007-b")));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007-b"))
+            .willReturn(aResponse().withBody(secondCredentials)));
+
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(TOKEN_STUB)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        AwsCredentials creds1 = provider.resolveCredentials();
+        assertThat(creds1.accountId()).isEmpty();
+        assertThat(creds1.accessKeyId()).isEqualTo("ASIAIOSFODNN7EXAMPLE");
+
+        AwsCredentials creds2 = provider.resolveCredentials();
+        assertThat(creds2.accountId()).isEmpty();
+        assertThat(creds2.accessKeyId()).isEqualTo("ASIAIOSFODNN7EXAMPLE");
+    }
+
+    @Test
+    void resolveCredentials_withDiscoveredInvalidProfile_noAccountId_throwsException() {
+        String invalidProfile = "my-profile-0008";
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(invalidProfile)));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + invalidProfile))
+            .willReturn(aResponse().withStatus(404)));
+
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + invalidProfile))
+            .willReturn(aResponse().withStatus(404)));
+
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(TOKEN_STUB)));
+
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+
+        assertThatThrownBy(() -> provider.resolveCredentials())
+            .isInstanceOf(SdkClientException.class)
+            .hasMessageContaining("Failed to load credentials from IMDS");
+    }
+
     @Test
     void resolveCredentials_cachesProfile_maintainsAccountId() {
         String credentialsWithAccountId = String.format(