Additional Changes:

-Adding additional tests
-Updating to use AtomicReference

Author: S-Saranya1

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -27,6 +27,7 @@
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.annotations.SdkTestInternalApi;
@@ -82,8 +83,8 @@ private enum ApiVersion {
 
     private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
     private static final String DEFAULT_TOKEN_TTL = "21600";
-    private volatile ApiVersion apiVersion = ApiVersion.UNKNOWN;
-    private String resolvedProfile = null;
+    private final AtomicReference<ApiVersion> apiVersion = new AtomicReference<>(ApiVersion.UNKNOWN);
+    private final AtomicReference<String> resolvedProfile = new AtomicReference<>();
 
     private final Clock clock;
     private final String endpoint;
@@ -176,9 +177,9 @@ private RefreshResult<AwsCredentials> refreshCredentials() {
                                 .prefetchTime(prefetchTime(expiration))
                                 .build();
         } catch (Ec2MetadataClientException e) {
-            if (e.statusCode() == 404 && apiVersion == ApiVersion.EXTENDED) {
-                apiVersion = ApiVersion.LEGACY;
-                resolvedProfile = null;
+            if (e.statusCode() == 404 && apiVersion.compareAndSet(ApiVersion.EXTENDED, ApiVersion.LEGACY)) {
+                log.debug(() -> "Unable to load credential path from extended API. Falling back to legacy API.");
+                resolvedProfile.set(null);
                 return refreshCredentials();
             }
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);
@@ -226,7 +227,7 @@ public String toString() {
     }
 
     private String getSecurityCredentialsResource() {
-        return apiVersion == ApiVersion.LEGACY ?
+        return apiVersion.get() == ApiVersion.LEGACY ?
                SECURITY_CREDENTIALS_RESOURCE :
                SECURITY_CREDENTIALS_EXTENDED_RESOURCE;
     }
@@ -309,8 +310,9 @@ private boolean isInsecureFallbackDisabled() {
     }
 
     private String[] getSecurityCredentials(String imdsHostname, String metadataToken) {
-        if (resolvedProfile != null) {
-            return new String[]{resolvedProfile};
+        String profile = resolvedProfile.get();
+        if (profile != null) {
+            return new String[]{profile};
         }
 
         String urlBase = getSecurityCredentialsResource();
@@ -330,15 +332,13 @@ private String[] getSecurityCredentials(String imdsHostname, String metadataToke
                 throw SdkClientException.builder().message("Unable to load credentials path").build();
             }
 
-            if (apiVersion == ApiVersion.UNKNOWN) {
-                apiVersion = ApiVersion.EXTENDED;
-            }
-            resolvedProfile = securityCredentials[0];
+            apiVersion.compareAndSet(ApiVersion.UNKNOWN, ApiVersion.EXTENDED);
+            resolvedProfile.set(securityCredentials[0]);
             return securityCredentials;
 
         } catch (Ec2MetadataClientException e) {
-            if (apiVersion == ApiVersion.UNKNOWN) {
-                apiVersion = ApiVersion.LEGACY;
+            if (e.statusCode() == 404 && apiVersion.compareAndSet(ApiVersion.UNKNOWN, ApiVersion.LEGACY)) {
+                log.debug(() -> "Unable to load credential path from extended API. Falling back to legacy API.");
                 return getSecurityCredentials(imdsHostname, metadataToken);
             }
             throw SdkClientException.create("Failed to load credentials from IMDS.", e);

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/HttpCredentialsLoader.java

@@ -70,11 +70,11 @@ public LoadedCredentials loadCredentials(ResourcesEndpointProvider endpoint) {
             Validate.notNull(secretKey, "Failed to load secret key from metadata service.");
 
             return new LoadedCredentials(accessKey.text(),
-                                       secretKey.text(),
-                                       token != null ? token.text() : null,
-                                       expiration != null ? expiration.text() : null,
-                                       accountId != null ? accountId.text() : null,
-                                       providerName);
+                                         secretKey.text(),
+                                         token != null ? token.text() : null,
+                                         expiration != null ? expiration.text() : null,
+                                         accountId != null ? accountId.text() : null,
+                                         providerName);
         } catch (SdkClientException e) {
             throw e;
         } catch (RuntimeException | IOException e) {

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderExtendedApiTest.java

@@ -105,7 +105,7 @@ void resolveCredentials_fallsBackToLegacy_noAccountId() {
             "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
             "\"Token\":\"SESSION_TOKEN\"," +
             "\"Expiration\":\"%s\"," +
-            "\"Code\":\"Success\"}",  // No AccountId field at all
+            "\"Code\":\"Success\"}",
             DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
         );
 
@@ -159,119 +159,82 @@ void resolveCredentials_withInvalidProfile_throwsException() {
     }
 
     @Test
-    void resolveCredentials_withUnstableProfile_noAccountId_refreshesCredentials() {
-        String firstCredentials = String.format(
-            "{\"AccessKeyId\":\"ASIAIOSFODNN7EXAMPLE\"," +
-            "\"SecretAccessKey\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"," +
-            "\"Token\":\"AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKw\"," +
-            "\"Expiration\":\"%s\"," +
-            "\"Code\":\"Success\"," +
-            "\"Type\":\"AWS-HMAC\"," +
-            "\"LastUpdated\":\"2025-03-18T20:53:17.832308Z\"," +
-            "\"UnexpectedElement7\":{\"Name\":\"ignore-me-7\"}}",
-            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
-        );
-
-        String secondCredentials = String.format(
-            "{\"AccessKeyId\":\"ASIAIOSFODNN7EXAMPLE\"," +
-            "\"SecretAccessKey\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"," +
-            "\"Token\":\"AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKw\"," +
+    void resolveCredentials_cachesProfile_maintainsAccountId() {
+        String credentialsWithAccountId = String.format(
+            "{\"AccessKeyId\":\"ACCESS_KEY_ID\"," +
+            "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
+            "\"Token\":\"SESSION_TOKEN\"," +
             "\"Expiration\":\"%s\"," +
-            "\"Code\":\"Success\"," +
-            "\"Type\":\"AWS-HMAC\"," +
-            "\"LastUpdated\":\"2025-03-18T20:53:17.832308Z\"," +
-            "\"UnexpectedElement7\":{\"Name\":\"ignore-me-7\"}}",
-            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1)))
+            "\"AccountId\":\"%s\"}",
+            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1))),
+            ACCOUNT_ID
         );
 
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
-            .inScenario("Profile Change No AccountId")
-            .whenScenarioStateIs("Started")
-            .willReturn(aResponse().withBody("my-profile-0007"))
-            .willSetStateTo("First Profile"));
-
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007"))
-            .inScenario("Profile Change No AccountId")
-            .whenScenarioStateIs("First Profile")
-            .willReturn(aResponse().withBody(firstCredentials))
-            .willSetStateTo("First Profile Done"));
-
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007"))
-            .inScenario("Profile Change No AccountId")
-            .whenScenarioStateIs("First Profile Done")
-            .willReturn(aResponse().withStatus(404))
-            .willSetStateTo("Profile Changed"));
-
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
-            .inScenario("Profile Change No AccountId")
-            .whenScenarioStateIs("Profile Changed")
-            .willReturn(aResponse().withBody("my-profile-0007-b")));
-
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + "my-profile-0007-b"))
-            .willReturn(aResponse().withBody(secondCredentials)));
-
-        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
-            .willReturn(aResponse().withBody(TOKEN_STUB)));
-
+        stubSecureCredentialsResponse(aResponse().withBody(credentialsWithAccountId), true);
         InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
 
+        // First call
         AwsCredentials creds1 = provider.resolveCredentials();
-        assertThat(creds1.accountId()).isEmpty();
-        assertThat(creds1.accessKeyId()).isEqualTo("ASIAIOSFODNN7EXAMPLE");
+        assertThat(creds1.accountId()).hasValue(ACCOUNT_ID);
 
+        // Second call - should use cached profile
         AwsCredentials creds2 = provider.resolveCredentials();
-        assertThat(creds2.accountId()).isEmpty();
-        assertThat(creds2.accessKeyId()).isEqualTo("ASIAIOSFODNN7EXAMPLE");
+        assertThat(creds2.accountId()).hasValue(ACCOUNT_ID);
+
+        // Verify profile discovery only called once
+        verify(1, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
     }
 
     @Test
-    void resolveCredentials_withDiscoveredInvalidProfile_noAccountId_throwsException() {
-        String invalidProfile = "my-profile-0008";
+    void resolveCredentials_withNon404Error_doesNotFallbackToLegacy() {
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(TOKEN_STUB)));
 
         wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
-            .willReturn(aResponse().withBody(invalidProfile)));
+            .willReturn(aResponse().withBody(PROFILE_NAME)));
 
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + invalidProfile))
-            .willReturn(aResponse().withStatus(404)));
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + PROFILE_NAME))
+            .willReturn(aResponse().withStatus(500).withBody("Internal Server Error")));
 
-        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + invalidProfile))
-            .willReturn(aResponse().withStatus(404)));
-
-        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
-            .willReturn(aResponse().withBody(TOKEN_STUB)));
 
         InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
 
         assertThatThrownBy(() -> provider.resolveCredentials())
             .isInstanceOf(SdkClientException.class)
             .hasMessageContaining("Failed to load credentials from IMDS");
-    }
 
+        // Verify extended endpoint was called
+        verify(1, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
+        verify(1, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + PROFILE_NAME)));
+
+        // Verify legacy endpoint was NOT called
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)));
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + PROFILE_NAME)));
+    }
+    
     @Test
-    void resolveCredentials_cachesProfile_maintainsAccountId() {
-        String credentialsWithAccountId = String.format(
-            "{\"AccessKeyId\":\"ACCESS_KEY_ID\"," +
-            "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\"," +
-            "\"Token\":\"SESSION_TOKEN\"," +
-            "\"Expiration\":\"%s\"," +
-            "\"AccountId\":\"%s\"}",
-            DateUtils.formatIso8601Date(Instant.now().plus(Duration.ofDays(1))),
-            ACCOUNT_ID
-        );
+    void resolveCredentials_withNon404ErrorOnProfileDiscovery_doesNotFallbackToLegacy() {
+        wireMockServer.stubFor(put(urlPathEqualTo(TOKEN_RESOURCE_PATH))
+            .willReturn(aResponse().withBody(TOKEN_STUB)));
 
-        stubSecureCredentialsResponse(aResponse().withBody(credentialsWithAccountId), true);
-        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
+        wireMockServer.stubFor(get(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH))
+            .willReturn(aResponse().withStatus(403).withBody("Forbidden")));
 
-        // First call
-        AwsCredentials creds1 = provider.resolveCredentials();
-        assertThat(creds1.accountId()).hasValue(ACCOUNT_ID);
+        InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.builder().build();
 
-        // Second call - should use cached profile
-        AwsCredentials creds2 = provider.resolveCredentials();
-        assertThat(creds2.accountId()).hasValue(ACCOUNT_ID);
+        assertThatThrownBy(() -> provider.resolveCredentials())
+            .isInstanceOf(SdkClientException.class)
+            .hasMessageContaining("Failed to load credentials from IMDS");
 
-        // Verify profile discovery only called once
+        // Verify extended endpoint was called
         verify(1, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH)));
+        
+        // Verify profile-specific endpoint was NOT called
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_EXTENDED_RESOURCE_PATH + PROFILE_NAME)));
+
+        // Verify legacy endpoint was NOT called
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH)));
+        verify(0, getRequestedFor(urlPathEqualTo(CREDENTIALS_RESOURCE_PATH + PROFILE_NAME)));
     }
 
     private void stubSecureCredentialsResponse(com.github.tomakehurst.wiremock.client.ResponseDefinitionBuilder responseDefinitionBuilder, boolean useExtended) {