feat(instance metadata service conection) : Added env variable, system and profile file property for AWS EC2 Metatdat Service timeout (#5735)

* feat(instance metadata service conection) : Added env variable and system property for AWS EC2 Metatdat Service timeout

* removed system printhln

* Updated ConnectionUtils to support mock of this class

* Updated the test cases and made constructor private

* Cannot make clas final since its used in mock

* Handled PR comments

* updated the changelogs

* Hanled zoes comments

* Moved IMDS service timeout to Ec2MetaDataConfigProvider class

* Fix sonar quebe issues

* Removing reference of internal class in Public class java docs

Author: joviegas

.changes/next-release/feature-AWSSDKforJavav2-6a32858.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "Added `AWS_METADATA_SERVICE_TIMEOUT` environment variable, System property and `metadata_service_timeout` Profile property to configure connection and read timeouts (in seconds) for both InstanceProfileCredentialsProvider and IMDS client."
+}

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -31,7 +31,6 @@
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.annotations.SdkTestInternalApi;
 import software.amazon.awssdk.auth.credentials.internal.Ec2MetadataConfigProvider;
-import software.amazon.awssdk.auth.credentials.internal.Ec2MetadataDisableV1Resolver;
 import software.amazon.awssdk.auth.credentials.internal.HttpCredentialsLoader;
 import software.amazon.awssdk.auth.credentials.internal.HttpCredentialsLoader.LoadedCredentials;
 import software.amazon.awssdk.auth.credentials.internal.StaticResourcesEndpointProvider;
@@ -78,7 +77,6 @@ public final class InstanceProfileCredentialsProvider
     private final Clock clock;
     private final String endpoint;
     private final Ec2MetadataConfigProvider configProvider;
-    private final Ec2MetadataDisableV1Resolver ec2MetadataDisableV1Resolver;
     private final HttpCredentialsLoader httpCredentialsLoader;
     private final CachedSupplier<AwsCredentials> credentialsCache;
 
@@ -109,7 +107,6 @@ private InstanceProfileCredentialsProvider(BuilderImpl builder) {
                                      .profileFile(profileFile)
                                      .profileName(profileName)
                                      .build();
-        this.ec2MetadataDisableV1Resolver = Ec2MetadataDisableV1Resolver.create(profileFile, profileName);
 
         if (Boolean.TRUE.equals(builder.asyncCredentialUpdateEnabled)) {
             Validate.paramNotBlank(builder.asyncThreadName, "asyncThreadName");
@@ -211,9 +208,13 @@ private ResourcesEndpointProvider createEndpointProvider() {
         String token = getToken(imdsHostname);
         String[] securityCredentials = getSecurityCredentials(imdsHostname, token);
 
-        return new StaticResourcesEndpointProvider(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE +
-                                                              securityCredentials[0]),
-                                                   getTokenHeaders(token));
+        return StaticResourcesEndpointProvider.builder()
+                                              .endpoint(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE
+                                                                   + securityCredentials[0]))
+                                              .headers(getTokenHeaders(token))
+                                              .connectionTimeout(Duration.ofMillis(
+                                                  this.configProvider.serviceTimeout()))
+                                              .build();
     }
 
     private String getImdsEndpoint() {
@@ -226,8 +227,13 @@ private String getImdsEndpoint() {
 
     private String getToken(String imdsHostname) {
         Map<String, String> tokenTtlHeaders = Collections.singletonMap(EC2_METADATA_TOKEN_TTL_HEADER, DEFAULT_TOKEN_TTL);
-        ResourcesEndpointProvider tokenEndpoint = new StaticResourcesEndpointProvider(getTokenEndpoint(imdsHostname),
-                                                                                      tokenTtlHeaders);
+        ResourcesEndpointProvider tokenEndpoint =
+            StaticResourcesEndpointProvider.builder()
+                                           .endpoint(getTokenEndpoint(imdsHostname))
+                                           .headers(tokenTtlHeaders)
+                                           .connectionTimeout(Duration.ofMillis(
+                                               this.configProvider.serviceTimeout()))
+                                           .build();
 
         try {
             return HttpResourcesUtils.instance().readResource(tokenEndpoint, "PUT");
@@ -271,13 +277,16 @@ private String handleTokenErrorResponse(Exception e) {
     }
 
     private boolean isInsecureFallbackDisabled() {
-        return ec2MetadataDisableV1Resolver.resolve();
+        return configProvider.isMetadataV1Disabled();
     }
 
     private String[] getSecurityCredentials(String imdsHostname, String metadataToken) {
         ResourcesEndpointProvider securityCredentialsEndpoint =
-            new StaticResourcesEndpointProvider(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE),
-                                                getTokenHeaders(metadataToken));
+            StaticResourcesEndpointProvider.builder()
+                                           .endpoint(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE))
+                                           .headers(getTokenHeaders(metadataToken))
+                .connectionTimeout(Duration.ofMillis(this.configProvider.serviceTimeout()))
+                                           .build();
 
         String securityCredentialsList =
             invokeSafely(() -> HttpResourcesUtils.instance().readResource(securityCredentialsEndpoint));

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/Ec2MetadataConfigProvider.java

@@ -15,6 +15,7 @@
 
 package software.amazon.awssdk.auth.credentials.internal;
 
+import java.time.Duration;
 import java.util.Optional;
 import java.util.function.Supplier;
 import software.amazon.awssdk.annotations.SdkInternalApi;
@@ -24,6 +25,8 @@
 import software.amazon.awssdk.profiles.ProfileFile;
 import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
 import software.amazon.awssdk.profiles.ProfileProperty;
+import software.amazon.awssdk.utils.Lazy;
+import software.amazon.awssdk.utils.OptionalUtils;
 
 @SdkInternalApi
 // TODO: Remove or consolidate this class with the one from the regions module.
@@ -41,9 +44,14 @@ public final class Ec2MetadataConfigProvider {
     private final Supplier<ProfileFile> profileFile;
     private final String profileName;
 
+    private final Lazy<Boolean> metadataV1Disabled;
+    private final Lazy<Long> serviceTimeout;
+
     private Ec2MetadataConfigProvider(Builder builder) {
         this.profileFile = builder.profileFile;
         this.profileName = builder.profileName;
+        this.metadataV1Disabled = new Lazy<>(this::resolveMetadataV1Disabled);
+        this.serviceTimeout = new Lazy<>(this::resolveServiceTimeout);
     }
 
     public enum EndpointMode {
@@ -104,6 +112,84 @@ public String getEndpointOverride() {
         return configFileValue.orElse(null);
     }
 
+    /**
+     * Resolves whether EC2 Metadata V1 is disabled.
+     * @return true if EC2 Metadata V1 is disabled, false otherwise.
+     */
+    public boolean isMetadataV1Disabled() {
+        return metadataV1Disabled.getValue();
+    }
+
+    /**
+     * Resolves the EC2 Metadata Service Timeout in milliseconds.
+     * @return the timeout value in milliseconds.
+     */
+    public long serviceTimeout() {
+        return serviceTimeout.getValue();
+    }
+
+    // Internal resolution logic for Metadata V1 disabled
+    private boolean resolveMetadataV1Disabled() {
+        return OptionalUtils.firstPresent(
+                                fromSystemSettingsMetadataV1Disabled(),
+                                () -> fromProfileFileMetadataV1Disabled(profileFile, profileName)
+                            )
+                            .orElse(false);
+    }
+
+    // Internal resolution logic for Service Timeout
+    private long resolveServiceTimeout() {
+        return OptionalUtils.firstPresent(
+                                fromSystemSettingsServiceTimeout(),
+                                () -> fromProfileFileServiceTimeout(profileFile, profileName)
+                            )
+                            .orElseGet(() -> parseTimeoutValue(SdkSystemSetting.AWS_METADATA_SERVICE_TIMEOUT.defaultValue()));
+    }
+
+    // System settings resolution for Metadata V1 disabled
+    private static Optional<Boolean> fromSystemSettingsMetadataV1Disabled() {
+        return SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.getBooleanValue();
+    }
+
+    // Profile file resolution for Metadata V1 disabled
+    private static Optional<Boolean> fromProfileFileMetadataV1Disabled(Supplier<ProfileFile> profileFile, String profileName) {
+        return profileFile.get()
+                          .profile(profileName)
+                          .flatMap(p -> p.booleanProperty(ProfileProperty.EC2_METADATA_V1_DISABLED));
+    }
+
+    // System settings resolution for Service Timeout
+    private static Optional<Long> fromSystemSettingsServiceTimeout() {
+        return SdkSystemSetting.AWS_METADATA_SERVICE_TIMEOUT.getNonDefaultStringValue()
+                                                            .map(Ec2MetadataConfigProvider::parseTimeoutValue);
+    }
+
+    // Profile file resolution for Service Timeout
+    private static Optional<Long> fromProfileFileServiceTimeout(Supplier<ProfileFile> profileFile, String profileName) {
+        return profileFile.get()
+                          .profile(profileName)
+                          .flatMap(p -> p.property(ProfileProperty.METADATA_SERVICE_TIMEOUT))
+                          .map(Ec2MetadataConfigProvider::parseTimeoutValue);
+    }
+
+    // Parses a timeout value from a string to milliseconds
+    private static long parseTimeoutValue(String timeoutValue) {
+        try {
+            int timeoutSeconds = Integer.parseInt(timeoutValue);
+            return Duration.ofSeconds(timeoutSeconds).toMillis();
+        } catch (NumberFormatException e) {
+            try {
+                double timeoutSeconds = Double.parseDouble(timeoutValue);
+                return Math.round(timeoutSeconds * 1000);
+            } catch (NumberFormatException ignored) {
+                throw new IllegalStateException(String.format(
+                    "Timeout value '%s' is not a valid integer or double.",
+                    timeoutValue
+                ));
+            }
+        }
+    }
+
     public static Builder builder() {
         return new Builder();
     }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/Ec2MetadataDisableV1Resolver.java

@@ -17,8 +17,11 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.time.Duration;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
+import java.util.Optional;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
 import software.amazon.awssdk.utils.Validate;
@@ -27,14 +30,22 @@
 public final class StaticResourcesEndpointProvider implements ResourcesEndpointProvider {
     private final URI endpoint;
     private final Map<String, String> headers;
+    private final Duration connectionTimeout;
 
-    public StaticResourcesEndpointProvider(URI endpoint,
-                                           Map<String, String> additionalHeaders) {
+    private StaticResourcesEndpointProvider(URI endpoint,
+                                           Map<String, String> additionalHeaders,
+                                           Duration customTimeout) {
         this.endpoint = Validate.paramNotNull(endpoint, "endpoint");
         this.headers = ResourcesEndpointProvider.super.headers();
         if (additionalHeaders != null) {
             this.headers.putAll(additionalHeaders);
         }
+        this.connectionTimeout = customTimeout;
+    }
+
+    @Override
+    public Optional<Duration> connectionTimeout() {
+        return Optional.ofNullable(connectionTimeout);
     }
 
     @Override
@@ -46,4 +57,35 @@ public URI endpoint() throws IOException {
     public Map<String, String> headers() {
         return Collections.unmodifiableMap(headers);
     }
+
+    public static class Builder {
+        private URI endpoint;
+        private Map<String, String> additionalHeaders = new HashMap<>();
+        private Duration customTimeout;
+
+        public Builder endpoint(URI endpoint) {
+            this.endpoint = Validate.paramNotNull(endpoint, "endpoint");
+            return this;
+        }
+
+        public Builder headers(Map<String, String> headers) {
+            if (headers != null) {
+                this.additionalHeaders.putAll(headers);
+            }
+            return this;
+        }
+
+        public Builder connectionTimeout(Duration timeout) {
+            this.customTimeout = timeout;
+            return this;
+        }
+
+        public StaticResourcesEndpointProvider build() {
+            return new StaticResourcesEndpointProvider(endpoint, additionalHeaders, customTimeout);
+        }
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
 }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/StaticResourcesEndpointProvider.java

@@ -144,7 +144,8 @@ private void stubForErrorResponse() {
 
 
     private ResourcesEndpointProvider testEndpointProvider() {
-        return new StaticResourcesEndpointProvider(URI.create("http://localhost:" + mockServer.port() + CREDENTIALS_PATH),
-                                                   null);
+        return  StaticResourcesEndpointProvider.builder()
+                                               .endpoint(URI.create("http://localhost:" + mockServer.port() + CREDENTIALS_PATH))
+                                               .build();
     }
 }