fix: add trailing slash to endpoint and disable proxying of requests to IMDS (#1320)

Author: lauzadis

.changes/16007c74-7831-42d2-8a3b-01e4868da600.json

@@ -0,0 +1,8 @@
+{
+    "id": "16007c74-7831-42d2-8a3b-01e4868da600",
+    "type": "bugfix",
+    "description": "Disable proxying of requests made to EC2 IMDS",
+    "issues": [
+        "https://github.com/awslabs/aws-sdk-kotlin/issues/1315"
+    ]
+}

.changes/8248143a-7a11-46c0-a44d-7bbeabe34c82.json

@@ -0,0 +1,8 @@
+{
+    "id": "8248143a-7a11-46c0-a44d-7bbeabe34c82",
+    "type": "misc",
+    "description": "Add trailing slash to base IMDS endpoint",
+    "issues": [
+        "https://github.com/awslabs/aws-sdk-kotlin/issues/1303"
+    ]
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ImdsCredentialsProvider.kt

@@ -30,7 +30,7 @@ import kotlinx.coroutines.sync.withLock
 import kotlin.coroutines.coroutineContext
 import kotlin.time.Duration.Companion.seconds
 
-private const val CREDENTIALS_BASE_PATH: String = "/latest/meta-data/iam/security-credentials"
+private const val CREDENTIALS_BASE_PATH: String = "/latest/meta-data/iam/security-credentials/"
 private const val CODE_ASSUME_ROLE_UNAUTHORIZED_ACCESS: String = "AssumeRoleUnauthorizedAccess"
 private const val PROVIDER_NAME = "IMDSv2"
 
@@ -43,7 +43,7 @@ private const val PROVIDER_NAME = "IMDSv2"
  * information.
  *
  * @param profileOverride override the instance profile name. When retrieving credentials, a call must first be made to
- * `<IMDS_BASE_URL>/latest/meta-data/iam/security-credentials`. This returns the instance profile used. If
+ * `<IMDS_BASE_URL>/latest/meta-data/iam/security-credentials/`. This returns the instance profile used. If
  * [profileOverride] is set, the initial call to retrieve the profile is skipped and the provided value is used instead.
  * @param client the IMDS client to use to resolve credentials information with. This provider takes ownership over
  * the lifetime of the given [ImdsClient] and will close it when the provider is closed.

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsClient.kt

@@ -16,6 +16,7 @@ import aws.smithy.kotlin.runtime.http.*
 import aws.smithy.kotlin.runtime.http.HttpCall
 import aws.smithy.kotlin.runtime.http.engine.DefaultHttpEngine
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
+import aws.smithy.kotlin.runtime.http.engine.ProxySelector
 import aws.smithy.kotlin.runtime.http.operation.*
 import aws.smithy.kotlin.runtime.io.Closeable
 import aws.smithy.kotlin.runtime.io.closeIfCloseable
@@ -72,6 +73,9 @@ public class ImdsClient private constructor(builder: Builder) : InstanceMetadata
         engine = builder.engine ?: DefaultHttpEngine {
             connectTimeout = 1.seconds
             socketReadTimeout = 1.seconds
+
+            // don't proxy IMDS requests. https://github.com/awslabs/aws-sdk-kotlin/issues/1315
+            proxySelector = ProxySelector.NoProxy
         }
 
         httpClient = SdkHttpClient(engine)
@@ -114,7 +118,7 @@ public class ImdsClient private constructor(builder: Builder) : InstanceMetadata
                         val payload = response.body.readAll() ?: throw EC2MetadataError(response.status.value, "no metadata payload")
                         return payload.decodeToString()
                     } else {
-                        throw EC2MetadataError(response.status.value, "error retrieving instance metadata")
+                        throw EC2MetadataError(response.status.value, "error retrieving instance metadata: ${response.status.description}")
                     }
                 }
             }

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/ImdsCredentialsProviderTest.kt

@@ -59,7 +59,7 @@ class ImdsCredentialsProviderTest {
                 tokenResponse(DEFAULT_TOKEN_TTL_SECONDS, "TOKEN_A"),
             )
             expect(
-                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials", "TOKEN_A"),
+                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials/", "TOKEN_A"),
                 imdsResponse("imds-test-role"),
             )
             expect(
@@ -84,7 +84,7 @@ class ImdsCredentialsProviderTest {
 
             // verify that profile is re-retrieved after credentials expiration
             expect(
-                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials", "TOKEN_A"),
+                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials/", "TOKEN_A"),
                 imdsResponse("imds-test-role-2"),
             )
             expect(
@@ -235,7 +235,7 @@ class ImdsCredentialsProviderTest {
                 tokenResponse(DEFAULT_TOKEN_TTL_SECONDS, "TOKEN_A"),
             )
             expect(
-                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials", "TOKEN_A"),
+                imdsRequest("http://169.254.169.254/latest/meta-data/iam/security-credentials/", "TOKEN_A"),
                 HttpResponse(
                     HttpStatusCode.NotFound,
                     Headers.Empty,