addressing PR feedback:

* close auto-created ImdsClient in default creds chain
* adding support for profile settings
* removing println calls leftover from debug
* rename resolveUnderLock to resolveSingleFlight
* add FIXME for static stability messaging/caching in
  CachedCredentialsProvider
* re-adding removed/broken members for API compatibility

Author: ianbotsf

aws-runtime/aws-config/api/aws-config.api

@@ -82,6 +82,9 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/ImdsCredentialsProvid
 	public fun <init> (Ljava/lang/String;Lkotlin/Lazy;Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;Laws/smithy/kotlin/runtime/time/Clock;)V
 	public synthetic fun <init> (Ljava/lang/String;Lkotlin/Lazy;Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;Laws/smithy/kotlin/runtime/time/Clock;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public fun close ()V
+	public final fun getClient ()Lkotlin/Lazy;
+	public final fun getPlatformProvider ()Laws/smithy/kotlin/runtime/util/PlatformEnvironProvider;
+	public final fun getProfileOverride ()Ljava/lang/String;
 	public fun resolve (Laws/smithy/kotlin/runtime/collections/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public fun toString ()Ljava/lang/String;
 }
@@ -324,8 +327,10 @@ public final class aws/sdk/kotlin/runtime/config/endpoints/ResolversKt {
 }
 
 public final class aws/sdk/kotlin/runtime/config/imds/EC2MetadataError : aws/sdk/kotlin/runtime/AwsServiceException {
+	public fun <init> (ILjava/lang/String;)V
 	public fun <init> (Laws/smithy/kotlin/runtime/http/HttpStatusCode;Ljava/lang/String;)V
-	public final fun getStatusCode ()Laws/smithy/kotlin/runtime/http/HttpStatusCode;
+	public final fun getStatus ()Laws/smithy/kotlin/runtime/http/HttpStatusCode;
+	public final fun getStatusCode ()I
 }
 
 public abstract class aws/sdk/kotlin/runtime/config/imds/EndpointConfiguration {
@@ -394,6 +399,13 @@ public final class aws/sdk/kotlin/runtime/config/imds/ImdsClient$Companion {
 	public final fun invoke (Lkotlin/jvm/functions/Function1;)Laws/sdk/kotlin/runtime/config/imds/ImdsClient;
 }
 
+public final class aws/sdk/kotlin/runtime/config/imds/ImdsResolversKt {
+	public static final fun resolveDisableEc2Metadata (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static synthetic fun resolveDisableEc2Metadata$default (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
+	public static final fun resolveEc2InstanceProfileName (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static synthetic fun resolveEc2InstanceProfileName$default (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
+}
+
 public abstract interface class aws/sdk/kotlin/runtime/config/imds/InstanceMetadataProvider : java/io/Closeable {
 	public abstract fun get (Ljava/lang/String;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 }
@@ -494,6 +506,8 @@ public final class aws/sdk/kotlin/runtime/config/profile/AwsProfileKt {
 	public static synthetic fun getBooleanOrNull$default (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;Ljava/lang/String;Ljava/lang/String;ILjava/lang/Object;)Ljava/lang/Boolean;
 	public static final fun getCredentialProcess (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;
 	public static final fun getDisableRequestCompression (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/Boolean;
+	public static final fun getEc2InstanceProfileName (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/String;
+	public static final fun getEc2MetadataDisabled (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/Boolean;
 	public static final fun getEndpointUrl (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Laws/smithy/kotlin/runtime/net/url/Url;
 	public static final fun getIgnoreEndpointUrls (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;)Ljava/lang/Boolean;
 	public static final fun getIntOrNull (Laws/sdk/kotlin/runtime/config/profile/ConfigSection;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/Integer;

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/DefaultChainCredentialsProvider.kt

@@ -51,6 +51,11 @@ public class DefaultChainCredentialsProvider(
     private val manageEngine = httpClient == null
     private val engine = httpClient ?: DefaultHttpEngine()
 
+    private val imdsClient = ImdsClient {
+        platformProvider = this@DefaultChainCredentialsProvider.platformProvider
+        engine = this@DefaultChainCredentialsProvider.engine
+    }
+
     private val chain = CredentialsProviderChain(
         SystemPropertyCredentialsProvider(platformProvider::getProperty),
         EnvironmentCredentialsProvider(platformProvider::getenv),
@@ -59,10 +64,7 @@ public class DefaultChainCredentialsProvider(
         ProfileCredentialsProvider(profileName = profileName, platformProvider = platformProvider, httpClient = engine, region = region),
         EcsCredentialsProvider(platformProvider, engine),
         ImdsCredentialsProvider(
-            client = ImdsClient {
-                platformProvider = this@DefaultChainCredentialsProvider.platformProvider
-                engine = this@DefaultChainCredentialsProvider.engine
-            },
+            client = imdsClient,
             platformProvider = platformProvider,
         ),
     )
@@ -73,6 +75,7 @@ public class DefaultChainCredentialsProvider(
 
     override fun close() {
         provider.close()
+        imdsClient.close()
         if (manageEngine) {
             engine.closeIfCloseable()
         }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ImdsCredentialsProvider.kt

@@ -6,15 +6,11 @@
 package aws.sdk.kotlin.runtime.auth.credentials
 
 import aws.sdk.kotlin.runtime.auth.credentials.internal.credentials
-import aws.sdk.kotlin.runtime.config.AwsSdkSetting
-import aws.sdk.kotlin.runtime.config.imds.EC2MetadataError
-import aws.sdk.kotlin.runtime.config.imds.ImdsClient
-import aws.sdk.kotlin.runtime.config.imds.InstanceMetadataProvider
+import aws.sdk.kotlin.runtime.config.imds.*
 import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
 import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.withBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.collections.Attributes
-import aws.smithy.kotlin.runtime.config.resolve
 import aws.smithy.kotlin.runtime.http.HttpStatusCode
 import aws.smithy.kotlin.runtime.io.IOException
 import aws.smithy.kotlin.runtime.serde.json.JsonDeserializer
@@ -23,6 +19,7 @@ import aws.smithy.kotlin.runtime.time.Clock
 import aws.smithy.kotlin.runtime.util.PlatformEnvironProvider
 import aws.smithy.kotlin.runtime.util.PlatformProvider
 import aws.smithy.kotlin.runtime.util.SingleFlightGroup
+import aws.smithy.kotlin.runtime.util.asyncLazy
 import kotlin.coroutines.coroutineContext
 
 private const val CODE_ASSUME_ROLE_UNAUTHORIZED_ACCESS: String = "AssumeRoleUnauthorizedAccess"
@@ -43,7 +40,7 @@ private const val PROVIDER_NAME = "IMDSv2"
 public class ImdsCredentialsProvider(
     instanceProfileName: String? = null,
     client: InstanceMetadataProvider? = null,
-    private val platformProvider: PlatformProvider = PlatformProvider.System,
+    platformProvider: PlatformProvider = PlatformProvider.System,
 ) : CloseableCredentialsProvider {
 
     @Deprecated("This constructor supports parameters which are no longer used in the implementation. It will be removed in version 1.5.")
@@ -52,20 +49,37 @@ public class ImdsCredentialsProvider(
         client: Lazy<InstanceMetadataProvider> = lazy { ImdsClient() },
         platformProvider: PlatformEnvironProvider = PlatformProvider.System,
         @Suppress("UNUSED_PARAMETER") clock: Clock = Clock.System,
-    ) : this(profileOverride, client.value, platformProvider = platformProvider as? PlatformProvider ?: PlatformProvider.System)
+    ) : this(
+        profileOverride,
+        client.value,
+        platformProvider = platformProvider as? PlatformProvider ?: PlatformProvider.System,
+    )
+
+    private val actualPlatformProvider = platformProvider
+
+    @Deprecated("This property is retained for backwards compatibility but no longer needs to be public and will be removed in version 1.5.")
+    public val platformProvider: PlatformEnvironProvider = actualPlatformProvider
 
     private val manageClient: Boolean = client == null
 
-    private val client: InstanceMetadataProvider = client ?: ImdsClient {
-        this.platformProvider = this@ImdsCredentialsProvider.platformProvider
+    private val actualClient = client ?: ImdsClient {
+        this.platformProvider = actualPlatformProvider
     }
 
-    // FIXME This only resolves from env vars and sys props but we need to resolve from profiles too
-    private val instanceProfileName = instanceProfileName
-        ?: AwsSdkSetting.AwsEc2InstanceProfileName.resolve(platformProvider)
+    @Deprecated("This property is retained for backwards compatibility but no longer needs to be public and will be removed in version 1.5.")
+    public val client: Lazy<InstanceMetadataProvider>
+        get() = lazyOf(actualClient)
+
+    private val instanceProfileName = asyncLazy {
+        instanceProfileName ?: resolveEc2InstanceProfileName(platformProvider)
+    }
 
-    // FIXME This only resolves from env vars and sys props but we need to resolve from profiles too
-    private val providerDisabled = AwsSdkSetting.AwsEc2MetadataDisabled.resolve(platformProvider) == true
+    @Deprecated("This property is retained for backwards compatibility but no longer needs to be public and will be removed in version 1.5.")
+    public val profileOverride: String? = instanceProfileName
+
+    private val providerDisabled = asyncLazy {
+        resolveDisableEc2Metadata(platformProvider) ?: false
+    }
 
     /**
      * Tracks the known-good version of IMDS APIs available in the local environment. This starts as `null` and will be
@@ -89,33 +103,29 @@ public class ImdsCredentialsProvider(
      */
     private val sfg = SingleFlightGroup<Credentials>()
 
-    override suspend fun resolve(attributes: Attributes): Credentials = sfg.singleFlight { resolveUnderLock() }
-
-    private suspend fun resolveUnderLock(): Credentials {
-        println("**** Resolving creds (instanceProfileName=$instanceProfileName; apiVersion=$apiVersion; urlBase=$urlBase)")
+    override suspend fun resolve(attributes: Attributes): Credentials = sfg.singleFlight(::resolveSingleFlight)
 
-        if (providerDisabled) {
-            println("**** Explicitly disabled")
+    private suspend fun resolveSingleFlight(): Credentials {
+        if (providerDisabled.get()) {
             throw CredentialsNotLoadedException("AWS EC2 metadata is explicitly disabled; credentials not loaded")
         }
 
-        val profileName = instanceProfileName ?: resolvedProfileName ?: try {
-            println("**** Resolving profile")
-            client.get(urlBase).also {
+        val profileName = instanceProfileName.get() ?: resolvedProfileName ?: try {
+            actualClient.get(urlBase).also {
                 if (apiVersion == null) {
                     // Tried EXTENDED and it worked; remember that for the future
                     apiVersion = ApiVersion.EXTENDED
                 }
             }
         } catch (ex: EC2MetadataError) {
             when {
-                apiVersion == null && ex.statusCode == HttpStatusCode.NotFound -> {
+                apiVersion == null && ex.status == HttpStatusCode.NotFound -> {
                     // Tried EXTENDED and that didn't work; fallback to LEGACY
                     apiVersion = ApiVersion.LEGACY
-                    return resolveUnderLock()
+                    return resolveSingleFlight()
                 }
 
-                ex.statusCode == HttpStatusCode.NotFound -> {
+                ex.status == HttpStatusCode.NotFound -> {
                     coroutineContext.info<ImdsCredentialsProvider> {
                         "Received 404 when loading profile name. This instance may not have an associated profile."
                     }
@@ -132,19 +142,19 @@ public class ImdsCredentialsProvider(
         }
 
         val credsPayload = try {
-            client.get("$urlBase$profileName")
+            actualClient.get("$urlBase$profileName")
         } catch (ex: EC2MetadataError) {
             when {
-                apiVersion == null && ex.statusCode == HttpStatusCode.NotFound -> {
+                apiVersion == null && ex.status == HttpStatusCode.NotFound -> {
                     // Tried EXTENDED and that didn't work; fallback to LEGACY
                     apiVersion = ApiVersion.LEGACY
-                    return resolveUnderLock()
+                    return resolveSingleFlight()
                 }
 
-                instanceProfileName == null && ex.statusCode == HttpStatusCode.NotFound -> {
+                instanceProfileName.get() == null && ex.status == HttpStatusCode.NotFound -> {
                     // A previously-resolved profile is now invalid; forget the resolved name and re-resolve
                     resolvedProfileName = null
-                    return resolveUnderLock()
+                    return resolveSingleFlight()
                 }
 
                 else -> return usePreviousCredentials()
@@ -157,7 +167,7 @@ public class ImdsCredentialsProvider(
             throw ImdsCredentialsException(profileName, ex).wrapAsCredentialsProviderException()
         }
 
-        if (instanceProfileName == null) {
+        if (instanceProfileName.get() == null) {
             // No profile name was provided at construction time; cache the resolved name
             resolvedProfileName = profileName
         }
@@ -186,7 +196,7 @@ public class ImdsCredentialsProvider(
 
     override fun close() {
         if (manageClient) {
-            client.close()
+            actualClient.close()
         }
     }
 

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsClient.kt

@@ -228,7 +228,13 @@ public enum class EndpointMode(internal val defaultEndpoint: Endpoint) {
 
 /**
  * Exception thrown when an error occurs retrieving metadata from IMDS
- * @param statusCode The HTTP status code of the response
+ * @param status The HTTP status code of the response
  * @param message The error message
  */
-public class EC2MetadataError(public val statusCode: HttpStatusCode, message: String) : AwsServiceException(message)
+public class EC2MetadataError(public val status: HttpStatusCode, message: String) : AwsServiceException(message) {
+    @Deprecated("This constructor passes HTTP status as an Int instead of as HttpStatusCode")
+    public constructor(statusCode: Int, message: String) : this(HttpStatusCode.fromValue(statusCode), message)
+
+    @Deprecated("This property is now deprecated and should be fetched from status.value")
+    public val statusCode: Int = status.value
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsResolvers.kt

@@ -0,0 +1,29 @@
+package aws.sdk.kotlin.runtime.config.imds
+
+import aws.sdk.kotlin.runtime.InternalSdkApi
+import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.config.profile.AwsProfile
+import aws.sdk.kotlin.runtime.config.profile.ec2InstanceProfileName
+import aws.sdk.kotlin.runtime.config.profile.ec2MetadataDisabled
+import aws.sdk.kotlin.runtime.config.profile.loadAwsSharedConfig
+import aws.smithy.kotlin.runtime.config.resolve
+import aws.smithy.kotlin.runtime.util.LazyAsyncValue
+import aws.smithy.kotlin.runtime.util.PlatformProvider
+import aws.smithy.kotlin.runtime.util.asyncLazy
+
+/**
+ * Attempts to resolve a named EC2 instance profile to use which allows bypassing auto-discovery
+ */
+@InternalSdkApi
+public suspend fun resolveEc2InstanceProfileName(
+    provider: PlatformProvider = PlatformProvider.System,
+    profile: LazyAsyncValue<AwsProfile> = asyncLazy { loadAwsSharedConfig(provider).activeProfile },
+): String? = AwsSdkSetting.AwsEc2InstanceProfileName.resolve(provider) ?: profile.get().ec2InstanceProfileName
+
+/**
+ * Attempts to resolve the flag which disables the use of IMDS for credentials
+ */
+public suspend fun resolveDisableEc2Metadata(
+    provider: PlatformProvider = PlatformProvider.System,
+    profile: LazyAsyncValue<AwsProfile> = asyncLazy { loadAwsSharedConfig(provider).activeProfile },
+): Boolean? = AwsSdkSetting.AwsEc2MetadataDisabled.resolve(provider) ?: profile.get().ec2MetadataDisabled

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/imds/ImdsRetryPolicy.kt

@@ -23,7 +23,7 @@ internal class ImdsRetryPolicy(
 
     private fun evaluate(throwable: Throwable): RetryDirective = when (throwable) {
         is EC2MetadataError -> {
-            val status = throwable.statusCode
+            val status = throwable.status
             when {
                 status.category() == HttpStatusCode.Category.SERVER_ERROR -> RetryDirective.RetryError(RetryErrorType.ServerSide)
                 // 401 indicates the token has expired, this is retryable

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/config/profile/AwsProfile.kt

@@ -169,6 +169,20 @@ public val AwsProfile.requestChecksumCalculation: RequestHttpChecksumConfig?
 public val AwsProfile.responseChecksumValidation: ResponseHttpChecksumConfig?
     get() = getEnumOrNull<ResponseHttpChecksumConfig>("response_checksum_validation")
 
+/**
+ * Specifies a named EC2 instance profile to use which allows bypassing auto-discovery
+ */
+@InternalSdkApi
+public val AwsProfile.ec2InstanceProfileName: String?
+    get() = getOrNull("ec2_instance_profile_name")
+
+/**
+ * The flag which disables the use of IMDS for credentials
+ */
+@InternalSdkApi
+public val AwsProfile.ec2MetadataDisabled: Boolean?
+    get() = getBooleanOrNull("disable_ec2_metadata")
+
 /**
  * Parse a config value as a boolean, ignoring case.
  */

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/config/imds/ImdsClientTest.kt

@@ -203,7 +203,7 @@ class ImdsClientTest {
             client.get("/latest/metadata")
         }
 
-        assertEquals(HttpStatusCode.Forbidden, ex.statusCode)
+        assertEquals(HttpStatusCode.Forbidden, ex.status)
         connection.assertRequests()
     }
 

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/util/VerifyingInstanceMetadataProvider.kt

@@ -12,7 +12,6 @@ class VerifyingInstanceMetadataProvider(expectations: List<Pair<String, () -> St
 
     override suspend fun get(path: String): String {
         val trimmedPath = path.trimEnd('/') // remove trailing slashes to simplify testing
-        println("**** IMDS: $trimmedPath")
         val next = assertNotNull(expectations.removeFirstOrNull(), "Call to \"$trimmedPath\" was unexpected!")
         val (expectedPath, result) = next
         assertEquals(trimmedPath, expectedPath, "Expected call to \"$expectedPath\" but got \"$trimmedPath\" instead!")