aws
diff --git a/‎CHANGELOG.md‎
Lines changed: 0 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb‎
Lines changed: 8 additions & 102 deletions b/‎aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb‎
Lines changed: 8 additions & 102 deletions
diff --git a/‎aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb‎
Lines changed: 27 additions & 44 deletions b/‎aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb‎
Lines changed: 27 additions & 44 deletions
@@ -1,8 +1,6 @@
 Unreleased Changes
 ------------------
 
-* Feature = Aws::Core - Support EC2 IMDS updates.
-
 2.11.400 (2019-11-18)
 ------------------
 
 
@@ -11,15 +11,6 @@ class InstanceProfileCredentials
     # @api private
     class Non200Response < RuntimeError; end
 
-    # @api private
-    class TokenRetrivalError < RuntimeError; end
-
-    # @api private
-    class TokenExpiredError < RuntimeError; end
-
-    # @api private
-    class TokenRetrivalUnavailableError < RuntimeError; end
-
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -35,14 +26,6 @@ class TokenRetrivalUnavailableError < RuntimeError; end
       Non200Response,
     ]
 
-    # Path base for GET request for profile and credentials
-    # @api private
-    METADATA_PATH_BASE = '/latest/meta-data/iam/security-credentials/'
-
-    # Path for PUT request for token
-    # @api private
-    METADATA_TOKEN_PATH = '/latest/api/token'
-
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
@@ -57,8 +40,6 @@ class TokenRetrivalUnavailableError < RuntimeError; end
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
-    # @option options [Integer] :token_ttl (21600) Time-to-Live in seconds for
-    #   EC2 Metadata Token used for fetching Metadata Profile Credentials.
     def initialize options = {}
       @retries = options[:retries] || 5
       @ip_address = options[:ip_address] || '169.254.169.254'
@@ -67,13 +48,11 @@ def initialize options = {}
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
-      @token_ttl = options[:token_ttl] || 21600
       super
     end
 
-    # @return [Integer] Number of times to retry when retrieving credentials
-    #   from the instance metadata service. Defaults to 0 when resolving from
-    #   the default credential chain ({Aws::CredentialProviderChain}).
+    # @return [Integer] The number of times to retry failed attempts to
+    #   fetch credentials from the instance metadata service. Defaults to 0.
     attr_reader :retries
 
     private
@@ -114,11 +93,9 @@ def get_credentials
         begin
           retry_errors(NETWORK_ERRORS, max_retries: @retries) do
             open_connection do |conn|
-              _token_attempt(conn)
-              token_value = @token.value if token_set?
-              profile_name = http_get(conn, METADATA_PATH_BASE, token_value)
-                .lines.first.strip
-              http_get(conn, METADATA_PATH_BASE + profile_name, token_value)
+              path = '/latest/meta-data/iam/security-credentials/'
+              profile_name = http_get(conn, path).lines.first.strip
+              http_get(conn, path + profile_name)
             end
           end
         rescue
@@ -127,28 +104,6 @@ def get_credentials
       end
     end
 
-    def token_set?
-      @token && !@token.expired?
-    end
-
-    # attempt to fetch token with retries baked in
-    # would be skipped if token already set
-    def _token_attempt(conn)
-      begin
-        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-          unless token_set?
-            token_value, ttl = http_put(conn, METADATA_TOKEN_PATH, @token_ttl)
-            @token = Token.new(token_value, ttl) if token_value && ttl
-          end
-        end
-      rescue *NETWORK_ERRORS, TokenRetrivalUnavailableError
-        # token attempt failed with allowable errors (those indicating
-        # token retrieval not available on the instance), reset token to
-        # allow safe failover to non-token mode
-        @token = nil
-      end
-    end
-
     def _metadata_disabled?
       flag = ENV["AWS_EC2_METADATA_DISABLED"]
       !flag.nil? && flag.downcase == "true"
@@ -163,40 +118,10 @@ def open_connection
       yield(http).tap { http.finish }
     end
 
-    # GET request fetch profile and credentials
-    def http_get(connection, path, token=nil)
-      headers = {"User-Agent" => "aws-sdk-ruby2/#{VERSION}"}
-      headers["x-aws-ec2-metadata-token"] = token if token
-      response = connection.request(Net::HTTP::Get.new(path, headers))
-      case response.code.to_i
-      when 200
+    def http_get(connection, path)
+      response = connection.request(Net::HTTP::Get.new(path))
+      if response.code.to_i == 200
         response.body
-      when 401
-        raise TokenExpiredError
-      else
-        raise Non200Response
-      end
-    end
-
-    # PUT request fetch token with ttl
-    def http_put(connection, path, ttl)
-      headers = {
-        "User-Agent" => "aws-sdk-ruby2/#{VERSION}",
-        "x-aws-ec2-metadata-token-ttl-seconds" => ttl.to_s
-      }
-      response = connection.request(Net::HTTP::Put.new(path, headers))
-      case response.code.to_i
-      when 200
-        [
-          response.body,
-          response.header["x-aws-ec2-metadata-token-ttl-seconds"].to_i
-        ]
-      when 400
-        raise TokenRetrivalError
-      when 403
-      when 404
-      when 405
-        raise TokenRetrivalUnavailableError
       else
         raise Non200Response
       end
@@ -218,24 +143,5 @@ def retry_errors(error_classes, options = {}, &block)
       end
     end
 
-    # @api private
-    # Token used to fetch IMDS profile and credentials
-    class Token
-
-      def initialize(value, ttl)
-        @ttl = ttl
-        @value = value
-        @created_time = Time.now
-      end
-
-      # [String] token value
-      attr_reader :value
-
-      def expired?
-        Time.now - @created_time > @ttl
-      end
-
-    end
-
   end
 end
@@ -13,14 +13,6 @@ module Aws
         '..', 'fixtures', 'credentials', 'mock_shared_config'))
     }
 
-    let(:imds_url) {
-      'http://169.254.169.254/latest/meta-data/iam/security-credentials/'
-    }
-
-    let(:imds_token_url) {
-      'http://169.254.169.254/latest/api/token'
-    }
-
     describe "default behavior" do
       before(:each) do
         stub_const('ENV', {})
@@ -64,32 +56,28 @@ module Aws
           "AR_TOKEN"
         )
         client = Aws::S3::Client.new(profile: "ar_plus_creds", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("AR_AKID")
+        expect(client.config.credentials.access_key_id).to eq("AR_AKID")
       end
 
       it 'prefers shared credential file static credentials over shared config' do
         client = Aws::S3::Client.new(profile: "credentials_first", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("ACCESS_KEY_CRD")
+        expect(client.config.credentials.access_key_id).to eq("ACCESS_KEY_CRD")
       end
 
       it 'will source static credentials from shared config after shared credentials' do
         client = Aws::S3::Client.new(profile: "incomplete_cred", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("ACCESS_KEY_SC1")
+        expect(client.config.credentials.access_key_id).to eq("ACCESS_KEY_SC1")
       end
 
       it 'attempts to fetch metadata credentials last' do
-        stub_request(:put, imds_token_url)
-          .to_return(
-            :status => 200,
-            :body => "my-token\n",
-            :headers => {"x-aws-ec2-metadata-token-ttl-seconds": "21600"}
-          )
-        stub_request(:get, imds_url)
-          .with(:headers => {"x-aws-ec2-metadata-token": "my-token"})
-          .to_return(:status => 200, :body => "profile-name\n")
-        stub_request(:get, "#{imds_url}profile-name")
-          .with(:headers => {"x-aws-ec2-metadata-token": "my-token"})
-          .to_return(:status => 200, :body => <<-JSON.strip)
+        stub_request(
+          :get,
+          "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+        ).to_return(:status => 200, :body => "profile-name\n")
+        stub_request(
+          :get,
+          "http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name"
+        ).to_return(:status => 200, :body => <<-JSON.strip)
 {
   "Code" : "Success",
   "LastUpdated" : "2013-11-22T20:03:48Z",
@@ -101,11 +89,11 @@ module Aws
 }
 JSON
         client = Aws::S3::Client.new(profile: "nonexistant", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("akid-md")
+        expect(client.config.credentials.access_key_id).to eq("akid-md")
       end
 
       describe 'Assume Role Resolution' do
-        it 'will not assume a role without a source present' do
+        it 'will not assume a role without source_profile present' do
           expect {
             Aws::S3::Client.new(profile: "ar_no_src", region: "us-east-1")
           }.to raise_error(Errors::NoSourceProfileError)
@@ -126,7 +114,7 @@ module Aws
             "AR_TOKEN"
           )
           client = Aws::S3::Client.new(profile: "assumerole_sc", region: "us-east-1")
-          expect(client.config.credentials.credentials.access_key_id).to eq("AR_AKID")
+          expect(client.config.credentials.access_key_id).to eq("AR_AKID")
         end
 
         it 'will then try to assume a role from shared config' do
@@ -138,7 +126,7 @@ module Aws
             "AR_TOKEN"
           )
           client = Aws::S3::Client.new(profile: "ar_from_self", region: "us-east-1")
-          expect(client.config.credentials.credentials.access_key_id).to eq("AR_AKID")
+          expect(client.config.credentials.access_key_id).to eq("AR_AKID")
         end
 
         it 'will assume a role from config using source credentials in shared credentials' do
@@ -150,10 +138,9 @@ module Aws
             "AR_TOKEN"
           )
           client = Aws::S3::Client.new(profile: "creds_from_sc", region: "us-east-1")
-          expect(client.config.credentials.credentials.access_key_id).to eq("AR_AKID")
+          expect(client.config.credentials.access_key_id).to eq("AR_AKID")
         end
       end
-
     end
 
     describe "AWS_SDK_CONFIG_OPT_OUT set" do
@@ -178,7 +165,7 @@ module Aws
           profile: "fooprofile",
           region: "us-east-1"
         )
-        expect(client.config.credentials.credentials.access_key_id).to eq("ACCESS_DIRECT")
+        expect(client.config.credentials.access_key_id).to eq("ACCESS_DIRECT")
       end
 
       it 'prefers ENV credentials over shared config' do
@@ -187,7 +174,7 @@ module Aws
           "AWS_SECRET_ACCESS_KEY" => "SECRET_ENV_STUB"
         })
         client = Aws::S3::Client.new(profile: "fooprofile", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("AKID_ENV_STUB")
+        expect(client.config.credentials.access_key_id).to eq("AKID_ENV_STUB")
       end
 
       it 'will not load credentials from shared config' do
@@ -201,18 +188,14 @@ module Aws
       end
 
       it 'attempts to fetch metadata credentials last' do
-        stub_request(:put, imds_token_url)
-          .to_return(
-            :status => 200,
-            :body => "my-token\n",
-            :headers => {"x-aws-ec2-metadata-token-ttl-seconds": "21600"}
-          )
-        stub_request(:get, imds_url)
-          .with(:headers => {"x-aws-ec2-metadata-token": "my-token"})
-          .to_return(:status => 200, :body => "profile-name\n")
-        stub_request(:get, "#{imds_url}profile-name")
-          .with(:headers => {"x-aws-ec2-metadata-token": "my-token"})
-          .to_return(:status => 200, :body => <<-JSON.strip)
+        stub_request(
+          :get,
+          "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+        ).to_return(:status => 200, :body => "profile-name\n")
+        stub_request(
+          :get,
+          "http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name"
+        ).to_return(:status => 200, :body => <<-JSON.strip)
 {
   "Code" : "Success",
   "LastUpdated" : "2013-11-22T20:03:48Z",
@@ -224,7 +207,7 @@ module Aws
 }
 JSON
         client = Aws::S3::Client.new(profile: "nonexistant", region: "us-east-1")
-        expect(client.config.credentials.credentials.access_key_id).to eq("akid-md")
+        expect(client.config.credentials.access_key_id).to eq("akid-md")
       end
     end