Add support for the profile key credential_source (#2968)

Author: abrooksv

.changes/next-release/feature-9f214357-c223-4a3d-b7bb-6f4f28b488f6.json

@@ -0,0 +1,4 @@
+{
+  "type" : "feature",
+  "description" : "Added support for AWS profiles that use the `credential_source` key"
+}

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/CredentialSourceType.kt

@@ -0,0 +1,21 @@
+// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.profiles
+
+enum class CredentialSourceType {
+    EC2_INSTANCE_METADATA, ECS_CONTAINER, ENVIRONMENT;
+
+    companion object {
+        fun parse(value: String): CredentialSourceType {
+            if (value.equals("Ec2InstanceMetadata", ignoreCase = true)) {
+                return EC2_INSTANCE_METADATA
+            } else if (value.equals("EcsContainer", ignoreCase = true)) {
+                return ECS_CONTAINER
+            } else if (value.equals("Environment", ignoreCase = true)) {
+                return ENVIRONMENT
+            }
+            throw IllegalArgumentException("'$value' is not a valid credential_source")
+        }
+    }
+}

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/Ec2MetadataConfigProvider.kt

@@ -0,0 +1,63 @@
+// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.profiles
+
+import software.amazon.awssdk.core.SdkSystemSetting
+import software.amazon.awssdk.profiles.Profile
+import software.amazon.awssdk.profiles.ProfileProperty
+
+/**
+ * Retrieves the EC2 metadata endpoint based on profile file, env var, and Java system properties
+ *
+ * https://github.com/aws/aws-sdk-java-v2/blob/5fb447594313ab1ab9b9c0ead0ed7cb906b06e93/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/internal/Ec2MetadataConfigProviderEndpointResolutionTest.java
+ */
+object Ec2MetadataConfigProvider {
+    /**
+     * Default IPv4 endpoint for the Amazon EC2 Instance Metadata Service.
+     */
+    private const val EC2_METADATA_SERVICE_URL_IPV4 = "http://169.254.169.254"
+
+    /**
+     * Default IPv6 endpoint for the Amazon EC2 Instance Metadata Service.
+     */
+    private const val EC2_METADATA_SERVICE_URL_IPV6 = "http://[fd00:ec2::254]"
+
+    private enum class EndpointMode {
+        IPV4, IPV6;
+
+        companion object {
+            fun fromValue(s: String?): EndpointMode = s?.let { _ ->
+                values().find { it.name.equals(s, ignoreCase = true) }
+            } ?: throw IllegalArgumentException("Unrecognized value for endpoint mode: '$s'")
+        }
+    }
+
+    fun Profile.getEc2MedataEndpoint(): String = this.getEndpointOverride() ?: when (this.getEndpointMode()) {
+        EndpointMode.IPV4 -> EC2_METADATA_SERVICE_URL_IPV4
+        EndpointMode.IPV6 -> EC2_METADATA_SERVICE_URL_IPV6
+    }
+
+    private fun Profile.getEndpointMode(): EndpointMode {
+        val endpointMode = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.nonDefaultStringValue
+        val endpointModeString = if (endpointMode.isPresent) {
+            endpointMode.get()
+        } else {
+            configFileEndpointMode(this) ?: SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.defaultValue()
+        }
+        return EndpointMode.fromValue(endpointModeString)
+    }
+
+    private fun Profile.getEndpointOverride(): String? {
+        val endpointOverride = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.nonDefaultStringValue
+        return if (endpointOverride.isPresent) {
+            endpointOverride.get()
+        } else {
+            configFileEndpointOverride(this)
+        }
+    }
+
+    private fun configFileEndpointMode(profile: Profile): String? = profile.property(ProfileProperty.EC2_METADATA_SERVICE_ENDPOINT_MODE).orElse(null)
+
+    private fun configFileEndpointOverride(profile: Profile): String? = profile.property(ProfileProperty.EC2_METADATA_SERVICE_ENDPOINT).orElse(null)
+}

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileAssumeRoleProvider.kt

@@ -3,6 +3,7 @@
 
 package software.aws.toolkits.jetbrains.core.credentials.profiles
 
+import org.jetbrains.annotations.TestOnly
 import software.amazon.awssdk.auth.credentials.AwsCredentials
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
 import software.amazon.awssdk.profiles.Profile
@@ -17,7 +18,7 @@ import software.aws.toolkits.jetbrains.core.AwsClientManager
 import software.aws.toolkits.jetbrains.core.credentials.promptForMfaToken
 import java.util.function.Supplier
 
-class ProfileAssumeRoleProvider(private val parentProvider: AwsCredentialsProvider, region: AwsRegion, profile: Profile) :
+class ProfileAssumeRoleProvider(@get:TestOnly internal val parentProvider: AwsCredentialsProvider, region: AwsRegion, profile: Profile) :
     AwsCredentialsProvider, SdkAutoCloseable {
     private val stsClient: StsClient
     private val credentialsProvider: StsAssumeRoleCredentialsProvider
@@ -31,7 +32,7 @@ class ProfileAssumeRoleProvider(private val parentProvider: AwsCredentialsProvid
         // https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-duration_seconds.html
         val durationSecs = profile.property(ProfileProperty.DURATION_SECONDS).map { it.toIntOrNull() }.orElse(null) ?: 3600
 
-        stsClient = AwsClientManager.getInstance().createUnmanagedClient(parentProvider, Region.of(region.id),)
+        stsClient = AwsClientManager.getInstance().createUnmanagedClient(parentProvider, Region.of(region.id))
 
         credentialsProvider = StsAssumeRoleCredentialsProvider.builder()
             .stsClient(stsClient)

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileCredentialProviderFactory.kt

@@ -8,8 +8,13 @@ import com.intellij.openapi.actionSystem.AnActionEvent
 import com.intellij.openapi.project.DumbAwareAction
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials
+import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider
+import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider
+import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
+import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider
 import software.amazon.awssdk.profiles.Profile
 import software.amazon.awssdk.profiles.ProfileProperty
 import software.aws.toolkits.core.credentials.CredentialIdentifier
@@ -24,6 +29,7 @@ import software.aws.toolkits.jetbrains.core.credentials.MfaRequiredInteractiveCr
 import software.aws.toolkits.jetbrains.core.credentials.SsoRequiredInteractiveCredentials
 import software.aws.toolkits.jetbrains.core.credentials.ToolkitCredentialProcessProvider
 import software.aws.toolkits.jetbrains.core.credentials.diskCache
+import software.aws.toolkits.jetbrains.core.credentials.profiles.Ec2MetadataConfigProvider.getEc2MedataEndpoint
 import software.aws.toolkits.jetbrains.core.credentials.sso.SsoCache
 import software.aws.toolkits.jetbrains.settings.AwsSettings
 import software.aws.toolkits.jetbrains.settings.ProfilesNotification
@@ -172,7 +178,7 @@ class ProfileCredentialProviderFactory(private val ssoCache: SsoCache = diskCach
 
         // Some profiles failed to load
         if (newProfiles.invalidProfiles.isNotEmpty()) {
-            val message = newProfiles.invalidProfiles.values.joinToString("\n") { it.message ?: it::class.java.name }
+            val message = newProfiles.invalidProfiles.values.joinToString("\n")
 
             val errorDialogTitle = message("credentials.profile.failed_load")
             val numErrorMessage = message("credentials.profile.refresh_errors", newProfiles.invalidProfiles.size)
@@ -215,14 +221,42 @@ class ProfileCredentialProviderFactory(private val ssoCache: SsoCache = diskCach
     private fun createSsoProvider(profile: Profile): AwsCredentialsProvider = ProfileSsoProvider(profile)
 
     private fun createAssumeRoleProvider(profile: Profile, region: AwsRegion): AwsCredentialsProvider {
-        val sourceProfileName = profile.requiredProperty(ProfileProperty.SOURCE_PROFILE)
-        val sourceProfile = profileHolder.getProfile(sourceProfileName)
-            ?: throw IllegalStateException("Profile $sourceProfileName looks to have been removed")
-        val parentCredentialProvider = createAwsCredentialProvider(sourceProfile, region)
+        val sourceProfileName = profile.property(ProfileProperty.SOURCE_PROFILE)
+        val credentialSource = profile.property(ProfileProperty.CREDENTIAL_SOURCE)
+
+        val parentCredentialProvider = when {
+            sourceProfileName.isPresent -> {
+                val sourceProfile = profileHolder.getProfile(sourceProfileName.get())
+                    ?: throw IllegalStateException("Profile $sourceProfileName looks to have been removed")
+                createAwsCredentialProvider(sourceProfile, region)
+            }
+            credentialSource.isPresent -> {
+                // Can we parse the credential_source
+                credentialSourceCredentialProvider(CredentialSourceType.parse(credentialSource.get()), profile)
+            }
+            else -> {
+                throw IllegalArgumentException(message("credentials.profile.assume_role.missing_source", profile.name()))
+            }
+        }
 
         return ProfileAssumeRoleProvider(parentCredentialProvider, region, profile)
     }
 
+    private fun credentialSourceCredentialProvider(credentialSource: CredentialSourceType, profile: Profile): AwsCredentialsProvider =
+        when (credentialSource) {
+            CredentialSourceType.ECS_CONTAINER -> ContainerCredentialsProvider.builder().build()
+            CredentialSourceType.EC2_INSTANCE_METADATA -> {
+                // The IMDS credentials provider should source the endpoint config properties from the currently active profile
+                InstanceProfileCredentialsProvider.builder()
+                    .endpoint(profile.getEc2MedataEndpoint())
+                    .build()
+            }
+            CredentialSourceType.ENVIRONMENT -> AwsCredentialsProviderChain.builder()
+                .addCredentialsProvider(SystemPropertyCredentialsProvider.create())
+                .addCredentialsProvider(EnvironmentVariableCredentialsProvider.create())
+                .build()
+        }
+
     private fun createBasicProvider(profile: Profile) = StaticCredentialsProvider.create(
         AwsBasicCredentials.create(
             profile.requiredProperty(ProfileProperty.AWS_ACCESS_KEY_ID),

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileReader.kt

@@ -54,7 +54,17 @@ fun validateSsoProfile(profile: Profile) {
 
 private fun validateAssumeRoleProfile(profile: Profile, allProfiles: Map<String, Profile>) {
     val rootProfile = profile.traverseCredentialChain(allProfiles).last()
-    validateProfile(rootProfile, allProfiles)
+    val credentialSource = rootProfile.property(ProfileProperty.CREDENTIAL_SOURCE)
+
+    if (credentialSource.isPresent) {
+        try {
+            CredentialSourceType.parse(credentialSource.get())
+        } catch (e: Exception) {
+            throw IllegalArgumentException(message("credentials.profile.assume_role.invalid_credential_source", rootProfile.name()))
+        }
+    } else {
+        validateProfile(rootProfile, allProfiles)
+    }
 }
 
 private fun validateStaticSessionProfile(profile: Profile) {

jetbrains-core/src/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileUtils.kt

@@ -21,17 +21,30 @@ fun Profile.traverseCredentialChain(profiles: Map<String, Profile>): Sequence<Pr
             throw IllegalArgumentException(message("credentials.profile.circular_profiles", name(), chain))
         }
 
-        val sourceProfile = currentProfile.requiredProperty(ProfileProperty.SOURCE_PROFILE)
-        currentProfile = profiles[sourceProfile]
-            ?: throw IllegalArgumentException(
-                message(
-                    "credentials.profile.source_profile_not_found",
-                    currentProfileName,
-                    sourceProfile
+        val sourceProfile = currentProfile.property(ProfileProperty.SOURCE_PROFILE)
+        val credentialSource = currentProfile.property(ProfileProperty.CREDENTIAL_SOURCE)
+
+        if (sourceProfile.isPresent && credentialSource.isPresent) {
+            throw IllegalArgumentException(message("credentials.profile.assume_role.duplicate_source", currentProfileName))
+        }
+
+        if (sourceProfile.isPresent) {
+            val sourceProfileName = sourceProfile.get()
+            currentProfile = profiles[sourceProfileName]
+                ?: throw IllegalArgumentException(
+                    message(
+                        "credentials.profile.source_profile_not_found",
+                        currentProfileName,
+                        sourceProfileName
+                    )
                 )
-            )
 
-        yield(currentProfile)
+            yield(currentProfile)
+        } else if (credentialSource.isPresent) {
+            return@sequence
+        } else {
+            throw IllegalArgumentException(message("credentials.profile.assume_role.missing_source", currentProfileName))
+        }
     }
 }
 

jetbrains-core/tst/software/aws/toolkits/jetbrains/core/credentials/profiles/Ec2MetadataConfigProviderTest.kt

@@ -0,0 +1,102 @@
+// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.profiles
+
+import org.assertj.core.api.Assertions.assertThat
+import org.assertj.core.api.Assertions.assertThatThrownBy
+import org.junit.Rule
+import org.junit.Test
+import software.aws.toolkits.core.rules.EnvironmentVariableHelper
+import software.aws.toolkits.core.rules.SystemPropertyHelper
+import software.aws.toolkits.core.utils.test.aString
+import software.aws.toolkits.jetbrains.core.credentials.profiles.Ec2MetadataConfigProvider.getEc2MedataEndpoint
+import software.aws.toolkits.jetbrains.utils.isInstanceOf
+
+class Ec2MetadataConfigProviderTest {
+    @Rule
+    @JvmField
+    val sysProps = SystemPropertyHelper()
+
+    @Rule
+    @JvmField
+    val envVars = EnvironmentVariableHelper()
+
+    @Test
+    fun `endpoint can be overridden with system property`() {
+        val endpoint = aString()
+        System.setProperty("aws.ec2MetadataServiceEndpoint", endpoint)
+
+        assertThat(profile().getEc2MedataEndpoint()).isEqualTo(endpoint)
+    }
+
+    @Test
+    fun `endpoint can be overridden with env var`() {
+        val endpoint = aString()
+        envVars["AWS_EC2_METADATA_SERVICE_ENDPOINT"] = endpoint
+
+        assertThat(profile().getEc2MedataEndpoint()).isEqualTo(endpoint)
+    }
+
+    @Test
+    fun `endpoint can be overridden with profile`() {
+        val endpoint = aString()
+        val profile = profile {
+            put("ec2_metadata_service_endpoint", endpoint)
+        }
+
+        assertThat(profile.getEc2MedataEndpoint()).isEqualTo(endpoint)
+    }
+
+    @Test
+    fun `endpoint defaults to ipv4 endpoint if nothing is specified`() {
+        assertThat(profile().getEc2MedataEndpoint()).isEqualTo("http://169.254.169.254")
+    }
+
+    @Test
+    fun `endpoint defaults to default endpoint if ipv6 is specified`() {
+        val profile = profile {
+            put("ec2_metadata_service_endpoint_mode", "ipv6")
+        }
+
+        assertThat(profile.getEc2MedataEndpoint()).isEqualTo("http://[fd00:ec2::254]")
+    }
+
+    @Test
+    fun `mode is case insensitive`() {
+        val profile = profile {
+            put("ec2_metadata_service_endpoint_mode", "ipv6")
+        }
+
+        assertThat(profile.getEc2MedataEndpoint()).isEqualTo("http://[fd00:ec2::254]")
+
+        val profile2 = profile {
+            put("ec2_metadata_service_endpoint_mode", "iPv6")
+        }
+
+        assertThat(profile2.getEc2MedataEndpoint()).isEqualTo("http://[fd00:ec2::254]")
+    }
+
+    @Test
+    fun `mode can be overridden with system property`() {
+        System.setProperty("aws.ec2MetadataServiceEndpointMode", "ipv6")
+
+        assertThat(profile().getEc2MedataEndpoint()).isEqualTo("http://[fd00:ec2::254]")
+    }
+
+    @Test
+    fun `mode can be overridden with env var`() {
+        envVars["AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE"] = "ipv6"
+
+        assertThat(profile().getEc2MedataEndpoint()).isEqualTo("http://[fd00:ec2::254]")
+    }
+
+    @Test
+    fun `invalid mode fails`() {
+        val profile = profile {
+            put("ec2_metadata_service_endpoint_mode", "badMode")
+        }
+
+        assertThatThrownBy { profile.getEc2MedataEndpoint() }.isInstanceOf<IllegalArgumentException>()
+    }
+}

jetbrains-core/tst/software/aws/toolkits/jetbrains/core/credentials/profiles/ProfileAssumeRoleProviderTest.kt

@@ -19,7 +19,6 @@ import org.mockito.kotlin.mock
 import org.mockito.kotlin.stub
 import org.mockito.kotlin.verify
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
-import software.amazon.awssdk.profiles.Profile
 import software.amazon.awssdk.profiles.ProfileProperty
 import software.amazon.awssdk.services.sts.StsClient
 import software.amazon.awssdk.services.sts.model.AssumeRoleRequest
@@ -190,9 +189,4 @@ class ProfileAssumeRoleProviderTest {
         verify(stsClient).close()
         verify(parentProvider as SdkAutoCloseable).close()
     }
-
-    private fun profile(properties: MutableMap<String, String>.() -> Unit) = Profile.builder()
-        .name(aString())
-        .properties(mutableMapOf<String, String>().apply { properties(this) })
-        .build()
 }