Set read timeout for fetching IMDSv2 token (#104253)

Use the timeout set by AWS_METADATA_SERVICE_TIMEOUT environment variable both as connect and read timeout analogous to the AWS SDK.

See https://docs.aws.amazon.com/sdkref/latest/guide/feature-ec2-instance-metadata.html

Resolves #104244

Author: arteam

docs/changelog/104253.yaml

@@ -0,0 +1,6 @@
+pr: 104253
+summary: Set read timeout for fetching IMDSv2 token
+area: Discovery-Plugins
+type: enhancement
+issues:
+ - 104244

plugins/discovery-ec2/build.gradle

@@ -102,6 +102,9 @@ tasks.named("test").configure {
   } else {
     nonInputProperties.systemProperty 'java.security.policy', "file://${buildDir}/tmp/java.policy"
   }
+  if (BuildParams.random.nextBoolean()) {
+    env 'AWS_METADATA_SERVICE_TIMEOUT', '1'
+  }
 }
 
 tasks.named("check").configure {

plugins/discovery-ec2/src/main/java/org/elasticsearch/discovery/ec2/AwsEc2Utils.java

@@ -8,6 +8,9 @@
 
 package org.elasticsearch.discovery.ec2;
 
+import com.amazonaws.SDKGlobalConfiguration;
+import com.amazonaws.util.StringUtils;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.Strings;
@@ -24,7 +27,11 @@
 class AwsEc2Utils {
 
     private static final Logger logger = LogManager.getLogger(AwsEc2Utils.class);
-    private static final int CONNECT_TIMEOUT = 2000;
+    // The timeout can be configured via the AWS_METADATA_SERVICE_TIMEOUT environment variable
+    private static final int TIMEOUT = Optional.ofNullable(System.getenv(SDKGlobalConfiguration.AWS_METADATA_SERVICE_TIMEOUT_ENV_VAR))
+        .filter(StringUtils::hasValue)
+        .map(s -> Integer.parseInt(s) * 1000)
+        .orElse(2000);
     private static final int METADATA_TOKEN_TTL_SECONDS = 10;
     static final String X_AWS_EC_2_METADATA_TOKEN = "X-aws-ec2-metadata-token";
 
@@ -39,7 +46,10 @@ static Optional<String> getMetadataToken(String metadataTokenUrl) {
             try {
                 urlConnection = (HttpURLConnection) new URL(metadataTokenUrl).openConnection();
                 urlConnection.setRequestMethod("PUT");
-                urlConnection.setConnectTimeout(CONNECT_TIMEOUT);
+                // Use both timeout for connect and read timeout analogous to AWS SDK.
+                // See com.amazonaws.internal.HttpURLConnection#connectToEndpoint
+                urlConnection.setConnectTimeout(TIMEOUT);
+                urlConnection.setReadTimeout(TIMEOUT);
                 urlConnection.setRequestProperty("X-aws-ec2-metadata-token-ttl-seconds", String.valueOf(METADATA_TOKEN_TTL_SECONDS));
             } catch (IOException e) {
                 logger.warn("Unable to access the IMDSv2 URI: " + metadataTokenUrl, e);

plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPluginTests.java

@@ -121,6 +121,19 @@ public void testTokenMetadataApiIsMisbehaving() throws Exception {
         }
     }
 
+    public void testTokenMetadataApiDoesNotRespond() throws Exception {
+        try (var metadataServer = new MetadataServer("/metadata", exchange -> {
+            assertNull(exchange.getRequestHeaders().getFirst("X-aws-ec2-metadata-token"));
+            exchange.sendResponseHeaders(200, 0);
+            exchange.getResponseBody().write("us-east-1c".getBytes(StandardCharsets.UTF_8));
+            exchange.close();
+        }, "/latest/api/token", ex -> {
+            // Intentionally don't close the connection, so the client has to time out
+        })) {
+            assertNodeAttributes(Settings.EMPTY, metadataServer.metadataUri(), metadataServer.tokenUri(), "us-east-1c");
+        }
+    }
+
     public void testTokenMetadataApiIsNotAvailable() throws Exception {
         try (var metadataServer = metadataServerWithoutToken()) {
             assertNodeAttributes(Settings.EMPTY, metadataServer.metadataUri(), metadataServer.tokenUri(), "us-east-1c");