Unverified Commit c624a84d authored by ysaito1001, committed by GitHub

Add support for version 2.1 of the IMDS credentials provider (#4109)

**DO NOT MERGE THIS PR UNTIL READY TO RELEASE**

## Description
This PR adds support for version 2.1 of the IMDS credentials provider.
With this update, if the underlying EC2 instance's IMDS supports it, the
provider can now retrieve credentials that include an account ID. This
account ID can then be used by [account-based
endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-account-endpoints.html).

To support this functionality, the credentials provider first attempts
to access the extended API endpoint, which ends with `-extended` (e.g.,
`http://169.254.169.254/latest/meta-data/iam/security-credentials-extended`).
If this endpoint returns a 404, the provider falls back to the legacy
API endpoint—the same one used in the IMDS credentials provider v2.0.

This "try extended API, then fall back to legacy API" pattern is applied
to both retrieving the IMDS instance profile name and fetching
credentials. Importantly:
- Once the provider determines that a specific API version (extended or
legacy) is supported, it will stick to that version.
- Only the extended API can return credentials that include an account
ID.

The PR also makes the following IMDS credentials provider options
configurable:
- `Disable IMDS credentials fetching`
- `IMDS instance profile name`

Both options can be configured via environment variables or a shared
config file, with environment variables taking precedence over the
config file.

**Note:** Feature tracking for this functionality will be handled in a
separate PR.

## Testing
- Updated connection recordings in `aws-config/test-data/` to reflect
changes in the execution flow within `.retrieve_credentials` (Note: This
update is not intended to add new test coverage, but to align recordings
with the updated flow.)
- Added unit tests to verify the behavior of the extended API, including
falling back to the legacy API when necessary.
- Added unit tests to verify the configuration options for disabling
IMDS credentials fetching and specifying the IMDS instance profile name.

## Checklist
- [x] For changes to the AWS SDK, generated SDK code, or SDK runtime
crates, I have created a changelog entry Markdown file in the
`.changelog` directory, specifying "aws-sdk-rust" in the `applies_to`
key.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
parent ff30ec01
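The "try extended API, then fall back to legacy API" flow described above, with the version pinned after the first decision and the account ID surfaced only from the extended API, as an added Rust example. It is not the PR's code and not aws-config's real implementation: it assumes an in-memory fake IMDS (`FakeImds`, constructed here), that the extended paths are the legacy paths with `-extended` inserted after `security-credentials`, and that the extended credentials JSON carries the account ID under a key named `AccountId`.

```rust
use std::collections::HashMap;

/// Path prefix shared by the legacy and extended endpoints (assumed layout for this example).
const BASE: &str = "/latest/meta-data/iam/security-credentials";

/// Which IMDS credentials API the provider has settled on.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ApiVersion {
    Unknown,  // not probed yet: try the extended endpoint first
    Extended, // extended endpoint answered; credentials may carry an account ID
    Legacy,   // extended endpoint returned 404; stay on the v2.0 path from now on
}

/// Minimal stand-in for an IMDS HTTP client: GET path -> (status, body).
pub trait Imds {
    fn get(&self, path: &str) -> (u16, String);
}

/// Constructed in-memory IMDS for the example; any path not routed answers 404.
pub struct FakeImds {
    pub routes: HashMap<&'static str, (u16, &'static str)>,
}

impl FakeImds {
    pub fn new(routes: &[(&'static str, u16, &'static str)]) -> Self {
        FakeImds { routes: routes.iter().map(|&(p, s, b)| (p, (s, b))).collect() }
    }
}

impl Imds for FakeImds {
    fn get(&self, path: &str) -> (u16, String) {
        match self.routes.get(path) {
            Some(&(status, body)) => (status, body.to_string()),
            None => (404, String::new()),
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Credentials {
    pub raw_json: String,
    pub account_id: Option<String>, // only ever Some when the extended API answered
}

pub struct ImdsCredentialsProvider<C: Imds> {
    client: C,
    version: ApiVersion,
    profile: Option<String>, // Some(..) when the instance profile name was configured
}

impl<C: Imds> ImdsCredentialsProvider<C> {
    pub fn new(client: C, configured_profile: Option<&str>) -> Self {
        Self { client, version: ApiVersion::Unknown, profile: configured_profile.map(str::to_string) }
    }

    pub fn version(&self) -> ApiVersion {
        self.version
    }

    /// Try the extended path first, fall back to legacy only on a 404, and pin
    /// whichever version answered so later calls never re-probe.
    fn get_with_fallback(&mut self, suffix: &str) -> Result<String, String> {
        let extended = (ApiVersion::Extended, format!("{}-extended{}", BASE, suffix));
        let legacy = (ApiVersion::Legacy, format!("{}{}", BASE, suffix));
        let candidates = match self.version {
            ApiVersion::Unknown => vec![extended, legacy],
            ApiVersion::Extended => vec![extended],
            ApiVersion::Legacy => vec![legacy],
        };
        for (version, path) in candidates {
            let (status, body) = self.client.get(&path);
            match status {
                200 => {
                    self.version = version;
                    return Ok(body);
                }
                // Only an extended-endpoint 404 during the first probe triggers fallback;
                // any other failure (e.g. 500) is reported and nothing is pinned.
                404 if version == ApiVersion::Extended && self.version == ApiVersion::Unknown => continue,
                _ => return Err(format!("GET {} returned HTTP {}", path, status)),
            }
        }
        Err("no IMDS credentials endpoint answered".to_string())
    }

    /// Instance profile name: a configured value wins, otherwise ask IMDS once.
    pub fn resolve_profile(&mut self) -> Result<String, String> {
        if let Some(name) = &self.profile {
            return Ok(name.clone());
        }
        let body = self.get_with_fallback("/")?;
        let name = body.lines().next().unwrap_or("").trim().to_string();
        if name.is_empty() {
            return Err("IMDS returned an empty instance profile name".to_string());
        }
        self.profile = Some(name.clone());
        Ok(name)
    }

    pub fn retrieve_credentials(&mut self) -> Result<Credentials, String> {
        let profile = self.resolve_profile()?;
        let raw_json = self.get_with_fallback(&format!("/{}", profile))?;
        let account_id = match self.version {
            ApiVersion::Extended => extract_string_field(&raw_json, "AccountId"),
            _ => None,
        };
        Ok(Credentials { raw_json, account_id })
    }
}

/// Pull a top-level string field out of flat JSON by text search, so the example
/// compiles with rustc alone (no serde). Not a general JSON parser.
pub fn extract_string_field(json: &str, key: &str) -> Option<String> {
    let needle = format!("\"{}\"", key);
    let after_key = &json[json.find(&needle)? + needle.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(value[..value.find('"')?].to_string())
}

fn main() {
    // Older host (constructed sample data): the extended probe 404s, so the provider pins Legacy.
    let v20 = FakeImds::new(&[
        ("/latest/meta-data/iam/security-credentials/", 200, "example-role\n"),
        ("/latest/meta-data/iam/security-credentials/example-role", 200, r#"{"Code":"Success","AccessKeyId":"ASIAEXAMPLE"}"#),
    ]);
    let mut provider = ImdsCredentialsProvider::new(v20, None);
    println!("{:?} via {:?}", provider.retrieve_credentials().map(|c| c.account_id), provider.version());
}
```

The important property to check when reviewing a provider like this is that the fallback happens exactly once and only on a 404: a transient 500 from the extended endpoint must not silently downgrade the provider to the legacy API for the lifetime of the process, and once `Extended` is pinned the legacy routes are never consulted again.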