Add support for IMDS over IPv6 (#2585)

This changes implements support for the 'AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE'
environment variable and 'ec2_metadata_service_endpoint' profile file property.

When no endpoint override is set using 'AWS_EC2_METADATA_SERVICE_ENDPOINT', this
configuration controls which of the default IMDS endpoints the client will use.
Valid values are 'IPv4' or 'IPv6'.

Author: dagnir

.changes/next-release/feature-AWSSDKforJavav2-7e9ac2d.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "This changes implements support for the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable and\n`ec2_metadata_service_endpoint` profile file property.\n\nWhen no endpoint override is set using `AWS_EC2_METADATA_SERVICE_ENDPOINT`, this configuration controls which of the default\nIMDS endpoints the client will use.  Valid values are `IPv4` or `IPv6`"
+}

buildspecs/release-to-maven.yml

@@ -26,7 +26,7 @@ phases:
       if ! curl -f --head $SONATYPE_URL; then
         mkdir -p $CREDENTIALS
         aws s3 cp s3://aws-java-sdk-release-credentials/ $CREDENTIALS/ --recursive
-        mvn clean deploy -B -s $SETTINGS_XML -Dgpg.homedir=$GPG_HOME -Ppublishing -DperformRelease -Dspotbugs.skip -DskipTests -Dcheckstyle.skip -Djapicmp.skip -Ddoclint=none -pl !:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:module-path-tests,!:tests-coverage-reporting,!:stability-tests,!:sdk-native-image-test -DautoReleaseAfterClose=true -DstagingProgressTimeoutMinutes=30
+        mvn clean deploy -B -s $SETTINGS_XML -Dgpg.homedir=$GPG_HOME -Ppublishing -DperformRelease -Dspotbugs.skip -DskipTests -Dcheckstyle.skip -Djapicmp.skip -Ddoclint=none -pl !:protocol-tests,!:protocol-tests-core,!:codegen-generated-classes-test,!:sdk-benchmarks,!:module-path-tests,!:tests-coverage-reporting,!:stability-tests,!:sdk-native-image-test,!:auth-sts-testing -DautoReleaseAfterClose=true -DstagingProgressTimeoutMinutes=30
       else
         echo "This version was already released."
       fi

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -20,10 +20,11 @@
 import java.util.HashMap;
 import java.util.Map;
 import software.amazon.awssdk.annotations.SdkPublicApi;
+import software.amazon.awssdk.auth.credentials.internal.Ec2MetadataConfigProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.exception.SdkServiceException;
 import software.amazon.awssdk.core.internal.util.UserAgentUtils;
-import software.amazon.awssdk.regions.internal.util.EC2MetadataUtils;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
 import software.amazon.awssdk.utils.ToString;
@@ -41,11 +42,15 @@ public final class InstanceProfileCredentialsProvider extends HttpCredentialsPro
 
     private static final String SECURITY_CREDENTIALS_RESOURCE = "/latest/meta-data/iam/security-credentials/";
 
+    private final String endpoint;
+    private final Ec2MetadataConfigProvider configProvider = Ec2MetadataConfigProvider.builder().build();
+
     /**
      * @see #builder()
      */
     private InstanceProfileCredentialsProvider(BuilderImpl builder) {
         super(builder);
+        this.endpoint = builder.endpoint;
     }
 
     /**
@@ -66,7 +71,7 @@ public static InstanceProfileCredentialsProvider create() {
 
     @Override
     protected ResourcesEndpointProvider getCredentialsEndpointProvider() {
-        return new InstanceProviderCredentialsEndpointProvider(getToken());
+        return new InstanceProviderCredentialsEndpointProvider(getImdsEndpoint(), getToken());
     }
 
     @Override
@@ -80,7 +85,24 @@ public String toString() {
     }
 
     private String getToken() {
-        return EC2MetadataUtils.getToken();
+        try {
+            return HttpResourcesUtils.instance()
+                    .readResource(new TokenEndpointProvider(getImdsEndpoint()), "PUT");
+        } catch (Exception e) {
+
+            boolean is400ServiceException = e instanceof SdkServiceException
+                    && ((SdkServiceException) e).statusCode() == 400;
+
+            // metadata resolution must not continue to the token-less flow for a 400
+            if (is400ServiceException) {
+                throw SdkClientException.builder()
+                        .message("Unable to fetch metadata token")
+                        .cause(e)
+                        .build();
+            }
+
+            return null;
+        }
     }
 
     private static ResourcesEndpointProvider includeTokenHeader(ResourcesEndpointProvider provider, String token) {
@@ -99,18 +121,26 @@ public Map<String, String> headers() {
         };
     }
 
+    private String getImdsEndpoint() {
+        if (endpoint != null) {
+            return endpoint;
+        }
+
+        return configProvider.getEndpoint();
+    }
+
     private static final class InstanceProviderCredentialsEndpointProvider implements ResourcesEndpointProvider {
+        private final String imdsEndpoint;
         private final String metadataToken;
 
-        private InstanceProviderCredentialsEndpointProvider(String metadataToken) {
+        private InstanceProviderCredentialsEndpointProvider(String imdsEndpoint, String metadataToken) {
+            this.imdsEndpoint = imdsEndpoint;
             this.metadataToken = metadataToken;
         }
 
         @Override
         public URI endpoint() throws IOException {
-            String host = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getStringValueOrThrow();
-
-            URI endpoint = URI.create(host + SECURITY_CREDENTIALS_RESOURCE);
+            URI endpoint = URI.create(imdsEndpoint + SECURITY_CREDENTIALS_RESOURCE);
             ResourcesEndpointProvider endpointProvider = () -> endpoint;
 
             if (metadataToken != null) {
@@ -124,7 +154,7 @@ public URI endpoint() throws IOException {
                 throw SdkClientException.builder().message("Unable to load credentials path").build();
             }
 
-            return URI.create(host + SECURITY_CREDENTIALS_RESOURCE + securityCredentials[0]);
+            return URI.create(imdsEndpoint + SECURITY_CREDENTIALS_RESOURCE + securityCredentials[0]);
         }
 
         @Override
@@ -142,12 +172,46 @@ public Map<String, String> headers() {
         }
     }
 
+    private static final class TokenEndpointProvider implements ResourcesEndpointProvider {
+        private static final String TOKEN_RESOURCE_PATH = "/latest/api/token";
+        private static final String EC2_METADATA_TOKEN_TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds";
+        private static final String DEFAULT_TOKEN_TTL = "21600";
+
+        private final String host;
+
+        private TokenEndpointProvider(String host) {
+            this.host = host;
+        }
+
+        @Override
+        public URI endpoint() {
+            String finalHost = host;
+            if (finalHost.endsWith("/")) {
+                finalHost = finalHost.substring(0, finalHost.length() - 1);
+            }
+            return URI.create(finalHost + TOKEN_RESOURCE_PATH);
+        }
+
+        @Override
+        public Map<String, String> headers() {
+            Map<String, String> requestHeaders = new HashMap<>();
+            requestHeaders.put("User-Agent", UserAgentUtils.getUserAgent());
+            requestHeaders.put("Accept", "*/*");
+            requestHeaders.put("Connection", "keep-alive");
+            requestHeaders.put(EC2_METADATA_TOKEN_TTL_HEADER, DEFAULT_TOKEN_TTL);
+
+            return requestHeaders;
+        }
+    }
+
 
     /**
      * A builder for creating a custom a {@link InstanceProfileCredentialsProvider}.
      */
     public interface Builder extends HttpCredentialsProvider.Builder<InstanceProfileCredentialsProvider, Builder> {
 
+        Builder endpoint(String endpoint);
+
         /**
          * Build a {@link InstanceProfileCredentialsProvider} from the provided configuration.
          */
@@ -159,10 +223,18 @@ private static final class BuilderImpl
         extends HttpCredentialsProvider.BuilderImpl<InstanceProfileCredentialsProvider, Builder>
         implements Builder {
 
+        private String endpoint;
+
         private BuilderImpl() {
             super.asyncThreadName("instance-profile-credentials-provider");
         }
 
+        @Override
+        public Builder endpoint(String endpoint) {
+            this.endpoint = endpoint;
+            return this;
+        }
+
         @Override
         public InstanceProfileCredentialsProvider build() {
             return new InstanceProfileCredentialsProvider(this);

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ProfileCredentialsProvider.java

@@ -69,7 +69,8 @@ private ProfileCredentialsProvider(BuilderImpl builder) {
             ProfileFile finalProfileFile = profileFile;
             credentialsProvider =
                     profileFile.profile(profileName)
-                               .flatMap(p -> new ProfileCredentialsUtils(p, finalProfileFile::profile).credentialsProvider())
+                               .flatMap(p -> new ProfileCredentialsUtils(finalProfileFile, p, finalProfileFile::profile)
+                                       .credentialsProvider())
                                .orElseThrow(() -> {
                                    String errorMessage = String.format("Profile file contained no credentials for " +
                                                                        "profile '%s': %s", finalProfileName, finalProfileFile);

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/Ec2MetadataConfigProvider.java

@@ -0,0 +1,161 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.auth.credentials.internal;
+
+import java.util.Optional;
+import java.util.function.Supplier;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.SdkSystemSetting;
+import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.profiles.Profile;
+import software.amazon.awssdk.profiles.ProfileFile;
+import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
+import software.amazon.awssdk.profiles.ProfileProperty;
+
+@SdkInternalApi
+// TODO: Remove or consolidate this class with the one from the regions module.
+// There's currently no good way for both auth and regions to share the same
+// class since there's no suitable common dependency between the two where this
+// can live. Ideally, we can do this when the EC2MetadataUtils is replaced with
+// the IMDS client.
+public final class Ec2MetadataConfigProvider {
+    /** Default IPv4 endpoint for the Amazon EC2 Instance Metadata Service. */
+    private static final String EC2_METADATA_SERVICE_URL_IPV4 = "http://169.254.169.254";
+
+    /** Default IPv6 endpoint for the Amazon EC2 Instance Metadata Service. */
+    private static final String EC2_METADATA_SERVICE_URL_IPV6 = "http://[fd00:ec2::254]";
+
+    private final Supplier<ProfileFile> profileFile;
+    private final String profileName;
+
+    private Ec2MetadataConfigProvider(Builder builder) {
+        this.profileFile = builder.profileFile;
+        this.profileName = builder.profileName;
+    }
+
+    public enum EndpointMode {
+        IPV4,
+        IPV6,
+        ;
+
+        public static EndpointMode fromValue(String s) {
+            if (s == null) {
+                return null;
+            }
+
+            for (EndpointMode value : EndpointMode.values()) {
+                if (value.name().equalsIgnoreCase(s)) {
+                    return value;
+                }
+            }
+
+            throw new IllegalArgumentException("Unrecognized value for endpoint mode: " + s);
+        }
+    }
+
+    public String getEndpoint() {
+        String endpointOverride = getEndpointOverride();
+        if (endpointOverride != null) {
+            return endpointOverride;
+        }
+
+        EndpointMode endpointMode = getEndpointMode();
+        switch (endpointMode) {
+            case IPV4:
+                return EC2_METADATA_SERVICE_URL_IPV4;
+            case IPV6:
+                return EC2_METADATA_SERVICE_URL_IPV6;
+            default:
+                throw SdkClientException.create("Unknown endpoint mode: " + endpointMode);
+        }
+    }
+
+    public EndpointMode getEndpointMode() {
+        Optional<String> endpointMode = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.getNonDefaultStringValue();
+        if (endpointMode.isPresent()) {
+            return EndpointMode.fromValue(endpointMode.get());
+        }
+
+        return configFileEndpointMode().orElseGet(() ->
+                EndpointMode.fromValue(SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.defaultValue()));
+    }
+
+    public String getEndpointOverride() {
+        Optional<String> endpointOverride = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT.getNonDefaultStringValue();
+        if (endpointOverride.isPresent()) {
+            return endpointOverride.get();
+        }
+
+        Optional<String> configFileValue = configFileEndpointOverride();
+
+        return configFileValue.orElse(null);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    private Optional<EndpointMode> configFileEndpointMode() {
+        return resolveProfile().flatMap(p -> p.property(ProfileProperty.EC2_METADATA_SERVICE_ENDPOINT_MODE))
+                               .map(EndpointMode::fromValue);
+    }
+
+    private Optional<String> configFileEndpointOverride() {
+        return resolveProfile().flatMap(p -> p.property(ProfileProperty.EC2_METADATA_SERVICE_ENDPOINT));
+    }
+
+    private Optional<Profile> resolveProfile() {
+        ProfileFile profileFileToUse = resolveProfileFile();
+        String profileNameToUse = resolveProfileName();
+
+        return profileFileToUse.profile(profileNameToUse);
+    }
+
+    private ProfileFile resolveProfileFile() {
+        if (profileFile != null) {
+            return profileFile.get();
+        }
+
+        return ProfileFile.defaultProfileFile();
+    }
+
+    private String resolveProfileName() {
+        if (profileName != null) {
+            return profileName;
+        }
+
+        return ProfileFileSystemSetting.AWS_PROFILE.getStringValueOrThrow();
+    }
+
+    public static class Builder {
+        private Supplier<ProfileFile> profileFile;
+        private String profileName;
+
+        public Builder profileFile(Supplier<ProfileFile> profileFile) {
+            this.profileFile = profileFile;
+            return this;
+        }
+
+        public Builder profileName(String profileName) {
+            this.profileName = profileName;
+            return this;
+        }
+
+        public Ec2MetadataConfigProvider build() {
+            return new Ec2MetadataConfigProvider(this);
+        }
+    }
+}