Skip to content

[DO NOT MERGE] EC2 IMDS Changes to Support Account ID #6176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

[DO NOT MERGE] EC2 IMDS Changes to Support Account ID #6176

wants to merge 12 commits into from

Conversation

S-Saranya1
Copy link
Contributor

@S-Saranya1 S-Saranya1 commented Jun 12, 2025
edited
Loading

Add support for extracting account ID from Instance Metadata Credentials Provider

Motivation and Context

Add support in IMDS credentials provider to retrieve accountID.

Modifications

  • Added support for new /latest/meta-data/iam/security-credentials-extended/ IMDS endpoint
  • Added fallback logic to legacy endpoint '/latest/meta-data/iam/security-credentials/{ROLE}'
  • Added support for AccountId to extract it from IMDS response.

Testing

Added unit tests using WireMock to verify:

  • Successful retrieval of credentials with account ID from extended endpoint
  • Proper fallback to legacy endpoint when extended endpoint returns 404

Performed integration testing on EC2:

  • Verified successful account ID resolution on allowlisted instances
  • Confirmed fallback to legacy endpoint on non-allowlisted instances

Screenshots (if appropriate)

Tested Code:

public class ImdsAccountIdTest {
    public static void main(String[] args) {
        try {
            InstanceProfileCredentialsProvider provider = InstanceProfileCredentialsProvider.create();
            AwsCredentials credentials = provider.resolveCredentials();
            System.out.println("Successfully resolved credentials!");
            System.out.println("Access Key ID: " + credentials.accessKeyId().substring(0, 5) + "...");
            System.out.println("Account ID: " + credentials.accountId().orElse("Not available"));

        } catch (Exception e) {
            System.err.println("Error: " + e.getMessage());
            e.printStackTrace();
            System.exit(1);
        }
    }
}

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@S-Saranya1 S-Saranya1 requested a review from a team as a code owner June 12, 2025 15:49
zoewangg
zoewangg requested changes Jun 13, 2025
View reviewed changes
@S-Saranya1
Additional Changes
4a76367 
-created a new integration test file for IMDS extended url separating it from legacy
-Included the status code to the fallback logic
@S-Saranya1
Additional Changes
c3d02a5 
- Removed the duplicate test files
- Make ApiVersion Volatile
zoewangg
zoewangg reviewed Jun 17, 2025
View reviewed changes
@S-Saranya1
Additional Changes:
e42ad38 
-Adding additional tests
-Updating to use AtomicReference
dagnir
dagnir requested changes Jun 17, 2025
View reviewed changes
@S-Saranya1
Address PR feedback:
c5e41b5 
Updating the debug logging message
Modified the fallback logic in refresh credentials
@S-Saranya1
Replacing AtomicReference fields and updating test file
f41795b
alextwoods
alextwoods approved these changes Jun 18, 2025
View reviewed changes
Copy link
Contributor

@alextwoods alextwoods left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
12 New issues
0 Accepted issues

Measures
0 Security Hotspots
86.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@S-Saranya1 S-Saranya1 added the api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team label Jun 19, 2025
@S-Saranya1 S-Saranya1 changed the title EC2 IMDS Changes to Support Account ID [DO NOT MERGE] EC2 IMDS Changes to Support Account ID Jun 19, 2025
@S-Saranya1 S-Saranya1 added no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required and removed api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team labels Jun 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@L-Applin L-Applin L-Applin left review comments

@dagnir dagnir dagnir approved these changes

@zoewangg zoewangg zoewangg approved these changes

@alextwoods alextwoods alextwoods approved these changes

Assignees
No one assigned
Labels
no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@S-Saranya1 @dagnir @L-Applin @zoewangg @alextwoods