Add ec2InstanceProfileName configuration #6208

Open
wants to merge 4 commits into
base: feature/master/IMDS-AccountID-Support

@S-Saranya1 S-Saranya1 commented Jun 25, 2025

Adding ec2InstanceProfileName configuration to specify IMDS instance profile.

Motivation and Context

Adding ec2InstanceProfileName configuration to specify IMDS instance profile for retrieving credentials. This improves performance by skipping the profile discovery step, eliminating one IMDS call.

Modifications

  • Added the ec2InstanceProfileName config in provider configuration, system properties, environment variables and in configuration files.
  • Modified Ec2MetadataConfigProvider to parse ec2InstanceProfileName configuration.
  • Modified the credentials fetching logic in InstanceProfileCredentialsProvider to include this new configuration.
  • Added unit tests to test the new config.

Testing

  • Added unit tests for all supported configuration methods.
  • Added tests in the ExtendedApiTest file to verify the new profile name works with the Extended API.
  • Added a few test cases from the IMDS SEP which test with the ec2InstanceProfileName config.
  • Performed one-off integration testing.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@S-Saranya1 S-Saranya1 requested a review from a team as a code owner June 25, 2025 17:27
@S-Saranya1 S-Saranya1 changed the title Adding ec2InstanceProfileName configuration to specify IMDS instance … Adding ec2InstanceProfileName configuration Jun 25, 2025
@S-Saranya1 S-Saranya1 changed the title Adding ec2InstanceProfileName configuration Add ec2InstanceProfileName configuration Jun 25, 2025
- Refactor the code to resolve profile name
@@ -118,6 +121,13 @@ private InstanceProfileCredentialsProvider(BuilderImpl builder) {
.orElseGet(() -> ProfileFileSupplier.fixedProfileFile(ProfileFile.defaultProfileFile()));
this.profileName = Optional.ofNullable(builder.profileName)
.orElseGet(ProfileFileSystemSetting.AWS_PROFILE::getStringValueOrThrow);
this.ec2InstanceProfileName = builder.ec2InstanceProfileName;

if (isBlank(ec2InstanceProfileName) && ec2InstanceProfileName != null) {
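Review bot: On the last line, `isBlank(ec2InstanceProfileName) && ec2InstanceProfileName != null` tests for null only after the value has already been passed to `isBlank`, which hides the intent (a value that is set but empty or whitespace-only). Put `ec2InstanceProfileName != null` first and add a one-line comment saying that null means the setting was not supplied, so a later cleanup does not collapse the condition into a plain `isBlank` and start treating the unset case the same way.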
Contributor

This can be simplified to StringUtils.isWhitespace(ec2InstanceProfileName)

Contributor Author

@S-Saranya1 S-Saranya1 Jun 26, 2025

Hmm, the StringUtils (software.amazon.awssdk.utils.StringUtils) doesn't have an "isWhitespace" method; it only has an "isBlank" method.
Apache Commons Lang StringUtils (from org.apache.commons.lang3.StringUtils) does have an isWhitespace method, but it's not available for this module.

Comment on lines +187 to +189
if (apiVersion == ApiVersion.UNKNOWN) {
apiVersion = ApiVersion.EXTENDED;
}
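Review bot: The `apiVersion == ApiVersion.UNKNOWN` block changes state to `ApiVersion.EXTENDED` without a comment stating what must already be true at this point. Add a short comment naming the precondition and a unit test that asserts `apiVersion` is left untouched when that precondition does not hold, so the assignment cannot drift ahead of the check in a refactor.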
Contributor

What is the purpose of this change?

Contributor Author

@S-Saranya1 S-Saranya1 Jun 26, 2025

Initially, apiVersion is set to UNKNOWN. When ec2InstanceProfileName is set by the user, we skip the first GET request to IMDS in the getSecurityCredentials() method. In refreshCredentials(), the code attempts to load credentials using the extended API endpoint first. If successful, we update apiVersion to EXTENDED. This serves two purposes: it records that the extended API is supported for future reference, so it prevents unnecessary attempts to use the legacy API in subsequent calls, as we now know the extended API works. (This is from IMDS SEP 2.1.)
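
The flow described in the reply above (skip discovery when the name is configured, try the extended endpoint first, record EXTENDED on success), as an added sketch that is not the SDK's code or part of this PR. The class, the endpoint paths, the fake IMDS map and the fallback to legacy are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;
// Added sketch, not SDK code: class, field and path names are hypothetical.
public class ProfileNameSketch {
    enum ApiVersion { UNKNOWN, LEGACY, EXTENDED }
    // Placeholder endpoint paths (constructed; the real IMDS paths are not on this page).
    static final String EXTENDED_PATH = "/credentials-extended/", LEGACY_PATH = "/credentials/";
    final Map<String, String> fakeImds;   // constructed responses keyed by path
    final String configuredProfile;       // null = not configured, run discovery
    ApiVersion apiVersion = ApiVersion.UNKNOWN;
    int imdsCalls = 0;
    ProfileNameSketch(Map<String, String> fakeImds, String configuredProfile) {
        if (configuredProfile != null && configuredProfile.trim().isEmpty()) // unset is fine, blank is not
            throw new IllegalArgumentException("ec2InstanceProfileName is set but blank");
        this.fakeImds = fakeImds;
        this.configuredProfile = configuredProfile;
    }
    Optional<String> get(String path) { imdsCalls++; return Optional.ofNullable(fakeImds.get(path)); }

    String discoverProfile() {            // the GET that a configured name skips
        if (apiVersion != ApiVersion.LEGACY) {
            Optional<String> name = get(EXTENDED_PATH);
            if (name.isPresent()) { apiVersion = ApiVersion.EXTENDED; return name.get(); }
            apiVersion = ApiVersion.LEGACY; // assumption of this sketch: fall back to legacy
        }
        return get(LEGACY_PATH).orElseThrow(() -> new IllegalStateException("discovery failed"));
    }

    String refreshCredentials() {
        String profile = configuredProfile != null ? configuredProfile : discoverProfile();
        if (apiVersion != ApiVersion.LEGACY) {
            Optional<String> creds = get(EXTENDED_PATH + profile);
            if (creds.isPresent()) {
                if (apiVersion == ApiVersion.UNKNOWN) apiVersion = ApiVersion.EXTENDED; // discovery was skipped
                return creds.get();
            }
            apiVersion = ApiVersion.LEGACY; // same assumed fallback
        }
        return get(LEGACY_PATH + profile).orElseThrow(() -> new IllegalStateException("no credentials"));
    }

    public static void main(String[] args) {
        // Constructed sample data: a fake IMDS that supports only the extended paths.
        Map<String, String> imds = Map.of(EXTENDED_PATH, "my-role", EXTENDED_PATH + "my-role", "{}");
        ProfileNameSketch discovered = new ProfileNameSketch(imds, null);
        ProfileNameSketch configured = new ProfileNameSketch(imds, "my-role");
        discovered.refreshCredentials(); configured.refreshCredentials();
        System.out.println("discovery:  " + discovered.imdsCalls + " IMDS calls, " + discovered.apiVersion);
        System.out.println("configured: " + configured.imdsCalls + " IMDS calls, " + configured.apiVersion);
    }
}
```

Both instances end in the EXTENDED state; the configured one gets there with one fewer request because the state is set on the credentials call instead of the discovery call.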

Comment on lines 218 to 221
throw SdkClientException.builder()
.message("Invalid profile name")
.cause(e)
.build();
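Review bot: `.message("Invalid profile name")` gives the caller neither the source of the value nor the expected form. State which setting or response supplied the name and what a valid one looks like; if the rejected value is included in the message, cap its length and strip control characters, since exception text is commonly written to logs.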
Contributor

Can we expand on this error message a bit? Specifically, what's the invalid value and what should they do about it?

Contributor Author

Updated it.

Comment on lines +204 to +206
} catch (Exception e) {
return Optional.empty();
}
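Review bot: `catch (Exception e)` followed by `return Optional.empty()` discards every failure, including ones unrelated to a missing value, and `e` is never logged. Catch only the exception types that are expected here and log the rest at debug level (or let them propagate), so a broken configuration source is distinguishable from an unset one.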
Contributor

What case is this guarding against?

Contributor Author

This is guarding against exceptions from aggregated profile suppliers, particularly NoSuchElementException like when there are invalid profiles or when suppliers throw exceptions during normal operation.
