From 143f2964762e8a6cabd5d3fa82f90bb568d66df2 Mon Sep 17 00:00:00 2001
From: Olli Pottonen <olli.pottonen@silverrailtech.com>
Date: Wed, 28 Feb 2024 16:55:07 +1000
Subject: [PATCH] Validate security credentials obtained from Instance Metadata
 Service

Getting security credentials from Instance Metadata Service fails
when an EC2 instance does not have permissions to assume a role.
When that happens, we get a very unhelpful error message
"Value cannot be null. (Parameter 'awsAccessKeyId')"
Do response validation so that we get better exception message.

See also https://github.com/aws/aws-cli/issues/2060
---
 .../Credentials/URIBasedRefreshingCredentialHelper.cs        | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sdk/src/Core/Amazon.Runtime/Credentials/URIBasedRefreshingCredentialHelper.cs b/sdk/src/Core/Amazon.Runtime/Credentials/URIBasedRefreshingCredentialHelper.cs
index 37f11f58161a..9c3d7c7d176d 100644
--- a/sdk/src/Core/Amazon.Runtime/Credentials/URIBasedRefreshingCredentialHelper.cs
+++ b/sdk/src/Core/Amazon.Runtime/Credentials/URIBasedRefreshingCredentialHelper.cs
@@ -85,9 +85,12 @@ protected static T GetObjectFromResponse<T, TC>(Uri uri, IWebProxy proxy, Dictio
                 Amazon.Util.Internal.JsonSerializerContext,
 #endif
                 new()
+            where T : SecurityBase
         {
             string json = GetContents(uri, proxy, headers);
-            return JsonSerializerHelper.Deserialize<T>(json, new TC());
+            var result = JsonSerializerHelper.Deserialize<T>(json, new TC());
+            ValidateResponse(result);
+            return result;
         }
 
         protected static void ValidateResponse(SecurityBase response)