# frozen_string_literal: true require 'time' require 'net/http' module Aws # An auto-refreshing credential provider that loads credentials from EC2 instances. # # instance_credentials = Aws::InstanceProfileCredentials.new # ec2 = Aws::EC2::Client.new(credentials: instance_credentials) # # ## Retries # When initialized from the default credential chain, this provider defaults to `0` retries. # Breakdown of retries is as follows: # # * **Configurable retries** (defaults to `1`): these retries handle errors when communicating # with the IMDS endpoint. There are two separate retry mechanisms within the provider: # * Entire token fetch and credential retrieval process # * Token fetching # * **JSON parsing retries**: Fixed at 3 attempts to handle cases when IMDS returns malformed JSON # responses. These retries are separate from configurable retries. # # @see https://docs.aws.amazon.com/sdkref/latest/guide/feature-imds-credentials.html IMDS Credential Provider class InstanceProfileCredentials include CredentialProvider include RefreshingCredentials # @api private class Non200Response < RuntimeError attr_reader :status_code, :body def initialize(status_code, body = nil) @status_code = status_code @body = body msg = "HTTP #{status_code}" msg += ": #{body}" if body && !body.empty? super(msg) end end # @api private class TokenRetrivalError < RuntimeError; end # @api private class TokenExpiredError < RuntimeError; end # These are the errors we trap when attempting to talk to the instance metadata service. # Any of these imply the service is not present, no responding or some other non-recoverable error. # @api private NETWORK_ERRORS = [ Errno::EHOSTUNREACH, Errno::ECONNREFUSED, Errno::EHOSTDOWN, Errno::ENETUNREACH, SocketError, Timeout::Error, Non200Response ].freeze # Path base for GET request for profile and credentials # @api private METADATA_PATH_BASE = '/latest/meta-data/iam/security-credentials/'.freeze # Path for PUT request for token # @api private METADATA_TOKEN_PATH = '/latest/api/token'.freeze # @param [Hash] options # @option options [Integer] :retries (1) Number of times to retry when retrieving credentials. # @option options [Numeric, Proc] :backoff By default, failures are retried with exponential back-off, i.e. # `lambda { |num_failures| sleep(1.2 ** num_failures) }`. You can pass a number of seconds to sleep # between failed attempts, or a Proc that accepts the number of failures. # @option options [String] :endpoint ('http://169.254.169.254') The IMDS endpoint. This option has precedence # over the `:endpoint_mode`. # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for the instance metadata service. This is # either 'IPv4' (`169.254.169.254`) or IPv6' (`[fd00:ec2::254]`). # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the legacy EC2 Metadata Service v1. # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use `:endpoint` instead. # The IP address for the endpoint. # @option options [Integer] :port (80) # @option options [Float] :http_open_timeout (1) # @option options [Float] :http_read_timeout (1) # @option options [IO] :http_debug_output (nil) HTTP wire traces are sent to this object. # You can specify something like `$stdout`. # @option options [Integer] :token_ttl (21600) Time-to-Live in seconds for EC2 Metadata Token used for fetching # Metadata Profile Credentials. # @option options [Proc] :before_refresh A Proc called before credentials are refreshed. `:before_refresh` # is called with an instance of this object when AWS credentials are required and need to be refreshed. def initialize(options = {}) @backoff = resolve_backoff(options[:backoff]) @disable_imds_v1 = resolve_disable_v1(options) @endpoint = resolve_endpoint(options) @http_open_timeout = options[:http_open_timeout] || 1 @http_read_timeout = options[:http_read_timeout] || 1 @http_debug_output = options[:http_debug_output] @port = options[:port] || 80 @retries = options[:retries] || 1 @token_ttl = options[:token_ttl] || 21_600 @async_refresh = false @imds_v1_fallback = false @no_refresh_until = nil @token = nil @metrics = ['CREDENTIALS_IMDS'] super end # @return [Boolean] attr_reader :disable_imds_v1 # @return [Integer] attr_reader :token_ttl # @return [Integer] attr_reader :retries # @return [Proc] attr_reader :backoff # @return [String] attr_reader :endpoint # @return [Integer] attr_reader :port # @return [Integer] attr_reader :http_open_timeout # @return [Integer] attr_reader :http_read_timeout # @return [IO, nil] attr_reader :http_debug_output private def resolve_endpoint_mode(options) options[:endpoint_mode] || ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE'] || Aws.shared_config.ec2_metadata_service_endpoint_mode(profile: options[:profile]) || 'IPv4' end def resolve_endpoint(options) if (value = options[:ip_address]) warn('The `:ip_address` option is deprecated. Use `:endpoint` instead.') return value end value = options[:endpoint] || ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT'] || Aws.shared_config.ec2_metadata_service_endpoint(profile: options[:profile]) || nil return value if value endpoint_mode = resolve_endpoint_mode(options) case endpoint_mode.downcase when 'ipv4' then 'http://169.254.169.254' when 'ipv6' then 'http://[fd00:ec2::254]' else raise ArgumentError, ":endpoint_mode is not valid, expected IPv4 or IPv6, got: #{endpoint_mode}" end end def resolve_disable_v1(options) value = options[:disable_imds_v1] || ENV['AWS_EC2_METADATA_V1_DISABLED'] || Aws.shared_config.ec2_metadata_v1_disabled(profile: options[:profile]) || 'false' Aws::Util.str_2_bool(value.to_s.downcase) end def resolve_backoff(backoff) case backoff when Proc then backoff when Numeric then ->(_) { sleep(backoff) } else ->(num_failures) { Kernel.sleep(1.2**num_failures) } end end def refresh if @no_refresh_until && @no_refresh_until > Time.now warn_expired_credentials return end new_creds = begin # Retry loading credentials up to 3 times is the instance metadata # service is responding but is returning invalid JSON documents # in response to the GET profile credentials call. retry_errors([Aws::Json::ParseError], max_retries: 3) do Aws::Json.load(retrieve_credentials.to_s) end rescue Aws::Json::ParseError raise Aws::Errors::MetadataParserError end if @credentials&.set? && empty_credentials?(new_creds) # credentials are already set, but there was an error getting new credentials # so don't update the credentials and use stale ones (static stability) @no_refresh_until = Time.now + rand(300..360) warn_expired_credentials else # credentials are empty or successfully retrieved, update them update_credentials(new_creds) end end def retrieve_credentials # Retry loading credentials a configurable number of times if # the instance metadata service is not responding. begin retry_errors(NETWORK_ERRORS, max_retries: @retries) do open_connection do |conn| # attempt to fetch token to start secure flow first # and rescue to failover fetch_token(conn) unless @imds_v1_fallback || (@token && !@token.expired?) # disable insecure flow if we couldn't get token and imds v1 is disabled raise TokenRetrivalError if @token.nil? && @disable_imds_v1 fetch_credentials(conn) end end rescue StandardError => e warn("Error retrieving instance profile credentials: #{e}") '{}' end end def update_credentials(creds) @credentials = Credentials.new(creds['AccessKeyId'], creds['SecretAccessKey'], creds['Token']) @expiration = creds['Expiration'] ? Time.iso8601(creds['Expiration']) : nil return unless @expiration && @expiration < Time.now @no_refresh_until = Time.now + rand(300..360) warn_expired_credentials end def fetch_token(conn) created_time = Time.now token_value, ttl = http_put(conn) @token = Token.new(token_value, ttl, created_time) if token_value && ttl rescue *NETWORK_ERRORS # token attempt failed, reset token # fallback to non-token mode @imds_v1_fallback = true end def fetch_credentials(conn) metadata = http_get(conn, METADATA_PATH_BASE) profile_name = metadata.lines.first.strip http_get(conn, METADATA_PATH_BASE + profile_name) rescue TokenExpiredError # Token has expired, reset it # The next retry should fetch it @token = nil @imds_v1_fallback = false raise Non200Response.new(401, 'Token expired') end def token_set? @token && !@token.expired? end def open_connection uri = URI.parse(@endpoint) http = Net::HTTP.new(uri.hostname || @endpoint, uri.port || @port) http.open_timeout = @http_open_timeout http.read_timeout = @http_read_timeout http.set_debug_output(@http_debug_output) if @http_debug_output http.start yield(http).tap { http.finish } end # GET request fetch profile and credentials def http_get(connection, path) headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" } headers['x-aws-ec2-metadata-token'] = @token.value if @token response = connection.request(Net::HTTP::Get.new(path, headers)) case response.code.to_i when 200 response.body when 401 raise TokenExpiredError else raise Non200Response.new(response.code.to_i, response.body) end end # PUT request fetch token with ttl def http_put(connection) headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}", 'x-aws-ec2-metadata-token-ttl-seconds' => @token_ttl.to_s } response = connection.request(Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)) case response.code.to_i when 200 [ response.body, response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i ] when 400 raise TokenRetrivalError else raise Non200Response.new(response.code.to_i, response.body) end end def retry_errors(error_classes, options = {}, &_block) max_retries = options[:max_retries] retries = 0 begin yield rescue *error_classes raise unless retries < max_retries @backoff.call(retries) retries += 1 retry end end def warn_expired_credentials warn('Attempting credential expiration extension due to a credential service availability issue. '\ 'A refresh of these credentials will be attempted again in 5 minutes.') end def empty_credentials?(creds_hash) !creds_hash['AccessKeyId'] || creds_hash['AccessKeyId'].empty? end # @api private # Token used to fetch IMDS profile and credentials class Token def initialize(value, ttl, created_time = Time.now) @ttl = ttl @value = value @created_time = created_time end # [String] token value attr_reader :value def expired? Time.now - @created_time > @ttl end end end end