Add static stability support to IMDS credentials provider (#2258)

* Add static stability support to ImdsCredentialsProvider This commit adds static stability support to `ImdsCredentialsProvider`. Static stability refers to continued availability of a service in the face of impaired dependencies. In case IMDS is not available, we still allow requests to be dispatched with expired credentials. This, in turn, allows the target service to makes the ultimate decision as to whether requests sent are valid or not instead of the client SDK determining their validity. The way it is implemented is `ImdsCredentialsProvider` now stores a last retrieved credentials which will later be served when IMDS is unreachable. * Add tests to IMDS credentials provider This commit adds tests to IMDS credentials providers for static stability support. These tests are prescribed in #2117. From an IMDS credentials provider' perspective, however, some of the tests are considered to fall under the same equivalence class with others. Therefore, a single test can cover multiple test cases. * Update CHANGELOG.next.toml * Update CHANGELOG.next.toml Co-authored-by: John DiSanti <jdisanti@amazon.com> --------- Co-authored-by: Yuki Saito <awsaito@amazon.com> Co-authored-by: John DiSanti <jdisanti@amazon.com>
smithy-lang · Feb 2, 2023 · d1c5e43 · d1c5e43
1 parent 8854830
commit d1c5e43
Show file tree

Hide file tree

Showing 6 changed files with 314 additions and 42 deletions.
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
@@ -62,3 +62,11 @@ message = "The [`@uniqueItems`](https://smithy.io/2.0/spec/constraint-traits.htm
 references = ["smithy-rs#2232", "smithy-rs#1670"]
 meta = { "breaking" = false, "tada" = true, "bug" = false, "target" = "server"}
 author = "david-perez"
+
+[[aws-sdk-rust]]
+message = """
+Add static stability support to IMDS credentials provider. It does not alter common use cases for the provider, but allows the provider to serve expired credentials in case IMDS is unreachable. This allows requests to be dispatched to a target service with expired credentials. This, in turn, allows the target service to make the ultimate decision as to whether requests sent are valid or not.
+"""
+references = ["smithy-rs#2258"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "ysaito1001"
diff --git a/aws/rust-runtime/aws-config/Cargo.toml b/aws/rust-runtime/aws-config/Cargo.toml
@@ -38,6 +38,9 @@ ring = "0.16"
 hex = "0.4.3"
 zeroize = "1"
 
+# implementation detail of IMDS credentials provider
+fastrand = "1"
+
 bytes = "1.1.0"
 http = "0.2.4"
 tower = { version = "0.4.8" }

diff --git a/aws/rust-runtime/aws-config/src/default_provider/credentials.rs b/aws/rust-runtime/aws-config/src/default_provider/credentials.rs
@@ -236,14 +236,22 @@ mod test {
             make_test!($name, execute_from_live_traffic);
         };
         ($name: ident, $func: ident) => {
+            make_test!($name, $func, std::convert::identity);
+        };
+        ($name: ident, $provider_config_builder: expr) => {
+            make_test!($name, execute, $provider_config_builder);
+        };
+        ($name: ident, $func: ident, $provider_config_builder: expr) => {
             #[traced_test]
             #[tokio::test]
             async fn $name() {
                 crate::test_case::TestEnvironment::from_dir(concat!(
                     "./test-data/default-provider-chain/",
                     stringify!($name)
                 ))
+                .await
                 .unwrap()
+                .with_provider_config($provider_config_builder)
                 .$func(|conf| async {
                     crate::default_provider::credentials::Builder::default()
                         .configure(conf)
@@ -269,12 +277,23 @@ mod test {
 
     make_test!(imds_no_iam_role);
     make_test!(imds_default_chain_error);
-    make_test!(imds_default_chain_success);
+    make_test!(imds_default_chain_success, |config| {
+        config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+            &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+        ))
+    });
     make_test!(imds_assume_role);
-    make_test!(imds_config_with_no_creds);
+    make_test!(imds_config_with_no_creds, |config| {
+        config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+            &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+        ))
+    });
     make_test!(imds_disabled);
-    make_test!(imds_default_chain_retries);
-
+    make_test!(imds_default_chain_retries, |config| {
+        config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+            &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+        ))
+    });
     make_test!(ecs_assume_role);
     make_test!(ecs_credentials);
     make_test!(ecs_credentials_invalid_profile);
@@ -284,11 +303,12 @@ mod test {
 
     #[tokio::test]
     async fn profile_name_override() {
-        let (_, conf) =
+        let conf =
             TestEnvironment::from_dir("./test-data/default-provider-chain/profile_static_keys")
+                .await
                 .unwrap()
                 .provider_config()
-                .await;
+                .clone();
         let provider = DefaultCredentialsChain::builder()
             .profile_name("secondary")
             .configure(conf)