Add static stability support to IMDS credentials provider

aws/rust-runtime/aws-config/Cargo.toml

@@ -38,6 +38,9 @@ ring = "0.16"
 hex = "0.4.3"
 zeroize = "1"
 
+# implementation detail of IMDS credentials provider
+fastrand = "1"
+
 bytes = "1.1.0"
 http = "0.2.4"
 tower = { version = "0.4.8" }

aws/rust-runtime/aws-config/src/default_provider/credentials.rs

@@ -6,6 +6,7 @@
 use std::borrow::Cow;
 
 use aws_credential_types::provider::{self, future, ProvideCredentials};
+use aws_smithy_async::rt::sleep::AsyncSleep;
 use tracing::Instrument;
 
 use crate::environment::credentials::EnvironmentVariableCredentialsProvider;
@@ -74,6 +75,17 @@ impl DefaultCredentialsChain {
  .instrument(tracing::debug_span!("provide_credentials", provider = %"default_chain"))
  .await
  }
+
+ async fn credentials_with_timeout(
+ &self,
+ sleeper: std::sync::Arc<dyn AsyncSleep>,
+ timeout: std::time::Duration,
+ ) -> provider::Result {
+ self.provider_chain
+ .provide_credentials_with_timeout(sleeper, timeout)
+ .instrument(tracing::debug_span!("provide_credentials", provider = %"default_chain"))
+ .await
+ }
 }
 
 impl ProvideCredentials for DefaultCredentialsChain {
@@ -83,6 +95,17 @@ impl ProvideCredentials for DefaultCredentialsChain {
  {
  future::ProvideCredentials::new(self.credentials())
  }
+
+ fn provide_credentials_with_timeout<'a>(
+ &'a self,
+ sleeper: std::sync::Arc<dyn AsyncSleep>,
+ timeout: std::time::Duration,
+ ) -> future::ProvideCredentials<'a>
+ where
+ Self: 'a,
+ {
+ future::ProvideCredentials::new(self.credentials_with_timeout(sleeper, timeout))
+ }
 }
 
 /// Builder for [`DefaultCredentialsChain`](DefaultCredentialsChain)
@@ -238,6 +261,7 @@ mod test {
  "./test-data/default-provider-chain/",
  stringify!($name)
  ))
+ .await
  .unwrap()
  .$func(|conf| async {
  crate::default_provider::credentials::Builder::default()
@@ -248,6 +272,26 @@ mod test {
  .await
  }
  };
+ ($name: ident, $provider_config_builder: expr) => {
+ #[traced_test]
+ #[tokio::test]
+ async fn $name() {
+ crate::test_case::TestEnvironment::from_dir(concat!(
+ "./test-data/default-provider-chain/",
+ stringify!($name)
+ ))
+ .await
+ .unwrap()
+ .with_provider_config($provider_config_builder)
+ .execute(|conf| async {
+ crate::default_provider::credentials::Builder::default()
+ .configure(conf)
+ .build()
+ .await
+ })
+ .await
+ }
+ };
  }
 
  make_test!(prefer_environment);
@@ -264,11 +308,23 @@ mod test {
 
  make_test!(imds_no_iam_role);
  make_test!(imds_default_chain_error);
- make_test!(imds_default_chain_success);
+ make_test!(imds_default_chain_success, |config| {
+ config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+ &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+ ))
+ });
  make_test!(imds_assume_role);
- make_test!(imds_config_with_no_creds);
+ make_test!(imds_config_with_no_creds, |config| {
+ config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+ &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+ ))
+ });
  make_test!(imds_disabled);
- make_test!(imds_default_chain_retries);
+ make_test!(imds_default_chain_retries, |config| {
+ config.with_time_source(aws_credential_types::time_source::TimeSource::testing(
+ &aws_credential_types::time_source::TestingTimeSource::new(std::time::UNIX_EPOCH),
+ ))
+ });
 
  make_test!(ecs_assume_role);
  make_test!(ecs_credentials);
@@ -279,11 +335,12 @@ mod test {
 
  #[tokio::test]
  async fn profile_name_override() {
- let (_, conf) =
+ let conf =
  TestEnvironment::from_dir("./test-data/default-provider-chain/profile_static_keys")
+ .await
  .unwrap()
  .provider_config()
- .await;
+ .clone();
  let provider = DefaultCredentialsChain::builder()
  .profile_name("secondary")
  .configure(conf)