feat: add support for accountId in imds #1621

smilkuri · 2025-06-16T19:47:51Z

Issue #, if available:
Internal JS-5966

Description of changes:

This PR adds support for version 2.1 of the IMDS credentials provider. With this update, the provider can now retrieve credentials that include an account ID.

To support this functionality, the credentials provider first attempts to access the extended API endpoint, which ends with -extended. If this endpoint returns a 404, the provider falls back to the legacy API endpoint—the same one used in the IMDS credentials provider v2.0.

This "try extended API, then fall back to legacy API" pattern is applied to both retrieving the IMDS instance profile name and fetching credentials.
Only the extended API can return credentials that include an account ID.

The PR also made the following IMDS credentials providers options configurable:

Disable IMDS credentials fetching
IMDS instance profile name

Both options can be configured via environment variables or a shared config file, with environment variables taking precedence over the config file.

ToDo:

Add support for feature Id tracking

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

kuhe · 2025-06-18T15:21:59Z

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

  });

  beforeEach(() => {
    vi.mocked(staticStabilityProvider).mockImplementation((input) => input);
    vi.mocked(getInstanceMetadataEndpoint).mockResolvedValue({ hostname } as any);
+    vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(false));


this is hard to understand because the mock is too broad. What config property is being targeted by this mock return value?

Can the mock be made more specific so we can tell what config property it is trying to intercept?

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

packages/credential-provider-imds/src/fromInstanceMetadata.ts

kuhe · 2025-06-18T15:43:15Z

create e2e test suite runnable in an EC2 instance. Extra testing is important for credentials-related code

packages/credential-provider-imds/src/fromInstanceMetadata.ts

packages/credential-provider-imds/src/fromInstanceMetadata.e2e.spec.ts

packages/credential-provider-imds/src/fromInstanceMetadata.ts

kuhe · 2025-06-26T17:26:34Z

comments for the PR as of June 26:

variable names need to differentiate "AWS_PROFILE" init.profile, "imdsProfile", and "ec2InstanceProfile". How do these conceptually relate to each other? Are profile and imds profile separate? Is ec2InstanceProfile a subset of imdsProfile?
I updated the PR to not use positional arguments. There were too many redundancies between elements of the RemoteProviderInit and positional args like maxRetries, logger, "profile" etc. and the use of "profile" as an argument name was too ambiguous.
more tests are needed to cover variations in inputs/config

kuhe

the PR is on hold

smilkuri force-pushed the imds2.1 branch from b9ce699 to ba11080 Compare June 17, 2025 16:45

kuhe reviewed Jun 18, 2025

View reviewed changes

smilkuri force-pushed the imds2.1 branch 2 times, most recently from ae61133 to 1b4f991 Compare June 23, 2025 15:43

kuhe marked this pull request as ready for review June 24, 2025 14:04

kuhe requested a review from a team as a code owner June 24, 2025 14:04

kuhe changed the title ~~[Draft] feat: add support for accountId in imds~~ feat: add support for accountId in imds Jun 24, 2025