Remove deprecated IMDSv1 support (#3664)

Author: normj

generator/.DevConfigs/321FCC2C-F938-46E4-BF84-29E947716685.json

@@ -0,0 +1,9 @@
+{
+    "core": {
+      "changeLogMessages": [
+        "[Breaking Change] Remove support for deprecated IMDS v1."
+      ],
+      "type": "patch",
+      "updateMinimum": true
+    }
+  }

sdk/src/Core/Amazon.Runtime/CredentialManagement/CredentialProfile.cs

@@ -120,14 +120,6 @@ internal Dictionary<string, Dictionary<string, string>> NestedProperties
         /// </summary>
         public EC2MetadataServiceEndpointMode? EC2MetadataServiceEndpointMode { get; set; }
 
-        /// <summary>
-        /// If set to true the SDK logic for falling back to V1 will be disabled.
-        /// When using the SDK on an EC2 instance that has configured instance metadata service to 
-        /// use V1 only, a InvalidOperationException exception will be thrown when attempting to access
-        /// the metadata in EC2 instance metadata.This includes AWS credentials and region information.
-        /// </summary>
-        public bool? EC2MetadataV1Disabled { get; set; }
-
         /// <summary>
         /// Configures the endpoint calculation to go to a dual stack (ipv6 enabled) endpoint
         /// for the configured region.

sdk/src/Core/Amazon.Runtime/CredentialManagement/SharedCredentialsFile.cs

@@ -60,7 +60,6 @@ public class SharedCredentialsFile : ICredentialProfileStore
         private const string SsoSession = "sso_session";
         private const string EC2MetadataServiceEndpointField = "ec2_metadata_service_endpoint";
         private const string EC2MetadataServiceEndpointModeField = "ec2_metadata_service_endpoint_mode";
-        private const string EC2MetadataV1DisabledField = "ec2_metadata_v1_disabled";
         private const string UseDualstackEndpointField = "use_dualstack_endpoint";
         private const string UseFIPSEndpointField = "use_fips_endpoint";
         private const string EndpointUrlField = "endpoint_url";
@@ -94,7 +93,6 @@ public class SharedCredentialsFile : ICredentialProfileStore
             SsoSession,
             EC2MetadataServiceEndpointField,
             EC2MetadataServiceEndpointModeField,
-            EC2MetadataV1DisabledField,
             UseDualstackEndpointField,
             UseFIPSEndpointField,
             DefaultConfigurationModeField,
@@ -415,9 +413,6 @@ private void RegisterProfileInternal(CredentialProfile profile)
             if (profile.EC2MetadataServiceEndpointMode != null)
                 reservedProperties[EC2MetadataServiceEndpointModeField] = profile.EC2MetadataServiceEndpointMode.ToString().ToLowerInvariant();
 
-            if (profile.EC2MetadataV1Disabled != null)
-                reservedProperties[EC2MetadataV1DisabledField] = profile.EC2MetadataV1Disabled.ToString().ToLowerInvariant();
-
             if (profile.UseDualstackEndpoint != null)
                 reservedProperties[UseDualstackEndpointField] = profile.UseDualstackEndpoint.ToString().ToLowerInvariant();
 
@@ -794,20 +789,6 @@ private bool TryGetProfile(string profileName, bool doRefresh, bool isSsoSession
                     }
                 }
 
-                string ec2MetadataV1DisabledString;
-                bool? ec2MetadataV1Disabled = null;
-                if (reservedProperties.TryGetValue(EC2MetadataV1DisabledField, out ec2MetadataV1DisabledString))
-                {
-                    bool ec2MetadataV1DisabledOut;
-                    if (!bool.TryParse(ec2MetadataV1DisabledString, out ec2MetadataV1DisabledOut))
-                    {
-                        Logger.GetLogger(GetType()).InfoFormat("Invalid value {0} for {1} in profile {2}. A boolean true/false is expected.", ec2MetadataV1DisabledString, EC2MetadataV1DisabledField, profileName);
-                        profile = null;
-                        return false;
-                    }
-                    ec2MetadataV1Disabled = ec2MetadataV1DisabledOut;
-                }
-
                 string useDualstackEndpointString;
                 bool? useDualstackEndpoint = null;
                 if (reservedProperties.TryGetValue(UseDualstackEndpointField, out useDualstackEndpointString))
@@ -966,7 +947,6 @@ private bool TryGetProfile(string profileName, bool doRefresh, bool isSsoSession
                     MaxAttempts = maxAttempts,
                     EC2MetadataServiceEndpoint = ec2MetadataServiceEndpoint,
                     EC2MetadataServiceEndpointMode = ec2MetadataServiceEndpointMode,
-                    EC2MetadataV1Disabled = ec2MetadataV1Disabled,
                     UseDualstackEndpoint = useDualstackEndpoint,
                     UseFIPSEndpoint = useFIPSEndpoint,
                     NestedProperties = nestedProperties,

sdk/src/Core/Amazon.Runtime/Credentials/InstanceProfileAWSCredentials.cs

@@ -79,7 +79,6 @@ protected override CredentialsRefreshState GenerateNewCredentials()
 
                 if (httpStatusCode == HttpStatusCode.Unauthorized)
                 {
-                    EC2InstanceMetadata.ClearTokenFlag();
                     Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
                     throw;
                 }
@@ -136,7 +135,6 @@ protected override CredentialsRefreshState GenerateNewCredentials()
 
                     if (httpStatusCode == HttpStatusCode.Unauthorized)
                     {
-                        EC2InstanceMetadata.ClearTokenFlag();
                         Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
                     }
 
@@ -231,7 +229,6 @@ public static IEnumerable<string> GetAvailableRoles(IWebProxy proxy)
 
                 if (httpStatusCode == HttpStatusCode.Unauthorized)
                 {
-                    EC2InstanceMetadata.ClearTokenFlag();
                     Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
                 }
 

sdk/src/Core/Amazon.Runtime/Internal/InternalConfiguration.cs

@@ -51,11 +51,6 @@ public class InternalConfiguration
         /// </summary>
         public string EC2MetadataServiceEndpoint { get; set; }
 
-        /// <summary>
-        /// Controls whether request EC2 metadata v1 fallback is disabled.
-        /// </summary>
-        public bool? EC2MetadataV1Disabled { get; set; }
-
         /// <summary>
         /// Internet protocol version to be used for communicating with the EC2 Instance Metadata Service
         /// </summary>
@@ -134,7 +129,6 @@ public class EnvironmentVariableInternalConfiguration : InternalConfiguration
         public const string ENVIRONMENT_VARIABLE_AWS_RETRY_MODE = "AWS_RETRY_MODE";
         public const string ENVIRONMENT_VARIABLE_AWS_EC2_METADATA_SERVICE_ENDPOINT = "AWS_EC2_METADATA_SERVICE_ENDPOINT";
         public const string ENVIRONMENT_VARIABLE_AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE = "AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE";
-        public const string ENVIRONMENT_VARIABLE_AWS_EC2_METADATA_V1_DISABLED = "AWS_EC2_METADATA_V1_DISABLED";
         public const string ENVIRONMENT_VARIABLE_AWS_USE_DUALSTACK_ENDPOINT = "AWS_USE_DUALSTACK_ENDPOINT";
         public const string ENVIRONMENT_VARIABLE_AWS_USE_FIPS_ENDPOINT = "AWS_USE_FIPS_ENDPOINT";
         public const string ENVIRONMENT_VARIABLE_AWS_IGNORE_CONFIGURED_ENDPOINT_URLS = "AWS_IGNORE_CONFIGURED_ENDPOINT_URLS";
@@ -160,7 +154,6 @@ public EnvironmentVariableInternalConfiguration()
             RetryMode = GetEnvironmentVariable<RequestRetryMode>(ENVIRONMENT_VARIABLE_AWS_RETRY_MODE);
             EC2MetadataServiceEndpoint = GetEC2MetadataEndpointEnvironmentVariable();
             EC2MetadataServiceEndpointMode = GetEnvironmentVariable<EC2MetadataServiceEndpointMode>(ENVIRONMENT_VARIABLE_AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE);
-            EC2MetadataV1Disabled = GetEnvironmentVariable<bool>(ENVIRONMENT_VARIABLE_AWS_EC2_METADATA_V1_DISABLED);
             UseDualstackEndpoint = GetEnvironmentVariable<bool>(ENVIRONMENT_VARIABLE_AWS_USE_DUALSTACK_ENDPOINT);
             UseFIPSEndpoint = GetEnvironmentVariable<bool>(ENVIRONMENT_VARIABLE_AWS_USE_FIPS_ENDPOINT);
             IgnoreConfiguredEndpointUrls = GetEnvironmentVariable(ENVIRONMENT_VARIABLE_AWS_IGNORE_CONFIGURED_ENDPOINT_URLS, false);
@@ -336,7 +329,6 @@ private void Setup(ICredentialProfileSource source, string profileName)
                 MaxAttempts = profile.MaxAttempts;
                 EC2MetadataServiceEndpoint = profile.EC2MetadataServiceEndpoint;
                 EC2MetadataServiceEndpointMode = profile.EC2MetadataServiceEndpointMode;
-                EC2MetadataV1Disabled = profile.EC2MetadataV1Disabled;
                 UseDualstackEndpoint = profile.UseDualstackEndpoint;
                 UseFIPSEndpoint = profile.UseFIPSEndpoint;
                 IgnoreConfiguredEndpointUrls = profile.IgnoreConfiguredEndpointUrls;
@@ -361,7 +353,6 @@ private void Setup(ICredentialProfileSource source, string profileName)
                 new KeyValuePair<string, object>("max_attempts", profile.MaxAttempts),
                 new KeyValuePair<string, object>("ec2_metadata_service_endpoint", profile.EC2MetadataServiceEndpoint),
                 new KeyValuePair<string, object>("ec2_metadata_service_endpoint_mode", profile.EC2MetadataServiceEndpointMode),
-                new KeyValuePair<string, object>("ec2_metadata_v1_disabled", profile.EC2MetadataV1Disabled),
                 new KeyValuePair<string, object>("use_dualstack_endpoint", profile.UseDualstackEndpoint),
                 new KeyValuePair<string, object>("use_fips_endpoint", profile.UseFIPSEndpoint),
                 new KeyValuePair<string,object>( "ignore_configured_endpoint_urls", profile.IgnoreConfiguredEndpointUrls),
@@ -433,7 +424,6 @@ public static void Reset()
             _cachedConfiguration.MaxAttempts = SeekValue(standardGenerators, (c) => c.MaxAttempts);
             _cachedConfiguration.EC2MetadataServiceEndpoint = SeekString(standardGenerators, (c) => c.EC2MetadataServiceEndpoint);
             _cachedConfiguration.EC2MetadataServiceEndpointMode = SeekValue(standardGenerators, (c) => c.EC2MetadataServiceEndpointMode);
-            _cachedConfiguration.EC2MetadataV1Disabled = SeekValue(standardGenerators, (c) => c.EC2MetadataV1Disabled);
             _cachedConfiguration.UseDualstackEndpoint = SeekValue(standardGenerators, (c) => c.UseDualstackEndpoint);
             _cachedConfiguration.UseFIPSEndpoint = SeekValue(standardGenerators, (c) => c.UseFIPSEndpoint);
             _cachedConfiguration.IgnoreConfiguredEndpointUrls = SeekValue(standardGenerators, (c) => c.IgnoreConfiguredEndpointUrls);
@@ -525,17 +515,6 @@ public static string EC2MetadataServiceEndpoint
             }
         }
 
-        /// <summary>
-        /// Controls whether request EC2 metadata v1 fallback is disabled.
-        /// </summary>
-        public static bool? EC2MetadataV1Disabled
-        {
-            get
-            {
-                return _cachedConfiguration.EC2MetadataV1Disabled;
-            }
-        }
-
         /// <summary>
         /// Internet protocol version to be used for communicating with the EC2 Instance Metadata Service
         /// </summary>

sdk/src/Core/Amazon.Util/EC2InstanceMetadata.cs

@@ -63,8 +63,6 @@ private static int
 
         private static Dictionary<string, string> _cache = new Dictionary<string, string>();
 
-        private static bool useNullToken = false;
-
         private static ReaderWriterLockSlim metadataLock = new ReaderWriterLockSlim(); // Lock to control getting metadata across multiple threads.
         private static readonly TimeSpan metadataLockTimeout = TimeSpan.FromMilliseconds(5000);
         private static readonly string _userAgent = InternalSDKUtils.BuildUserAgentString(string.Empty, string.Empty);
@@ -116,10 +114,7 @@ public static string ServiceEndpoint
         public static string EC2ApiTokenUrl => ServiceEndpoint + LATEST + "/api/token";
 
         /// <summary>
-        /// If set to true the SDK logic for falling back to V1 will be disabled.
-        /// When using the SDK on an EC2 instance that has configured instance metadata service to 
-        /// use V1 only, a InvalidOperationException exception will be thrown when attempting to access
-        /// the metadata in EC2 instance metadata.This includes AWS credentials and region information.
+        /// Disable accessing EC2 instance metadata service (IMDS).
         /// The default value is false.
         /// </summary>
         public static bool IsIMDSEnabled
@@ -136,23 +131,6 @@ public static bool IsIMDSEnabled
             }
         }
 
-        private static bool? _ec2MetadataV1Disabled;
-        
-        /// <summary>
-        /// Controls whether request EC2 metadata v1 fallback is disabled.
-        /// </summary>
-        public static bool EC2MetadataV1Disabled
-        {
-            get
-            {
-                if (_ec2MetadataV1Disabled.HasValue)
-                    return _ec2MetadataV1Disabled.Value;
-                return FallbackInternalConfigurationFactory.EC2MetadataV1Disabled.GetValueOrDefault();
-            }
-            set { _ec2MetadataV1Disabled = value; }
-        }
-
-
         /// <summary>
         /// Allows to configure the proxy used for HTTP requests. The default value is null.
         /// </summary>
@@ -647,9 +625,11 @@ public static string FetchApiToken()
         /// <returns>The API token or null if an API token couldn't be obtained and doesn't need to be used</returns>
         private static string FetchApiToken(int tries)
         {
+            const string errorFailFastMessage = "IMDS rejected request to get API token.";
+            const string errorMessage = "Unable to retrieve token for use in IMDSv2.";
             for (int retry = 1; retry <= tries; retry++)
             {
-                if (!IsIMDSEnabled || useNullToken)
+                if (!IsIMDSEnabled)
                 {
                     return null;
                 }
@@ -672,55 +652,26 @@ private static string FetchApiToken(int tries)
                         || httpStatusCode == HttpStatusCode.MethodNotAllowed
                         || httpStatusCode == HttpStatusCode.Forbidden)
                     {
-                        if (EC2MetadataV1Disabled)
-                        {
-                            throw new InvalidOperationException("Unable to retrieve token for use in IMDSv2 call and IMDSv1 has been disabled.");
-                        }
-
-                        useNullToken = true;
-                        return null;
+                        throw new InvalidOperationException(errorFailFastMessage);
                     }
 
                     if (retry >= tries)
                     {
                         if (httpStatusCode == HttpStatusCode.BadRequest)
                         {
-                            Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "Unable to contact EC2 Metadata service to obtain a metadata token.");
+                            Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, errorMessage);
                             throw;
                         }
 
-                        Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "Unable to contact EC2 Metadata service to obtain a metadata token. Attempting to access IMDS without a token.");
-
-                        //If there isn't a status code, it was a failure to contact the server which would be
-                        //a request failure, a network issue, or a timeout. Cache this response and fallback
-                        //to IMDS flow without a token unless EC2MetadataV1Disabled is set to true. If the non
-                        //token IMDS flow returns unauthorized, the useNullToken flag will be cleared and the IMDS
-                        //flow will attempt to obtain another token.
-
-                        if (EC2MetadataV1Disabled)
-                        {
-                            throw new InvalidOperationException("Unable to retrieve token for use in IMDSv2 call and IMDSv1 has been disabled.");
-                        }
-
-                        if (httpStatusCode == null)
-                        {
-                            useNullToken = true;
-                        }
-
-                        //Return null to fallback to the IMDS flow without using a token.                    
-                        return null;
+                        Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, errorMessage);
+                        throw new InvalidOperationException(errorMessage);
                     }
 
                     PauseExponentially(retry - 1);
                 }
             }
 
-            return null;
-        }
-
-        public static void ClearTokenFlag()
-        {
-            useNullToken = false;
+            throw new InvalidOperationException(errorMessage);
         }
 
         private static List<string> GetItems(string relativeOrAbsolutePath, int tries, bool slurp)
@@ -735,16 +686,20 @@ private static List<string> GetItems(string relativeOrAbsolutePath, int tries, b
             //token cannot be obtained we will fallback to not using a token.
             if (token == null)
             {
-                token = FetchApiToken(DEFAULT_RETRIES);
+                try
+                {
+                    token = FetchApiToken(DEFAULT_RETRIES);
+                }
+                catch(InvalidOperationException e)
+                {
+                    Logger.GetLogger(typeof(EC2InstanceMetadata)).InfoFormat("Failed to retrieve IMDS data \"{0}\" because IMDS API token could not be retrieved: {1}", relativeOrAbsolutePath, e.Message);
+                    return null; // If we could not get a token then assume we are not running in an EC2 instance and return null.
+                }
             }
 
             var headers = new Dictionary<string, string>();
             headers.Add(HeaderKeys.UserAgentHeader, _userAgent);
-
-            if (!string.IsNullOrEmpty(token))
-            {
-                headers.Add(HeaderKeys.XAwsEc2MetadataToken, token);
-            }
+            headers.Add(HeaderKeys.XAwsEc2MetadataToken, token);
 
             try
             {
@@ -792,7 +747,6 @@ private static List<string> GetItems(string relativeOrAbsolutePath, int tries, b
                 }
                 else if (httpStatusCode == HttpStatusCode.Unauthorized)
                 {
-                    ClearTokenFlag();
                     Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
                     throw;
                 }