smithy-lang · smilkuri · Jun 16, 2025 · Jun 17, 2025 · Jun 17, 2025 · Jun 17, 2025
@@ -0,0 +1,5 @@
+---
+"@smithy/credential-provider-imds": minor
+---
+
+Add support for account ID in IMDS credentials
@@ -15,7 +15,9 @@
     "lint": "eslint -c ../../.eslintrc.js \"src/**/*.ts\"",
     "format": "prettier --config ../../prettier.config.js --ignore-path ../../.prettierignore --write \"**/*.{ts,md,json}\"",
     "test": "yarn g:vitest run",
-    "test:watch": "yarn g:vitest watch"
+    "test:e2e": "yarn g:vitest run -c vitest.config.e2e.ts --mode development",
+    "test:watch": "yarn g:vitest watch",
+    "test:e2e:watch": "yarn g:vitest watch -c vitest.config.e2e.ts"
   },
   "keywords": [
     "aws",

@@ -5,7 +5,7 @@ import { parse } from "url";
 
 import { httpRequest } from "./remoteProvider/httpRequest";
 import { fromImdsCredentials, isImdsCredentials } from "./remoteProvider/ImdsCredentials";
-import { providerConfigFromInit, RemoteProviderInit } from "./remoteProvider/RemoteProviderInit";
+import { DEFAULT_MAX_RETRIES, DEFAULT_TIMEOUT, RemoteProviderInit } from "./remoteProvider/RemoteProviderInit";
 import { retry } from "./remoteProvider/retry";
 
 /**
@@ -28,7 +28,7 @@ export const ENV_CMDS_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
  * Container Metadata Service
  */
 export const fromContainerMetadata = (init: RemoteProviderInit = {}): AwsCredentialIdentityProvider => {
-  const { timeout, maxRetries } = providerConfigFromInit(init);
+  const { timeout = DEFAULT_TIMEOUT, maxRetries = DEFAULT_MAX_RETRIES } = init;
   return () =>
     retry(async () => {
       const requestOptions = await getCmdsUri({ logger: init.logger });

@@ -0,0 +1,126 @@
+import { afterEach, beforeEach, describe, expect, test as it } from "vitest";
+
+import { fromInstanceMetadata, getMetadataToken } from "./fromInstanceMetadata";
+import { getInstanceMetadataEndpoint } from "./utils/getInstanceMetadataEndpoint";
+
+describe("fromInstanceMetadata (Live EC2 E2E Tests)", () => {
+  const originalEnv = { ...process.env };
+  let imdsAvailable = false;
+
+  beforeEach(async () => {
+    process.env = { ...originalEnv };
+
+    // Check IMDS availability
+    try {
+      const testProvider = fromInstanceMetadata({ timeout: 9000 });
+      await testProvider();
+      imdsAvailable = true;
+    } catch (err) {
+      imdsAvailable = false;
+    }
+  });
+
+  afterEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  it("should fetch metadata token successfully", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+
+    const endpoint = await getInstanceMetadataEndpoint();
+    const token = await getMetadataToken(endpoint);
+    expect(token).toBeDefined();
+    expect(typeof token).toBe("string");
+    expect(token.length).toBeGreaterThan(0);
+  });
+
+  it("retrieves credentials successfully", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+
+    const provider = fromInstanceMetadata();
+    const credentials = await provider();
+
+    expect(credentials).toHaveProperty("accessKeyId");
+    expect(credentials).toHaveProperty("secretAccessKey");
+    expect(typeof credentials.accessKeyId).toBe("string");
+    expect(typeof credentials.secretAccessKey).toBe("string");
+  });
+
+  it("retrieves credentials with account ID on allowlisted instances", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+
+    const provider = fromInstanceMetadata();
+    const credentials = await provider();
+
+    if (!credentials.accountId) {
+      context.skip();
+    }
+
+    expect(credentials.accountId).toBeDefined();
+    expect(typeof credentials.accountId).toBe("string");
+  });
+
+  it("IMDS access disabled via AWS_EC2_METADATA_DISABLED", async () => {
+    process.env.AWS_EC2_METADATA_DISABLED = "true";
+
+    const provider = fromInstanceMetadata();
+
+    await expect(provider()).rejects.toThrow("IMDS credential fetching is disabled");
+  });
+
+  it("Empty configured profile name should throw error", async () => {
+    process.env.AWS_EC2_INSTANCE_PROFILE_NAME = "   ";
+
+    const provider = fromInstanceMetadata();
+
+    await expect(provider()).rejects.toThrow();
+  });
+
+  it("Uses configured profile name from env", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+
+    const provider = fromInstanceMetadata();
+
+    try {
+      const credentials = await provider();
+      expect(credentials).toHaveProperty("accessKeyId");
+    } catch (error) {
+      expect(error).toBeDefined();
+    }
+  });
+
+  it("Multiple calls return stable results", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+
+    const provider = fromInstanceMetadata();
+    const creds1 = await provider();
+    const creds2 = await provider();
+
+    expect(creds1.accessKeyId).toBeTruthy();
+    expect(creds2.accessKeyId).toBeTruthy();
+    expect(creds1.accessKeyId).toBe(creds2.accessKeyId);
+  });
+
+  /**
+   * The IMDS may respond too quickly to test this,
+   * even with 1ms timeout.
+   */
+  it.skip("should timeout as expected when a request exceeds the specified duration", async (context) => {
+    if (!imdsAvailable) {
+      return context.skip();
+    }
+    const provider = fromInstanceMetadata({ timeout: 1 });
+
+    await expect(provider()).rejects.toThrow(/timeout|timed out|TimeoutError/i);
+  });
+});