Fixed an issue where we were refreshing IMDS too aggressively.

millems · millems · commit 9e1ce1b47172 · 2022-07-08T11:19:30.000-07:00
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java
@@ -16,7 +16,7 @@
 package software.amazon.awssdk.auth.credentials;
 
 import static java.time.temporal.ChronoUnit.MINUTES;
-import static software.amazon.awssdk.utils.ComparableUtils.minimum;
+import static software.amazon.awssdk.utils.ComparableUtils.maximum;
 
 import java.io.IOException;
 import java.net.URI;
@@ -191,7 +191,7 @@ private Instant prefetchTime(Instant expiration) {
             return now.plus(5, MINUTES);
         }
 
-        return now.plus(minimum(timeUntilExpiration.abs().dividedBy(2), Duration.ofMinutes(5)));
+        return now.plus(maximum(timeUntilExpiration.abs().dividedBy(2), Duration.ofMinutes(5)));
     }
 
     @Override
diff --git a/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java b/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java
@@ -41,6 +41,7 @@
 import java.time.Instant;
 import java.time.ZoneId;
 import java.time.ZoneOffset;
+import java.time.temporal.ChronoUnit;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.Rule;
@@ -377,6 +378,42 @@ public void resolveCredentials_callsImdsIfCredentialsWithin5MinutesOfExpiration(
         assertThat(credentials10SecondsAgo.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY2");
     }
 
+    @Test
+    public void imdsCallFrequencyIsLimited() {
+        // Requires running the test multiple times to account for refresh jitter
+        for (int i = 0; i < 10; i++) {
+            AdjustableClock clock = new AdjustableClock();
+            AwsCredentialsProvider credentialsProvider = credentialsProviderWithClock(clock);
+            Instant now = Instant.now();
+            String successfulCredentialsResponse1 =
+                "{"
+                + "\"AccessKeyId\":\"ACCESS_KEY_ID\","
+                + "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\","
+                + "\"Expiration\":\"" + DateUtils.formatIso8601Date(now) + '"'
+                + "}";
+
+            String successfulCredentialsResponse2 =
+                "{"
+                + "\"AccessKeyId\":\"ACCESS_KEY_ID2\","
+                + "\"SecretAccessKey\":\"SECRET_ACCESS_KEY2\","
+                + "\"Expiration\":\"" + DateUtils.formatIso8601Date(now.plus(6, HOURS)) + '"'
+                + "}";
+
+            // Set the time to 5 minutes before expiration and call IMDS
+            clock.time = now.minus(5, MINUTES);
+            stubCredentialsResponse(aResponse().withBody(successfulCredentialsResponse1));
+            AwsCredentials credentials5MinutesAgo = credentialsProvider.resolveCredentials();
+
+            // Set the time to 1 second before expiration, and verify that do not call IMDS because it hasn't been 5 minutes yet
+            clock.time = now.minus(1, SECONDS);
+            stubCredentialsResponse(aResponse().withBody(successfulCredentialsResponse2));
+            AwsCredentials credentials1SecondsAgo = credentialsProvider.resolveCredentials();
+
+            assertThat(credentials5MinutesAgo).isEqualTo(credentials1SecondsAgo);
+            assertThat(credentials5MinutesAgo.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        }
+    }
+
     private AwsCredentialsProvider credentialsProviderWithClock(Clock clock) {
         InstanceProfileCredentialsProvider.BuilderImpl builder =
             (InstanceProfileCredentialsProvider.BuilderImpl) InstanceProfileCredentialsProvider.builder();
diff --git a/utils/src/main/java/software/amazon/awssdk/utils/ComparableUtils.java b/utils/src/main/java/software/amazon/awssdk/utils/ComparableUtils.java
@@ -57,4 +57,15 @@ public static <T extends Comparable<T>> T minimum(T... values) {
         return values == null ? null : Stream.of(values).min(Comparable::compareTo).orElse(null);
     }
 
+    /**
+     * Get the maximum value from a list of comparable vales.
+     *
+     * @param values The values from which the maximum should be extracted.
+     * @return The maximum value in the list.
+     */
+    @SafeVarargs
+    public static <T extends Comparable<T>> T maximum(T... values) {
+        return values == null ? null : Stream.of(values).max(Comparable::compareTo).orElse(null);
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`package software.amazon.awssdk.auth.credentials;`
`17`	`17`
`18`	`18`	`import static java.time.temporal.ChronoUnit.MINUTES;`
`19`		`-import static software.amazon.awssdk.utils.ComparableUtils.minimum;`
	`19`	`+import static software.amazon.awssdk.utils.ComparableUtils.maximum;`
`20`	`20`
`21`	`21`	`import java.io.IOException;`
`22`	`22`	`import java.net.URI;`
`@@ -191,7 +191,7 @@ private Instant prefetchTime(Instant expiration) {`
`191`	`191`	`return now.plus(5, MINUTES);`
`192`	`192`	`}`
`193`	`193`
`194`		`- return now.plus(minimum(timeUntilExpiration.abs().dividedBy(2), Duration.ofMinutes(5)));`
	`194`	`+ return now.plus(maximum(timeUntilExpiration.abs().dividedBy(2), Duration.ofMinutes(5)));`
`195`	`195`	`}`
`196`	`196`
`197`	`197`	`@Override`