Clean up IMDS provider

gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -19,6 +19,8 @@ class InstanceProfileCredentials
     include CredentialProvider
     include RefreshingCredentials
 
+    # Raised when the metadata path with profile name was not found.
+    # @api private
     class InvalidProfile < RuntimeError; end
 
     # Path base for GET request for profile and credentials
@@ -27,7 +29,8 @@ class InvalidProfile < RuntimeError; end
 
     # Extended path base for GET request for profile and credentials
     # @api private
-    METADATA_EXTENDED_PATH = '/latest/meta-data/iam/security-credentials-extended/'
+    METADATA_EXTENDED_PATH =
+      '/latest/meta-data/iam/security-credentials-extended/'
 
     # @param [Hash] options
     # @option options [Aws::EC2Metadata] :client A custom EC2 metadata client to
@@ -42,7 +45,8 @@ class InvalidProfile < RuntimeError; end
     #   * `~/.aws/config`
     #
     # @option options [Integer] :retries (3) Number of times to retry
-    #   when retrieving credentials.
+    #   when retrieving credentials. Defaults to `1` when resolving from
+    #   the default credential chain
     # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
     #   endpoint. This option has precedence over the `:endpoint_mode`.
     # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for the
@@ -71,29 +75,95 @@ class InvalidProfile < RuntimeError; end
     def initialize(options = {})
       @client = options[:client] ||
                 EC2Metadata.new(resolve_client_opts(options))
-      @disable_ec2_metadata = resolve_disable_ec2_metadata(options)
       @ec2_instance_profile_name = resolve_ec2_instance_profile_name(options)
       @no_refresh_until = nil
       @metrics = ['CREDENTIALS_IMDS']
 
-      # these are internal tracking
       @api_version = :unknown
       @resolved_profile = nil
       super
     end
 
     # @return [Integer] Number of times to retry when retrieving credentials
     #   from the instance metadata service. Defaults to `1` when resolving from
-    #   the default credential chain ({Aws::CredentialProviderChain}).
+    #   the default credential chain.
     def retries
       @client.retries
     end
 
     private
 
+    # tracks which api version is used to call IMDS service
+    # starts as :unknown and updated to either
+    # :extended or :legacy after the first successful call
     attr_accessor :api_version
+
+    # tracks profile name returned from an IMDS call
     attr_accessor :resolved_profile
 
+    def empty_credentials?(creds)
+      return true if creds.nil?
+
+      !creds.set?
+    end
+
+    def fetch_credentials
+      profile_name = resolve_profile_name
+
+      begin
+        creds = @client.get(metadata_path + profile_name)
+        @api_version = :extended if @api_version == :unknown
+        creds
+      rescue EC2Metadata::MetadataNotFoundError
+        if @api_version == :unknown
+          @api_version = :legacy
+          fetch_credentials
+        elsif @ec2_instance_profile_name.nil?
+          # cache profile may have been replaced
+          @resolved_profile = nil
+          fetch_credentials
+        else
+          raise InvalidProfile
+        end
+      end
+    rescue StandardError => e
+      raise if e.is_a?(InvalidProfile)
+
+      warn("Error retrieving instance profile credentials: #{e}")
+      '{}'
+    end
+
+    def metadata_path
+      case @api_version
+      when :legacy then METADATA_LEGACY_PATH
+      else METADATA_EXTENDED_PATH
+      end
+    end
+
+    def refresh
+      if @no_refresh_until && @no_refresh_until > Time.now
+        warn_expired_credentials
+        return
+      end
+
+      new_creds = Aws::Json.load(fetch_credentials)
+      if !empty_credentials?(@credentials) &&
+         (!new_creds['AccessKeyId'] || new_creds['AccessKeyId'].empty?)
+        # credentials are already set
+        # error getting new credentials
+        # so don't update the credentials
+        @no_refresh_until = Time.now + refresh_offset
+        warn_expired_credentials
+      else
+        update_credentials(new_creds)
+      end
+    end
+
+    # Compute an offset for refresh with jitter
+    def refresh_offset
+      rand(300..360)
+    end
+
     def resolve_client_opts(options)
       opts = options.dup
       opts[:backoff] = opts[:delay] if opts[:delay]
@@ -105,14 +175,6 @@ def resolve_client_opts(options)
       )
     end
 
-    def resolve_disable_ec2_metadata(options)
-      value =
-        ENV['AWS_EC2_METADATA_DISABLED'] ||
-        Aws.shared_config.disable_ec2_metadata(profile: options[:profile]) ||
-        'false'
-      Aws::Util.str_2_bool(value)
-    end
-
     def resolve_ec2_instance_profile_name(options)
       value =
         options[:ec2_instance_profile_name] ||
@@ -139,79 +201,27 @@ def resolve_endpoint_mode(options)
         ) || 'IPv4'
     end
 
-    def refresh
-      if @no_refresh_until && @no_refresh_until > Time.now
-        warn_expired_credentials
-        return
-      end
-
-      new_creds = Aws::Json.load(fetch_credentials)
-      if !empty_credentials?(@credentials) && # not empty
-         (!new_creds['AccessKeyId'] || new_creds['AccessKeyId'].empty?)
-        # credentials are already set
-        # error getting new credentials
-        # don't update the credentials
-        @no_refresh_until = Time.now + refresh_offset
-        warn_expired_credentials
-      else
-        update_credentials(new_creds)
-      end
-    end
-
     def resolve_profile_name
       if @ec2_instance_profile_name
         @ec2_instance_profile_name
       elsif @resolved_profile
         @resolved_profile
       else
         begin
-          metadata = @client.get(path)
-          @resolved_profile = JSON.parse(metadata.lines.first.strip)
+          metadata = @client.get(metadata_path)
+          @resolved_profile = Aws::Json.load(metadata.lines.first.strip)
           @api_version = :extended if @api_version == :unknown
           @resolved_profile
         rescue EC2Metadata::MetadataNotFoundError
           raise unless @api_version == :unknown
 
+          # fall back to legacy api
           @api_version = :legacy
           resolve_profile_name
         end
       end
     end
 
-    def path
-      case @api_version
-      when :legacy then METADATA_LEGACY_PATH
-      else METADATA_EXTENDED_PATH
-      end
-    end
-
-    def fetch_credentials
-      return '{}' if @disable_ec2_metadata
-
-      profile_name = resolve_profile_name
-      # use profile name
-      begin
-        creds = @client.get(path + profile_name)
-        @api_version = :extended if @api_version == :unknown
-        creds
-      rescue EC2Metadata::MetadataNotFoundError
-        if @api_version == :unknown
-          @api_version = :legacy
-          fetch_credentials
-        elsif @ec2_instance_profile_name.nil?
-          @resolved_profile = nil
-          fetch_credentials
-        else
-          raise InvalidProfile
-        end
-      end
-    rescue StandardError => e
-      raise if e.is_a?(InvalidProfile)
-
-      warn("Error retrieving instance profile credentials: #{e}")
-      '{}'
-    end
-
     def update_credentials(creds)
       @credentials = Credentials.new(
         creds['AccessKeyId'],
@@ -228,20 +238,11 @@ def update_credentials(creds)
     end
 
     def warn_expired_credentials
-      warn('Attempting credential expiration extension due to a credential '\
-             'service availability issue. A refresh of these credentials '\
-             'will be attempted again in 5 minutes.')
-    end
-
-    def empty_credentials?(creds)
-      return true if creds.nil?
-
-      !creds.set?
-    end
-
-    # Compute an offset for refresh with jitter
-    def refresh_offset
-      rand(300..360)
+      warn(
+        'Attempting credential expiration extension due to a credential '\
+        'service availability issue. A refresh of these credentials '\
+        'will be attempted again in 5 minutes.'
+      )
     end
   end
 end