protected override CredentialsRefreshState GenerateNewCredentials()
{
CredentialsRefreshState newState = null;
var token = EC2InstanceMetadata.FetchApiToken();
try
{
// Attempt to get early credentials. OK to fail at this point.
newState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials));
logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e);
}
// If successful, save new credentials
if (newState != null)
{
_currentRefreshState = newState;
}
// If still not successful (no credentials available at start), attempt once more to
// get credentials, but now without swallowing exception
if (_currentRefreshState == null)
{
try
{
_currentRefreshState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
}
// Return credentials that will expire in at most one hour
CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState);
return(state);
}
/// <summary>
/// Retrieves a list of all roles available through current InstanceProfile service
/// </summary>
/// <returns></returns>
public static IEnumerable <string> GetAvailableRoles(IWebProxy proxy)
{
var token = EC2InstanceMetadata.FetchApiToken();
var allAliases = string.Empty;
try
{
allAliases = GetContents(RolesUri, proxy, CreateMetadataTokenHeaders(token));
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
if (string.IsNullOrEmpty(allAliases))
{
yield break;
}
string[] parts = allAliases.Split(AliasSeparators, StringSplitOptions.RemoveEmptyEntries);
foreach (var part in parts)
{
var trim = part.Trim();
if (!string.IsNullOrEmpty(trim))
{
yield return(trim);
}
}
}
private static List <string> GetItems(string path, int tries, bool slurp, string token)
{
var items = new List <string>();
//For all meta-data queries we need to fetch an api token to use. In the event a
//token cannot be obtained we will fallback to not using a token.
Dictionary <string, string> headers = null;
if (token == null)
{
token = Amazon.Util.EC2InstanceMetadata.FetchApiToken();
}
if (!string.IsNullOrEmpty(token))
{
headers = new Dictionary <string, string>();
headers.Add(HeaderKeys.XAwsEc2MetadataToken, token);
}
try
{
if (!Amazon.Util.EC2InstanceMetadata.IsIMDSEnabled)
{
throw new IMDSDisabledException();
}
HttpWebRequest request;
if (path.StartsWith("http", StringComparison.Ordinal))
{
request = WebRequest.Create(path) as HttpWebRequest;
}
else
{
request = WebRequest.Create(EC2_METADATA_ROOT + path) as HttpWebRequest;
}
request.Timeout = (int)TimeSpan.FromSeconds(5).TotalMilliseconds;
request.UserAgent = _userAgent;
if (headers != null)
{
foreach (var header in headers)
{
request.Headers.Add(header.Key, header.Value);
}
}
using (var response = request.GetResponse())
{
using (var stream = new StreamReader(response.GetResponseStream()))
{
if (slurp)
{
items.Add(stream.ReadToEnd());
}
else
{
string line;
do
{
line = stream.ReadLine();
if (line != null)
{
items.Add(line.Trim());
}
}while (line != null);
}
}
}
}
catch (WebException wex)
{
var response = wex.Response as HttpWebResponse;
if (response != null)
{
if (response.StatusCode == HttpStatusCode.NotFound)
{
return(null);
}
else if (response.StatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
}
if (tries <= 1)
{
Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "Unable to contact EC2 Metadata service.");
return(null);
}
PauseExponentially(tries);
return(GetItems(path, tries - 1, slurp, token));
}
catch (IMDSDisabledException)
{
// Keep this behavior identical to when HttpStatusCode.NotFound is returned.
return(null);
}
return(items);
}
protected override CredentialsRefreshState GenerateNewCredentials()
{
CredentialsRefreshState newState = null;
var token = EC2InstanceMetadata.FetchApiToken();
try
{
// Attempt to get early credentials. OK to fail at this point.
newState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials));
logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e);
// if we already have cached credentials, we'll continue to use those credentials,
// but try again to refresh them in 2 minutes.
if (null != _currentRefreshState)
{
#pragma warning disable CS0612 // Type or member is obsolete
var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(2);
#pragma warning restore CS0612 // Type or member is obsolete
_currentRefreshState = new CredentialsRefreshState(_currentRefreshState.Credentials.Copy(), newExpiryTime);
return(_currentRefreshState);
}
}
if (newState?.IsExpiredWithin(TimeSpan.Zero) == true)
{
// special case - credentials returned are expired
_logger.InfoFormat(_receivedExpiredCredentialsFromIMDS);
// use a custom refresh time
#pragma warning disable CS0612 // Type or member is obsolete
var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(new Random().Next(5, 16));
#pragma warning restore CS0612 // Type or member is obsolete
_currentRefreshState = new CredentialsRefreshState(newState.Credentials.Copy(), newExpiryTime);
return(_currentRefreshState);
}
// If successful, save new credentials
if (newState != null)
{
_currentRefreshState = newState;
}
// If still not successful (no credentials available at start), attempt once more to
// get credentials, but now without swallowing exception
if (_currentRefreshState == null)
{
try
{
_currentRefreshState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
}
// Return credentials that will expire in at most one hour
CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState);
return(state);
}