protected override CredentialsRefreshState GenerateNewCredentials() { CredentialsRefreshState newState = null; var token = EC2InstanceMetadata.FetchApiToken(); try { // Attempt to get early credentials. OK to fail at this point. newState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials)); logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e); } // If successful, save new credentials if (newState != null) { _currentRefreshState = newState; } // If still not successful (no credentials available at start), attempt once more to // get credentials, but now without swallowing exception if (_currentRefreshState == null) { try { _currentRefreshState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } } // Return credentials that will expire in at most one hour CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState); return(state); }
/// <summary> /// Retrieves a list of all roles available through current InstanceProfile service /// </summary> /// <returns></returns> public static IEnumerable <string> GetAvailableRoles(IWebProxy proxy) { var token = EC2InstanceMetadata.FetchApiToken(); var allAliases = string.Empty; try { allAliases = GetContents(RolesUri, proxy, CreateMetadataTokenHeaders(token)); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } if (string.IsNullOrEmpty(allAliases)) { yield break; } string[] parts = allAliases.Split(AliasSeparators, StringSplitOptions.RemoveEmptyEntries); foreach (var part in parts) { var trim = part.Trim(); if (!string.IsNullOrEmpty(trim)) { yield return(trim); } } }
private static List <string> GetItems(string path, int tries, bool slurp, string token) { var items = new List <string>(); //For all meta-data queries we need to fetch an api token to use. In the event a //token cannot be obtained we will fallback to not using a token. Dictionary <string, string> headers = null; if (token == null) { token = Amazon.Util.EC2InstanceMetadata.FetchApiToken(); } if (!string.IsNullOrEmpty(token)) { headers = new Dictionary <string, string>(); headers.Add(HeaderKeys.XAwsEc2MetadataToken, token); } try { if (!Amazon.Util.EC2InstanceMetadata.IsIMDSEnabled) { throw new IMDSDisabledException(); } HttpWebRequest request; if (path.StartsWith("http", StringComparison.Ordinal)) { request = WebRequest.Create(path) as HttpWebRequest; } else { request = WebRequest.Create(EC2_METADATA_ROOT + path) as HttpWebRequest; } request.Timeout = (int)TimeSpan.FromSeconds(5).TotalMilliseconds; request.UserAgent = _userAgent; if (headers != null) { foreach (var header in headers) { request.Headers.Add(header.Key, header.Value); } } using (var response = request.GetResponse()) { using (var stream = new StreamReader(response.GetResponseStream())) { if (slurp) { items.Add(stream.ReadToEnd()); } else { string line; do { line = stream.ReadLine(); if (line != null) { items.Add(line.Trim()); } }while (line != null); } } } } catch (WebException wex) { var response = wex.Response as HttpWebResponse; if (response != null) { if (response.StatusCode == HttpStatusCode.NotFound) { return(null); } else if (response.StatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } } if (tries <= 1) { Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "Unable to contact EC2 Metadata service."); return(null); } PauseExponentially(tries); return(GetItems(path, tries - 1, slurp, token)); } catch (IMDSDisabledException) { // Keep this behavior identical to when HttpStatusCode.NotFound is returned. return(null); } return(items); }
protected override CredentialsRefreshState GenerateNewCredentials() { CredentialsRefreshState newState = null; var token = EC2InstanceMetadata.FetchApiToken(); try { // Attempt to get early credentials. OK to fail at this point. newState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials)); logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e); // if we already have cached credentials, we'll continue to use those credentials, // but try again to refresh them in 2 minutes. if (null != _currentRefreshState) { #pragma warning disable CS0612 // Type or member is obsolete var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(2); #pragma warning restore CS0612 // Type or member is obsolete _currentRefreshState = new CredentialsRefreshState(_currentRefreshState.Credentials.Copy(), newExpiryTime); return(_currentRefreshState); } } if (newState?.IsExpiredWithin(TimeSpan.Zero) == true) { // special case - credentials returned are expired _logger.InfoFormat(_receivedExpiredCredentialsFromIMDS); // use a custom refresh time #pragma warning disable CS0612 // Type or member is obsolete var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(new Random().Next(5, 16)); #pragma warning restore CS0612 // Type or member is obsolete _currentRefreshState = new CredentialsRefreshState(newState.Credentials.Copy(), newExpiryTime); return(_currentRefreshState); } // If successful, save new credentials if (newState != null) { _currentRefreshState = newState; } // If still not successful (no credentials available at start), attempt once more to // get credentials, but now without swallowing exception if (_currentRefreshState == null) { try { _currentRefreshState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } } // Return credentials that will expire in at most one hour CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState); return(state); }