implement IMDSv2 (#1380)

* implement IMDS version 2 in instance provider

* fallback to IMDSv1

Author: DavidBadura

docs/authentication/ec2-metadata.md

@@ -10,5 +10,4 @@ When you run code within an EC2 instance (or EKS, Lambda), AsyncAws is able to f
 When running a single application on the Server, this is the simplest way to grant permissions to the application. You
 have nothing to configure on the application, you only grant permissions on the Role attached to the instance.
 
-AsyncAWS uses the IMDSv1 protocol to read instance metadata. So this authentication method won't work if the v1
-protocol is disabled.
+AsyncAWS uses the IMDSv2 protocol to read instance metadata and fallback to the IMDSv1 protocol if it isn't supported.

src/Core/src/Credentials/InstanceProvider.php

@@ -17,38 +17,55 @@
 use Symfony\Contracts\HttpClient\ResponseInterface;
 
 /**
- * Provides Credentials from the running EC2 metadata server using the IMDS version 1.
+ * Provides Credentials from the running EC2 metadata server using the IMDSv1 and IMDSv2.
  *
  * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
  *
  * @author Jérémy Derussé <jeremy@derusse.com>
  */
 final class InstanceProvider implements CredentialProvider
 {
-    private const ENDPOINT = 'http://169.254.169.254/latest/meta-data/iam/security-credentials';
+    private const TOKEN_ENDPOINT = 'http://169.254.169.254/latest/api/token';
+    private const METADATA_ENDPOINT = 'http://169.254.169.254/latest/meta-data/iam/security-credentials';
 
     private $logger;
 
     private $httpClient;
 
     private $timeout;
 
-    public function __construct(?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null, float $timeout = 1.0)
+    private $tokenTtl;
+
+    public function __construct(?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null, float $timeout = 1.0, int $tokenTtl = 21600)
     {
         $this->logger = $logger ?? new NullLogger();
         $this->httpClient = $httpClient ?? HttpClient::create();
         $this->timeout = $timeout;
+        $this->tokenTtl = $tokenTtl;
     }
 
     public function getCredentials(Configuration $configuration): ?Credentials
     {
+        $token = $this->getToken();
+        $headers = [];
+
+        if (null !== $token) {
+            $headers = ['X-aws-ec2-metadata-token' => $token];
+        }
+
         try {
             // Fetch current Profile
-            $response = $this->httpClient->request('GET', self::ENDPOINT, ['timeout' => $this->timeout]);
+            $response = $this->httpClient->request('GET', self::METADATA_ENDPOINT, [
+                'timeout' => $this->timeout,
+                'headers' => $headers,
+            ]);
             $profile = $response->getContent();
 
             // Fetch credentials from profile
-            $response = $this->httpClient->request('GET', self::ENDPOINT . '/' . $profile, ['timeout' => $this->timeout]);
+            $response = $this->httpClient->request('GET', self::METADATA_ENDPOINT . '/' . $profile, [
+                'timeout' => $this->timeout,
+                'headers' => $headers,
+            ]);
             $result = $this->toArray($response);
 
             if ('Success' !== $result['Code']) {
@@ -106,4 +123,22 @@ private function toArray(ResponseInterface $response): array
 
         return $content;
     }
+
+    private function getToken(): ?string
+    {
+        try {
+            $response = $this->httpClient->request('PUT', self::TOKEN_ENDPOINT,
+                [
+                    'timeout' => $this->timeout,
+                    'headers' => ['X-aws-ec2-metadata-token-ttl-seconds' => $this->tokenTtl],
+                ]
+            );
+
+            return $response->getContent();
+        } catch (TransportExceptionInterface|HttpExceptionInterface $e) {
+            $this->logger->info('Failed to fetch metadata token for IMDSv2, fallback to IMDSv1.', ['exception' => $e]);
+
+            return null;
+        }
+    }
 }