aws: use http async client to fetch metadata credentials (#30626)

Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
envoyproxy · Nov 4, 2023 · 3816b1a · 3816b1a
1 parent 3ff9a59
commit 3816b1a
Show file tree

Hide file tree

Showing 14 changed files with 1,882 additions and 157 deletions.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -15,13 +15,17 @@ behavior_changes:
     <envoy_v3_api_msg_extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig>` extension becomes stable.
 
 minor_behavior_changes:
+# *Changes that may cause incompatibilities for some users, but should not for most*
+- area: aws
+  change: |
+    uses http async client to fetch the credentials from EC2 instance metadata and ECS task metadata providers instead of libcurl
+    which is deprecated. To revert this behavior set ``envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials`` to true.
 - area: upstream
   change: |
     Fixed a reported issue (https://github.com/envoyproxy/envoy/issues/11004) that causes the Least
     Request load balancer policy to be unfair when the number of hosts are very small, when the number
     of hosts is smaller than the choice_count, instead of randomly selection hosts from the list, we
     perform a full scan on it to choose the host with least requests.
-# *Changes that may cause incompatibilities for some users, but should not for most*
 - area: local_rate_limit
   change: |
     Added new configuration field :ref:`rate_limited_as_resource_exhausted

diff --git a/docs/root/configuration/http/http_filters/_include/aws_credentials.rst b/docs/root/configuration/http/http_filters/_include/aws_credentials.rst
@@ -13,4 +13,12 @@ secret access key (the session token is optional).
 
 3. Either EC2 instance metadata or ECS task metadata. For EC2 instance metadata, the fields ``AccessKeyId``, ``SecretAccessKey``, and
    ``Token`` are used, and credentials are cached for 1 hour. For ECS task metadata, the fields ``AccessKeyId``, ``SecretAccessKey``, and
-   ``Token`` are used, and credentials are cached for 1 hour or until they expire (according to the field ``Expiration``).
+   ``Token`` are used, and credentials are cached for 1 hour or until they expire (according to the field ``Expiration``). Note that the
+   latest update on AWS credentials provider utility uses http async client functionality by default instead of libcurl to fetch the
+   credentials. The usage of libcurl is on the deprecation path and will be removed soon. This behavior can be changed by setting
+   ``envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials`` to ``true``. To fetch the credentials from either EC2 instance
+   metadata or ECS task metadata a static cluster is required pointing towards the credentials provider. The static cluster name has to be
+   ``ec2_instance_metadata_server_internal`` for fetching from EC2 instance metadata or ``ecs_task_metadata_server_internal`` for fetching
+   from ECS task metadata. If these clusters are not provided in the bootstrap configuration then either of these will be added by default.
+   The static internal cluster will still be added even if initially ``envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials`` is
+   set to ``true`` so that in future if the reloadable feature is set to ``false`` the cluster config is available to fetch the credentials.
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -113,6 +113,9 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms);
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_refresh_rtt_after_request);
 // TODO(danzh) false deprecate it once QUICHE has its own enable/disable flag.
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_reject_all);
+// TODO(suniltheta): Once the newly added http async technique proves effective and
+// is stabilized get rid of this feature flag and code path that relies on libcurl.
+FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_libcurl_to_fetch_aws_credentials);
 // TODO(adisuissa): enable by default once this is tested in prod.
 FALSE_RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads);
 // TODO(#10646) change to true when UHV is sufficiently tested

diff --git a/source/extensions/common/aws/BUILD b/source/extensions/common/aws/BUILD
@@ -59,12 +59,16 @@ envoy_cc_library(
     external_deps = ["abseil_time"],
     deps = [
         ":credentials_provider_interface",
+        ":metadata_fetcher_lib",
         ":utility_lib",
         "//envoy/api:api_interface",
         "//source/common/common:logger_lib",
         "//source/common/common:thread_lib",
         "//source/common/http:utility_lib",
+        "//source/common/init:target_lib",
         "//source/common/json:json_loader_lib",
+        "//source/common/runtime:runtime_features_lib",
+        "//source/common/tracing:http_tracer_lib",
     ],
 )
 
@@ -81,6 +85,7 @@ envoy_cc_library(
         "//source/common/common:utility_lib",
         "//source/common/http:headers_lib",
         "//source/common/http:utility_lib",
+        "//source/common/runtime:runtime_features_lib",
         "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto",
         "@envoy_api//envoy/extensions/upstreams/http/v3:pkg_cc_proto",
     ],

diff --git a/source/extensions/common/aws/credentials_provider.h b/source/extensions/common/aws/credentials_provider.h
@@ -68,6 +68,8 @@ class CredentialsProvider {
   virtual Credentials getCredentials() PURE;
 };
 
+using CredentialsConstSharedPtr = std::shared_ptr<const Credentials>;
+using CredentialsConstUniquePtr = std::unique_ptr<const Credentials>;
 using CredentialsProviderSharedPtr = std::shared_ptr<CredentialsProvider>;
 
 } // namespace Aws