aws: add metadata fetcher utility to use http async client

.gitignore

@@ -57,3 +57,4 @@ distribution/custom
 examples/websocket/certs
 /contrib/golang/**/test_data/go.sum
 /contrib/golang/**/test_data/*/go.sum
+env/

changelogs/current.yaml

@@ -50,6 +50,10 @@ behavior_changes:
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
+- area: aws
+  change: |
+    uses http async client to fetch the credentials from EC2 instance metadata and ECS task metadata providers instead of libcurl
+    which is deprecated. To revert this behavior set ``envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials`` to true.
 - area: ext_authz
   change: |
     removing any query parameter in the presence of repeated query parameter keys no longer drops the repeats.

docs/root/configuration/http/http_filters/_include/aws_credentials.rst

@@ -13,4 +13,10 @@ secret access key (the session token is optional).
 
 3. Either EC2 instance metadata or ECS task metadata. For EC2 instance metadata, the fields ``AccessKeyId``, ``SecretAccessKey``, and
    ``Token`` are used, and credentials are cached for 1 hour. For ECS task metadata, the fields ``AccessKeyId``, ``SecretAccessKey``, and
-   ``Token`` are used, and credentials are cached for 1 hour or until they expire (according to the field ``Expiration``).
+   ``Token`` are used, and credentials are cached for 1 hour or until they expire (according to the field ``Expiration``). Note the latest
+   update on AWS credentials provider utility uses http async client functionality by default instead of libcurl to fetch the credentials.
+   The usage of libcurl is on the deprecation path and will be removed soon. To fetch the credentials from either EC2 instance metadata or
+   ECS task metadata a static cluster is required pointing towards the credentials provider. The static cluster name has to be
+   ``ec2_instance_metadata_server_internal`` for fetching from EC2 instance metadata or ``ecs_task_metadata_server_internal`` for fetching
+   from ECS task metadata. If these clusters are not provided in the bootstrap configuration then either of these will be added by default.
+   This behavior can be changed by setting ``envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials`` to true.

source/common/runtime/runtime_features.cc

@@ -120,6 +120,9 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_refresh_rtt_after_request);
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_reject_all);
 // TODO(adisuissa): enable by default once this is tested in prod.
 FALSE_RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads);
+// TODO(suniltheta): Once the newly added http async technique proves effective and
+// is stabilized get rid of this feature flag and code path that relies on libcurl.
+FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_libcurl_to_fetch_aws_credentials);
 // TODO(#10646) change to true when UHV is sufficiently tested
 // For more information about Universal Header Validation, please see
 // https://github.com/envoyproxy/envoy/issues/10646

source/extensions/common/aws/BUILD

@@ -40,19 +40,34 @@ envoy_cc_library(
     external_deps = ["abseil_optional"],
 )
 
+envoy_cc_library(
+    name = "metadata_fetcher_lib",
+    srcs = ["metadata_fetcher.cc"],
+    hdrs = ["metadata_fetcher.h"],
+    deps = [
+        ":utility_lib",
+        "//envoy/upstream:cluster_manager_interface",
+        "//source/common/http:utility_lib",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)
+
 envoy_cc_library(
     name = "credentials_provider_impl_lib",
     srcs = ["credentials_provider_impl.cc"],
     hdrs = ["credentials_provider_impl.h"],
     external_deps = ["abseil_time"],
     deps = [
         ":credentials_provider_interface",
-        ":utility_lib",
+        ":metadata_fetcher_lib",
         "//envoy/api:api_interface",
         "//source/common/common:logger_lib",
         "//source/common/common:thread_lib",
         "//source/common/http:utility_lib",
+        "//source/common/init:target_lib",
         "//source/common/json:json_loader_lib",
+        "//source/common/runtime:runtime_features_lib",
+        "//source/common/tracing:http_tracer_lib",
     ],
 )
 
@@ -63,10 +78,13 @@ envoy_cc_library(
     external_deps = ["curl"],
     deps = [
         "//envoy/http:message_interface",
+        "//envoy/upstream:cluster_manager_interface",
         "//source/common/common:empty_string",
         "//source/common/common:matchers_lib",
         "//source/common/common:utility_lib",
         "//source/common/http:headers_lib",
+        "//source/common/http:utility_lib",
+        "//source/common/runtime:runtime_features_lib",
     ],
 )
 

source/extensions/common/aws/credentials_provider.h

@@ -68,6 +68,8 @@ class CredentialsProvider {
   virtual Credentials getCredentials() PURE;
 };
 
+using CredentialsConstSharedPtr = std::shared_ptr<const Credentials>;
+using CredentialsConstUniquePtr = std::unique_ptr<const Credentials>;
 using CredentialsProviderSharedPtr = std::shared_ptr<CredentialsProvider>;
 
 } // namespace Aws