update the testcases accordingly

Author: smilkuri

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

@@ -1,15 +1,17 @@
+import { loadConfig } from "@smithy/node-config-provider";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { afterEach, beforeEach, describe, expect, test as it, vi } from "vitest";
-
 import { InstanceMetadataV1FallbackError } from "./error/InstanceMetadataV1FallbackError";
-import { fromInstanceMetadata } from "./fromInstanceMetadata";
+import { checkIfImdsDisabled, fromInstanceMetadata } from "./fromInstanceMetadata";
+import * as fromInstanceMetadataModule from "./fromInstanceMetadata";
 import { httpRequest } from "./remoteProvider/httpRequest";
 import { fromImdsCredentials, isImdsCredentials } from "./remoteProvider/ImdsCredentials";
 import { providerConfigFromInit } from "./remoteProvider/RemoteProviderInit";
 import { retry } from "./remoteProvider/retry";
 import { getInstanceMetadataEndpoint } from "./utils/getInstanceMetadataEndpoint";
 import { staticStabilityProvider } from "./utils/staticStabilityProvider";
 
+vi.mock("@smithy/node-config-provider");
 vi.mock("./remoteProvider/httpRequest");
 vi.mock("./remoteProvider/ImdsCredentials");
 vi.mock("./remoteProvider/retry");
@@ -36,7 +38,7 @@ describe("fromInstanceMetadata", () => {
 
   const mockProfileRequestOptions = {
     hostname,
-    path: "/latest/meta-data/iam/security-credentials/",
+    path: "/latest/meta-data/iam/security-credentials-extended/",
     timeout: mockTimeout,
     headers: {
       "x-aws-ec2-metadata-token": mockToken,
@@ -49,18 +51,22 @@ describe("fromInstanceMetadata", () => {
     SecretAccessKey: "bar",
     Token: "baz",
     Expiration: ONE_HOUR_IN_FUTURE.toISOString(),
+    AccountId: "123456789012",
   });
 
   const mockCreds = Object.freeze({
     accessKeyId: mockImdsCreds.AccessKeyId,
     secretAccessKey: mockImdsCreds.SecretAccessKey,
     sessionToken: mockImdsCreds.Token,
     expiration: new Date(mockImdsCreds.Expiration),
+    accountId: mockImdsCreds.AccountId,
   });
 
   beforeEach(() => {
     vi.mocked(staticStabilityProvider).mockImplementation((input) => input);
     vi.mocked(getInstanceMetadataEndpoint).mockResolvedValue({ hostname } as any);
+    vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(false));
+    vi.spyOn(fromInstanceMetadataModule, "checkIfImdsDisabled").mockResolvedValue(undefined);
     (isImdsCredentials as unknown as any).mockReturnValue(true);
     vi.mocked(providerConfigFromInit).mockReturnValue({
       timeout: mockTimeout,
@@ -72,6 +78,65 @@ describe("fromInstanceMetadata", () => {
     vi.resetAllMocks();
   });
 
+  it("returns no credentials when AWS_EC2_METADATA_DISABLED=true", async () => {
+    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(true));
+    vi.mocked(fromInstanceMetadataModule.checkIfImdsDisabled).mockRejectedValueOnce(
+      new CredentialsProviderError("IMDS credential fetching is disabled")
+    );
+    const provider = fromInstanceMetadata({});
+
+    await expect(provider()).rejects.toEqual(new CredentialsProviderError("IMDS credential fetching is disabled"));
+    expect(httpRequest).not.toHaveBeenCalled();
+  });
+
+  it("returns valid credentials with account ID when ec2InstanceProfileName is provided", async () => {
+    const profileName = "my-profile-0002";
+
+    vi.mocked(httpRequest)
+      .mockResolvedValueOnce(mockToken as any)
+      .mockResolvedValueOnce(JSON.stringify(mockImdsCreds) as any);
+
+    vi.mocked(retry).mockImplementation((fn: any) => fn());
+    vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+
+    const result = await fromInstanceMetadata({ ec2InstanceProfileName: profileName })();
+
+    expect(result).toEqual(mockCreds);
+    expect(result.accountId).toBe(mockCreds.accountId);
+
+    expect(httpRequest).toHaveBeenCalledTimes(2);
+    expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
+    expect(httpRequest).toHaveBeenNthCalledWith(2, {
+      ...mockProfileRequestOptions,
+      path: `${mockProfileRequestOptions.path}${profileName}`,
+    });
+  });
+
+  it("returns valid credentials with account ID when profile is discovered from IMDS", async () => {
+    vi.mocked(httpRequest)
+      .mockResolvedValueOnce(mockToken as any)
+      .mockResolvedValueOnce(mockProfile as any)
+      .mockResolvedValueOnce(JSON.stringify(mockImdsCreds) as any);
+
+    vi.mocked(retry).mockImplementation((fn: any) => fn());
+    vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+
+    const provider = fromInstanceMetadata({});
+
+    const result = await provider();
+
+    expect(result).toEqual(mockCreds);
+    expect(result.accountId).toBe(mockCreds.accountId);
+
+    expect(httpRequest).toHaveBeenCalledTimes(3);
+    expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
+    expect(httpRequest).toHaveBeenNthCalledWith(2, mockProfileRequestOptions);
+    expect(httpRequest).toHaveBeenNthCalledWith(3, {
+      ...mockProfileRequestOptions,
+      path: `${mockProfileRequestOptions.path}${mockProfile}`,
+    });
+  });
+
   it("gets token and profile name to fetch credentials", async () => {
     vi.mocked(httpRequest)
       .mockResolvedValueOnce(mockToken as any)
@@ -99,6 +164,7 @@ describe("fromInstanceMetadata", () => {
 
     vi.mocked(retry).mockImplementation((fn: any) => fn());
     vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
+    vi.mocked(checkIfImdsDisabled).mockReturnValueOnce(Promise.resolve());
 
     await expect(fromInstanceMetadata()()).resolves.toEqual(mockCreds);
     expect(httpRequest).toHaveBeenNthCalledWith(3, {
@@ -109,6 +175,7 @@ describe("fromInstanceMetadata", () => {
 
   it("passes {} to providerConfigFromInit if init not defined", async () => {
     vi.mocked(retry).mockResolvedValueOnce(mockProfile).mockResolvedValueOnce(mockCreds);
+    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(false));
 
     await expect(fromInstanceMetadata()()).resolves.toEqual(mockCreds);
     expect(providerConfigFromInit).toHaveBeenCalledTimes(1);
@@ -117,6 +184,7 @@ describe("fromInstanceMetadata", () => {
 
   it("passes init to providerConfigFromInit", async () => {
     vi.mocked(retry).mockResolvedValueOnce(mockProfile).mockResolvedValueOnce(mockCreds);
+    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(false));
 
     const init = { maxRetries: 5, timeout: 1213 };
     await expect(fromInstanceMetadata(init)()).resolves.toEqual(mockCreds);
@@ -213,6 +281,73 @@ describe("fromInstanceMetadata", () => {
     expect(vi.mocked(staticStabilityProvider)).toBeCalledTimes(1);
   });
 
+  describe("getImdsProfileHelper", () => {
+    beforeEach(() => {
+      vi.mocked(httpRequest).mockClear();
+      vi.mocked(loadConfig).mockClear();
+      vi.mocked(retry).mockImplementation((fn: any) => fn());
+    });
+
+    it("uses ec2InstanceProfileName from init if provided", async () => {
+      const profileName = "profile-from-init";
+      const options = { hostname } as any;
+
+      // Only use vi.spyOn for imported functions
+      vi.spyOn(fromInstanceMetadataModule, "getConfiguredProfileName").mockResolvedValueOnce(profileName);
+
+      const result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {
+        ec2InstanceProfileName: profileName,
+      });
+
+      expect(result).toBe(profileName);
+      expect(httpRequest).not.toHaveBeenCalled();
+    });
+
+    it("uses environment variable if ec2InstanceProfileName not provided", async () => {
+      const envProfileName = "profile-from-env";
+      const options = { hostname } as any;
+
+      // Mock loadConfig to simulate env variable present
+      vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(envProfileName));
+
+      const result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
+
+      expect(result).toBe(envProfileName);
+      expect(httpRequest).not.toHaveBeenCalled();
+    });
+
+    it("uses profile from config file if present, otherwise falls back to IMDS (extended then legacy)", async () => {
+      const configProfileName = "profile-from-config";
+      const legacyProfileName = "profile-from-legacy";
+      const options = { hostname } as any;
+
+      // 1. Simulate config file present: should return configProfileName, no IMDS call
+      vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(configProfileName));
+
+      let result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
+      expect(result).toBe(configProfileName);
+      expect(httpRequest).not.toHaveBeenCalled();
+
+      // 2. Simulate config file missing: should call IMDS (extended fails, legacy succeeds)
+      vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(null));
+      vi.mocked(httpRequest)
+        .mockRejectedValueOnce(Object.assign(new Error(), { statusCode: 404 }))
+        .mockResolvedValueOnce(legacyProfileName as any);
+
+      result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
+      expect(result).toBe(legacyProfileName);
+      expect(httpRequest).toHaveBeenCalledTimes(2);
+      expect(httpRequest).toHaveBeenNthCalledWith(1, {
+        ...options,
+        path: "/latest/meta-data/iam/security-credentials-extended/",
+      });
+      expect(httpRequest).toHaveBeenNthCalledWith(2, {
+        ...options,
+        path: "/latest/meta-data/iam/security-credentials/",
+      });
+    });
+  });
+
   describe("disables fetching of token", () => {
     beforeEach(() => {
       vi.mocked(retry).mockImplementation((fn: any) => fn());

packages/credential-provider-imds/src/fromInstanceMetadata.ts

@@ -21,10 +21,10 @@ const X_AWS_EC2_METADATA_TOKEN = "x-aws-ec2-metadata-token";
 
 // Environment variables and config keys
 
-const ENV_IMDS_DISABLED = "AWS_EC2_METADATA_DISABLED";                         
-const CONFIG_IMDS_DISABLED = "disable_ec2_metadata";                       
-const ENV_PROFILE_NAME = "AWS_EC2_INSTANCE_PROFILE_NAME";                 
-const CONFIG_PROFILE_NAME = "ec2_instance_profile_name";              
+const ENV_IMDS_DISABLED = "AWS_EC2_METADATA_DISABLED";
+const CONFIG_IMDS_DISABLED = "disable_ec2_metadata";
+const ENV_PROFILE_NAME = "AWS_EC2_INSTANCE_PROFILE_NAME";
+const CONFIG_PROFILE_NAME = "ec2_instance_profile_name";
 
 /**
  * @internal
@@ -44,7 +44,6 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
   const { logger, profile } = init;
   const { timeout, maxRetries } = providerConfigFromInit(init);
 
-
   const getCredentials = async (maxRetries: number, options: RequestOptions) => {
     const isImdsV1Fallback = disableFetchToken || options.headers?.[X_AWS_EC2_METADATA_TOKEN] == null;
 
@@ -110,8 +109,7 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
     }, maxRetries);
   };
 
-
-  return async () => {   
+  return async () => {
     const endpoint = await getInstanceMetadataEndpoint();
     await checkIfImdsDisabled(profile, logger);
     if (disableFetchToken) {
@@ -147,15 +145,21 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
  * @internal
  * Gets IMDS profile with proper error handling and retries
  */
-const getImdsProfileHelper = async (
+export const getImdsProfileHelper = async (
   options: RequestOptions,
   maxRetries: number,
   init: RemoteProviderInit = {},
-  profile?: string
+  profile?: string,
+  resetCache?: boolean
 ): Promise<string> => {
   let apiVersion: "unknown" | "extended" | "legacy" = "unknown";
   let resolvedProfile: string | null = null;
-  
+
+  // If resetCache is true, clear the cached profile name
+  if (resetCache) {
+    resolvedProfile = null;
+  }
+
   return retry<string>(async () => {
     // First check if a profile name is configured
     const configuredName = await getConfiguredProfileName(init, profile);
@@ -169,7 +173,7 @@ const getImdsProfileHelper = async (
     try {
       // Try extended API first
       try {
-        const response = await httpRequest({...options, path: IMDS_EXTENDED_PATH});
+        const response = await httpRequest({ ...options, path: IMDS_EXTENDED_PATH });
         resolvedProfile = response.toString().trim();
         if (apiVersion === "unknown") {
           apiVersion = "extended";
@@ -178,7 +182,7 @@ const getImdsProfileHelper = async (
       } catch (error) {
         if (error?.statusCode === 404 && apiVersion === "unknown") {
           apiVersion = "legacy";
-          const response = await httpRequest({...options, path: IMDS_LEGACY_PATH});
+          const response = await httpRequest({ ...options, path: IMDS_LEGACY_PATH });
           resolvedProfile = response.toString().trim();
           return resolvedProfile;
         } else {
@@ -191,7 +195,6 @@ const getImdsProfileHelper = async (
   }, maxRetries);
 };
 
-
 const getMetadataToken = async (options: RequestOptions) =>
   httpRequest({
     ...options,
@@ -206,7 +209,7 @@ const getMetadataToken = async (options: RequestOptions) =>
  * @internal
  * Checks if IMDS credential fetching is disabled through configuration
  */
-const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void> => {
+export const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void> => {
   // Load configuration in priority order
   const disableImds = await loadConfig(
     {
@@ -224,7 +227,7 @@ const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void
     },
     { profile }
   )();
-  
+
   // If IMDS is disabled, throw error
   if (disableImds) {
     throw new CredentialsProviderError("IMDS credential fetching is disabled", { logger });
@@ -235,7 +238,7 @@ const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void
  * @internal
  * Gets configured profile name from various sources
  */
-const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: string): Promise<string | null> => {
+export const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: string): Promise<string | null> => {
   // Load configuration in priority order
   const profileName = await loadConfig(
     {
@@ -247,19 +250,18 @@ const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: stri
     },
     { profile }
   )();
-  
+
   // Check runtime config (highest priority)
   const name = init.ec2InstanceProfileName || profileName;
-  
+
   // Validate if name is provided but empty
-  if (typeof name === 'string' && name.trim() === "") {
+  if (typeof name === "string" && name.trim() === "") {
     throw new CredentialsProviderError("EC2 instance profile name cannot be empty");
   }
-  
+
   return name;
 };
 
-
 /**
  * @internal
  * Gets credentials from profile
@@ -275,12 +277,12 @@ const getCredentialsFromProfile = async (profile: string, options: RequestOption
         return await getCredentialsFromPath(IMDS_LEGACY_PATH + profile, options);
       } catch (legacyError) {
         if (legacyError.statusCode === 404 && init.ec2InstanceProfileName === undefined) {
-            // If legacy API also returns 404 and we're using a cached profile name,
-            // the profile might have changed - clear cache and retry
-            const resolvedProfile = null;
-            const newProfileName = await getImdsProfileHelper(options, init.maxRetries ?? 3, init, profile);
-            return getCredentialsFromProfile(newProfileName, options, init);
-          }
+          // If legacy API also returns 404 and we're using a cached profile name,
+          // the profile might have changed - clear cache and retry
+          const resolvedProfile = null;
+          const newProfileName = await getImdsProfileHelper(options, init.maxRetries ?? 3, init, profile, true);
+          return getCredentialsFromProfile(newProfileName, options, init);
+        }
         throw legacyError;
       }
     }
@@ -297,14 +299,14 @@ async function getCredentialsFromPath(path: string, options: RequestOptions) {
     ...options,
     path,
   });
-  
+
   const credentialsResponse = JSON.parse(response.toString());
-  
+
   // Validate response
   if (!isImdsCredentials(credentialsResponse)) {
     throw new CredentialsProviderError("Invalid response received from instance metadata service.");
   }
-  
+
   // Convert IMDS credentials format to standard format
   return fromImdsCredentials(credentialsResponse);
-}
+}