aws · kai-ion · Jul 16, 2025 · Jul 28, 2025 · Jul 28, 2025 · Jul 28, 2025
diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProvider.h
@@ -22,6 +22,10 @@
 
 namespace Aws
 {
+    namespace Client
+    {
+        struct ClientConfiguration;
+    }
     namespace Auth
     {
         constexpr int REFRESH_THRESHOLD = 1000 * 60 * 5;
@@ -212,6 +216,11 @@ namespace Aws
              */
             InstanceProfileCredentialsProvider(const std::shared_ptr<Aws::Config::EC2InstanceProfileConfigLoader>&, long refreshRateMs = REFRESH_THRESHOLD);
 
+            /**
+             * Initializes the provider using ClientConfiguration for IMDS settings.
+             */
+            InstanceProfileCredentialsProvider(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialProviderConfig, long refreshRateMs = REFRESH_THRESHOLD);
+
             /**
             * Retrieves the credentials if found, otherwise returns empty credential set.
             */

diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -492,6 +492,21 @@ namespace Aws
             * AWS profile name to use for credentials.
             */
             Aws::String profile;
+
+            /**
+             * IMDS configuration settings
+             */
+            struct {
+              /**
+               * Number of total attempts to make when retrieving data from IMDS. Default 1.
+               */
+              long metadataServiceNumAttempts = 1;
+
+              /**
+               * Timeout in seconds when retrieving data from IMDS. Default 1.
+               */
+              long metadataServiceTimeout = 1;
+            } imdsConfig;
           }credentialProviderConfig;
         };
 

diff --git a/src/aws-cpp-sdk-core/include/aws/core/config/EC2InstanceProfileConfigLoader.h b/src/aws-cpp-sdk-core/include/aws/core/config/EC2InstanceProfileConfigLoader.h
@@ -6,6 +6,7 @@
 #pragma once
 
 #include <aws/core/config/AWSProfileConfigLoaderBase.h>
+#include <aws/core/client/ClientConfiguration.h>
 
 #include <aws/core/utils/memory/stl/AWSString.h>
 #include <aws/core/utils/memory/stl/AWSMap.h>
@@ -19,6 +20,8 @@ namespace Aws
         class EC2MetadataClient;
     }
 
+
+
     namespace Config
     {
         static const char* const INSTANCE_PROFILE_KEY = "InstanceProfile";
@@ -33,6 +36,16 @@ namespace Aws
              * If client is nullptr, the default EC2MetadataClient will be created.
              */
             EC2InstanceProfileConfigLoader(const std::shared_ptr<Aws::Internal::EC2MetadataClient>& = nullptr);
+
+            /**
+             * Creates EC2MetadataClient using the provided ClientConfiguration.
+             */
+            EC2InstanceProfileConfigLoader(const Aws::Client::ClientConfiguration& clientConfig);
+
+            /**
+             * Creates EC2MetadataClient using the provided CredentialProviderConfiguration.
+             */
+            EC2InstanceProfileConfigLoader(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialConfig);
 
             virtual ~EC2InstanceProfileConfigLoader() = default;
 

diff --git a/src/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h b/src/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h
@@ -103,6 +103,7 @@ namespace Aws
              */
             EC2MetadataClient(const char* endpoint = "http://169.254.169.254");
             EC2MetadataClient(const Client::ClientConfiguration& clientConfiguration, const char* endpoint = "http://169.254.169.254");
+            EC2MetadataClient(const Client::ClientConfiguration::CredentialProviderConfiguration& credentialConfig, const char* endpoint = "http://169.254.169.254");
 
             EC2MetadataClient& operator =(const EC2MetadataClient& rhs) = delete;
             EC2MetadataClient(const EC2MetadataClient& rhs) = delete;

diff --git a/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
@@ -7,6 +7,7 @@
 #include <aws/core/auth/AWSCredentialsProvider.h>
 
 #include <aws/core/config/AWSProfileConfigLoader.h>
+#include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/platform/Environment.h>
 #include <aws/core/platform/FileSystem.h>
 #include <aws/core/platform/OSVersionInfo.h>
@@ -242,6 +243,12 @@ InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(const std
     AWS_LOGSTREAM_INFO(INSTANCE_LOG_TAG, "Creating Instance with injected EC2MetadataClient and refresh rate " << refreshRateMs);
 }
 
+InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialConfig, long refreshRateMs) :
+    m_ec2MetadataConfigLoader(Aws::MakeShared<Aws::Config::EC2InstanceProfileConfigLoader>(INSTANCE_LOG_TAG, credentialConfig)),
+    m_loadFrequencyMs(refreshRateMs)
+{
+    AWS_LOGSTREAM_INFO(INSTANCE_LOG_TAG, "Creating Instance with IMDS timeout: " << credentialConfig.imdsConfig.metadataServiceTimeout << "s, attempts: " << credentialConfig.imdsConfig.metadataServiceNumAttempts);
+}
 
 AWSCredentials InstanceProfileCredentialsProvider::GetAWSCredentials()
 {

diff --git a/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp b/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
@@ -6,6 +6,7 @@
 #include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/core/auth/STSCredentialsProvider.h>
 #include <aws/core/auth/SSOCredentialsProvider.h>
+#include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/platform/Environment.h>
 #include <aws/core/utils/memory/AWSMemory.h>
 #include <aws/core/utils/StringUtils.h>
@@ -125,7 +126,7 @@ DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain(const Aws
     }
     else if (Aws::Utils::StringUtils::ToLower(ec2MetadataDisabled.c_str()) != "true")
     {
-        AddProvider(Aws::MakeShared<InstanceProfileCredentialsProvider>(DefaultCredentialsProviderChainTag));
+        AddProvider(Aws::MakeShared<InstanceProfileCredentialsProvider>(DefaultCredentialsProviderChainTag, config));
         AWS_LOGSTREAM_INFO(DefaultCredentialsProviderChainTag, "Added EC2 metadata service credentials provider to the provider chain.");
     }
 }

diff --git a/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp b/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp
@@ -41,6 +41,10 @@ static const char* DISABLE_IMDSV1_CONFIG_VAR = "AWS_EC2_METADATA_V1_DISABLED";
 static const char* DISABLE_IMDSV1_ENV_VAR = "ec2_metadata_v1_disabled";
 static const char* AWS_ACCOUNT_ID_ENDPOINT_MODE_ENVIRONMENT_VARIABLE = "AWS_ACCOUNT_ID_ENDPOINT_MODE";
 static const char* AWS_ACCOUNT_ID_ENDPOINT_MODE_CONFIG_FILE_OPTION = "account_id_endpoint_mode";
+static const char* AWS_METADATA_SERVICE_TIMEOUT_ENV_VAR = "AWS_METADATA_SERVICE_TIMEOUT";
+static const char* AWS_METADATA_SERVICE_TIMEOUT_CONFIG_VAR = "metadata_service_timeout";
+static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_ENV_VAR = "AWS_METADATA_SERVICE_NUM_ATTEMPTS";
+static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_CONFIG_VAR = "metadata_service_num_attempts";
 
 using RequestChecksumConfigurationEnumMapping = std::pair<const char*, RequestChecksumCalculation>;
 static const std::array<RequestChecksumConfigurationEnumMapping, 2> REQUEST_CHECKSUM_CONFIG_MAPPING = {{
@@ -288,6 +292,31 @@ void setConfigFromEnvOrProfile(ClientConfiguration &config)
         AWS_ACCOUNT_ID_ENDPOINT_MODE_CONFIG_FILE_OPTION,
         {"required", "disabled", "preferred"}, /* allowed values */
         "preferred" /* default value */);
+
+    // Load IMDS configuration from environment variables and config file
+    Aws::String timeoutStr = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_METADATA_SERVICE_TIMEOUT_ENV_VAR,
+        config.profileName,
+        AWS_METADATA_SERVICE_TIMEOUT_CONFIG_VAR,
+        {}, /* allowed values */
+        "1" /* default value */);
+
+    // Load IMDS configuration from environment variables and config file
+    Aws::String numAttemptsStr = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_METADATA_SERVICE_NUM_ATTEMPTS_ENV_VAR,
+        config.profileName,
+        AWS_METADATA_SERVICE_NUM_ATTEMPTS_CONFIG_VAR,
+        {}, /* allowed values */
+        "1" /* default value */);
+
+    // Parse and set IMDS num attempts
+    long attempts = std::stol(numAttemptsStr.c_str());
+    if (attempts >= 1) {
+        config.credentialProviderConfig.imdsConfig.metadataServiceNumAttempts = attempts;
+    }
+    // Parse and set IMDS timeout
+    long timeout = std::stol(timeoutStr.c_str());
+    if (timeout >= 1) {
+        config.credentialProviderConfig.imdsConfig.metadataServiceTimeout = timeout;
+    }
 }
 
 ClientConfiguration::ClientConfiguration()

diff --git a/src/aws-cpp-sdk-core/source/config/EC2InstanceProfileConfigLoader.cpp b/src/aws-cpp-sdk-core/source/config/EC2InstanceProfileConfigLoader.cpp
@@ -6,6 +6,7 @@
 #include <aws/core/config/AWSProfileConfigLoader.h>
 #include <aws/core/internal/AWSHttpResourceClient.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/utils/memory/stl/AWSList.h>
 #include <aws/core/utils/logging/LogMacros.h>
 #include <aws/core/utils/json/JsonSerializer.h>
@@ -38,6 +39,14 @@ namespace Aws
             }
         }
 
+        EC2InstanceProfileConfigLoader::EC2InstanceProfileConfigLoader(const Aws::Client::ClientConfiguration& clientConfig)
+            : m_ec2metadataClient(Aws::MakeShared<Aws::Internal::EC2MetadataClient>(EC2_INSTANCE_PROFILE_LOG_TAG, clientConfig)) 
+        {}
+
+        EC2InstanceProfileConfigLoader::EC2InstanceProfileConfigLoader(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialConfig)
+            : m_ec2metadataClient(Aws::MakeShared<Aws::Internal::EC2MetadataClient>(EC2_INSTANCE_PROFILE_LOG_TAG, credentialConfig))
+        {}
+
         bool EC2InstanceProfileConfigLoader::LoadInternal()
         {
             // re-use old credentials until we need to call IMDS again.

diff --git a/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp b/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
@@ -207,6 +207,30 @@ namespace Aws
             AWS_LOGSTREAM_TRACE(m_logtag.c_str(), "IMDSv1 had been disabled at the SDK build time");
 #endif
         }
+
+        EC2MetadataClient::EC2MetadataClient(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialConfig,
+            const char *endpoint) :
+            AWSHttpResourceClient([&credentialConfig]() {
+                Aws::Client::ClientConfiguration clientConfig;
+                clientConfig.credentialProviderConfig = credentialConfig;
+                clientConfig.connectTimeoutMs = credentialConfig.imdsConfig.metadataServiceTimeout * 1000;
+                clientConfig.requestTimeoutMs = credentialConfig.imdsConfig.metadataServiceTimeout * 1000;
+                clientConfig.retryStrategy = Aws::MakeShared<DefaultRetryStrategy>(RESOURCE_CLIENT_CONFIGURATION_ALLOCATION_TAG, credentialConfig.imdsConfig.metadataServiceNumAttempts - 1, 1000);
+                clientConfig.maxConnections = 2;
+                clientConfig.scheme = Scheme::HTTP;
+                return clientConfig;
+            }(), EC2_METADATA_CLIENT_LOG_TAG),
+            m_endpoint(endpoint),
+            m_disableIMDS(false),
+            m_tokenRequired(true),
+            m_disableIMDSV1(false)
+        {
+#if defined(DISABLE_IMDSV1)
+            AWS_UNREFERENCED_PARAM(m_disableIMDSV1);
+            m_disableIMDSV1 = true;
+            AWS_LOGSTREAM_TRACE(m_logtag.c_str(), "IMDSv1 had been disabled at the SDK build time");
+#endif
+        }
 
         EC2MetadataClient::~EC2MetadataClient()
         {