class Aws::InstanceProfileCredentials

def _metadata_disabled? 

def _metadata_disabled?
  ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true'
end

def backoff(backoff) 

def backoff(backoff)
  case backoff
  when Proc then backoff
  when Numeric then ->(_) { sleep(backoff) }
  else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
  end
end

def get_credentials 

def get_credentials
  # Retry loading credentials a configurable number of times if
  # the instance metadata service is not responding.
  if _metadata_disabled?
    '{}'
  else
    begin
      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
        open_connection do |conn|
          # attempt to fetch token to start secure flow first
          # and rescue to failover
          begin
            retry_errors(NETWORK_ERRORS, max_retries: @retries) do
              unless token_set?
                created_time = Time.now
                token_value, ttl = http_put(
                  conn, METADATA_TOKEN_PATH, @token_ttl
                )
                @token = Token.new(token_value, ttl, created_time) if token_value && ttl
              end
            end
          rescue *NETWORK_ERRORS
            # token attempt failed, reset token
            # fallback to non-token mode
            @token = nil
          end
          token = @token.value if token_set?
          begin
            metadata = http_get(conn, METADATA_PATH_BASE, token)
            profile_name = metadata.lines.first.strip
            http_get(conn, METADATA_PATH_BASE + profile_name, token)
          rescue TokenExpiredError
            # Token has expired, reset it
            # The next retry should fetch it
            @token = nil
            raise Non200Response
          end
        end
      end
    rescue
      '{}'
    end
  end
end

def http_get(connection, path, token = nil)

GET request fetch profile and credentials 
def http_get(connection, path, token = nil)
  headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
  headers['x-aws-ec2-metadata-token'] = token if token
  response = connection.request(Net::HTTP::Get.new(path, headers))
  case response.code.to_i
  when 200
    response.body
  when 401
    raise TokenExpiredError
  else
    raise Non200Response
  end
end

def http_put(connection, path, ttl)

PUT request fetch token with ttl 
def http_put(connection, path, ttl)
  headers = {
    'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
    'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
  }
  response = connection.request(Net::HTTP::Put.new(path, headers))
  case response.code.to_i
  when 200
    [
      response.body,
      response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
    ]
  when 400
    raise TokenRetrivalError
  when 401
    raise TokenExpiredError
  else
    raise Non200Response
  end
end

def initialize(options = {})

Options Hash: (**options)
  • before_refresh (Callable) -- Proc called before
  • :token_ttl (Integer) -- Time-to-Live in seconds for EC2
  • :http_debug_output (IO) -- HTTP wire
  • :delay (Numeric, Proc) -- By default, failures are retried
  • :http_read_timeout (Float) --
  • :http_open_timeout (Float) --
  • :port (Integer) --
  • :ip_address (String) -- Deprecated. Use
  • :endpoint_mode (String) -- The endpoint mode for
  • :endpoint (String) -- The IMDS
  • :retries (Integer) -- Number of times to retry

Parameters:
  • options (Hash) -- 
def initialize(options = {})
  @retries = options[:retries] || 1
  endpoint_mode = resolve_endpoint_mode(options)
  @endpoint = resolve_endpoint(options, endpoint_mode)
  @port = options[:port] || 80
  @http_open_timeout = options[:http_open_timeout] || 1
  @http_read_timeout = options[:http_read_timeout] || 1
  @http_debug_output = options[:http_debug_output]
  @backoff = backoff(options[:backoff])
  @token_ttl = options[:token_ttl] || 21_600
  @token = nil
  super
end

def open_connection 

def open_connection
  uri = URI.parse(@endpoint)
  http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
  http.open_timeout = @http_open_timeout
  http.read_timeout = @http_read_timeout
  http.set_debug_output(@http_debug_output) if @http_debug_output
  http.start
  yield(http).tap { http.finish }
end

def refresh 

def refresh
  # Retry loading credentials up to 3 times is the instance metadata
  # service is responding but is returning invalid JSON documents
  # in response to the GET profile credentials call.
  begin
    retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
      c = Aws::Json.load(get_credentials.to_s)
      @credentials = Credentials.new(
        c['AccessKeyId'],
        c['SecretAccessKey'],
        c['Token']
      )
      @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
    end
  rescue Aws::Json::ParseError
    raise Aws::Errors::MetadataParserError
  end
end

def resolve_endpoint(options, endpoint_mode) 

def resolve_endpoint(options, endpoint_mode)
  value = options[:endpoint] || options[:ip_address]
  value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
  value ||= Aws.shared_config.ec2_metadata_service_endpoint(
    profile: options[:profile]
  )
  return value if value
  case endpoint_mode.downcase
  when 'ipv4' then 'http://169.254.169.254'
  when 'ipv6' then 'http://[fd00:ec2::254]'
  else
    raise ArgumentError,
          ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
          "got: #{endpoint_mode}"
  end
end

def resolve_endpoint_mode(options) 

def resolve_endpoint_mode(options)
  value = options[:endpoint_mode]
  value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
  value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
    profile: options[:profile]
  )
  value || 'IPv4'
end

def retry_errors(error_classes, options = {}, &_block) 

def retry_errors(error_classes, options = {}, &_block)
  max_retries = options[:max_retries]
  retries = 0
  begin
    yield
  rescue *error_classes
    raise unless retries < max_retries
    @backoff.call(retries)
    retries += 1
    retry
  end
end

def token_set? 

def token_set?
  @token && !@token.expired?
end