Implement IMDS scanner for task credential retrieval #4945

Merged: singholt merged 1 commit into aws:dev from singholt:dev on Apr 30, 2026

singholt commented Apr 28, 2026

Summary

Implements the IMDS credential scanner in the shared library (ecs-agent/credentials/imds). The scanner discovers iam-ecs-* IMDS namespaces, reads their info files, and fetches task credentials with rate limiting. The scanner is not used by the ECS agents today, and the feature is config-disabled.

Changes to consume this shared library will come in a follow-up PR. Changes to incorporate metrics in the scanner will also come in a follow-up PR after operational review for the feature.

Implementation details

  • Implement Scanner.Scan() to discover iam-ecs-* namespaces, read info files, and fetch credentials.
  • Add rate limiter (~10% of IMDS PPS budget) to leave headroom for other link-local requests on the instance.
  • Cache LastUpdated per namespace to optimize IMDS call volume.

Testing

New tests cover the changes: yes, added new unit tests

Description for the changelog

Feature - Implement IMDS scanner for task credential retrieval, in the shared library

Additional Information

Does this PR include breaking model changes? No

Does this PR include the addition of new environment variables in the README? No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

singholt force-pushed the dev branch 20 times, most recently from 82f2206 to 45464f0 (April 29, 2026 16:06)
singholt marked this pull request as ready for review April 29, 2026 16:17
singholt requested a review from a team as a code owner April 29, 2026 16:17
Comment thread ecs-agent/credentials/imds/scanner_test.go
Comment thread ecs-agent/credentials/imds/scanner.go
Comment thread ecs-agent/credentials/imds/scanner.go Outdated
mye956 previously approved these changes Apr 29, 2026
- Implement Scanner.Scan() to discover iam-ecs-* namespaces, read info
  files, and fetch credentials
- Add rate limiter (~10% of IMDS PPS budget) to leave headroom for
  other link-local requests on the instance
- Cache LastUpdated per namespace to optimize IMDS call volume
singholt merged commit 828a7ad into aws:dev Apr 30, 2026
42 of 45 checks passed
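
An added sketch, not code from this PR or from ecs-agent, of the scan loop that the description and the commit message outline: filter on the iam-ecs-* prefix, skip the credential fetch when a namespace's LastUpdated is unchanged, and pace every read at a share of a PPS budget. The `info` type, the in-memory map standing in for IMDS, the fixed-gap pacer and the 100 PPS figure are assumptions; the PR's own limiter and info file format are not shown on the page.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// info is a hypothetical stand-in for one namespace's info file plus credentials.
type info struct{ LastUpdated, Creds string }

// Scanner waits one gap before each simulated IMDS read and caches LastUpdated.
type Scanner struct {
	imds  map[string]info     // constructed in-memory stand-in for IMDS
	gap   time.Duration       // minimum spacing between reads
	sleep func(time.Duration) // injectable so tests do not really wait
	seen  map[string]string   // namespace -> LastUpdated already fetched
	Calls int                 // reads issued so far
}

// NewScanner derives the spacing from a share of an assumed packets-per-second budget.
func NewScanner(imds map[string]info, budgetPPS, share float64, sleep func(time.Duration)) *Scanner {
	gap := time.Duration(float64(time.Second) / (budgetPPS * share))
	return &Scanner{imds: imds, gap: gap, sleep: sleep, seen: map[string]string{}}
}

func (s *Scanner) pace() { s.sleep(s.gap); s.Calls++ }

// Scan returns credentials only for iam-ecs-* namespaces whose LastUpdated changed.
func (s *Scanner) Scan() map[string]string {
	fresh := map[string]string{}
	s.pace() // one read to list namespaces
	for ns, in := range s.imds {
		if !strings.HasPrefix(ns, "iam-ecs-") {
			continue
		}
		s.pace() // one read for the info file
		if lu, ok := s.seen[ns]; !ok || lu != in.LastUpdated {
			s.pace() // one read for the credentials
			fresh[ns], s.seen[ns] = in.Creds, in.LastUpdated
		}
	}
	return fresh
}

func main() {
	s := NewScanner(map[string]info{"iam-ecs-a": {"t1", "creds-a"}, "network": {}}, 100, 0.10, time.Sleep)
	first, second := len(s.Scan()), len(s.Scan()) // 100 PPS is a constructed figure
	fmt.Println(first, second, s.Calls)
}
```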