From c418365b23b429d2f765e1d925d8e99d410f3e73 Mon Sep 17 00:00:00 2001
From: Waqar Ahmed Khan
Date: Thu, 9 May 2024 10:01:49 -0700
Subject: [PATCH] add comments:
---
 include/aws/auth/credentials.h | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/include/aws/auth/credentials.h b/include/aws/auth/credentials.h
index 55d48570..93ef1542 100644
--- a/include/aws/auth/credentials.h
+++ b/include/aws/auth/credentials.h
@@ -232,6 +232,15 @@ struct aws_credentials_provider_imds_options {
 * AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 * AWS_CONTAINER_CREDENTIALS_FULL_URI
 *
+ *`AWS_CONTAINER_CREDENTIALS_FULL_URI` URL must satisfy one of the following:
+ *1. The URL begins with `https`.
+ *2. The URL refers to an allowed IP address. If a URL contains a domain name instead of an IP address,
+ * a DNS lookup will be performed. All resolved IP addresses must refer to an allowed IP address, or
+ * the credentials provider will return `AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST`. Valid IP addresses are:
+ * a) Loopback interfaces
+ * b) The ECS container address (169.254.170.2)
+ * c) EKS Pod Identity address (169.254.170.23 or fd00:ec2::23)
+ *
 * For the Authorization token, there are two ways (in order of priority):
 * 1. AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (an env var which contains the absolute path to the token file. The file
 * will be re-read for each call to get credentials.)
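Review bot: The new paragraph on `AWS_CONTAINER_CREDENTIALS_FULL_URI` lists the allowed addresses but does not say when the check is enforced, which a caller needs to know before relying on it. The implementation is not visible in this hunk, so please confirm and document whether `AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST` is reported at provider creation or on each credentials fetch, and whether the DNS lookup is repeated per fetch, e.g. `* The check runs <at creation / on every fetch -- confirm>; a name that resolves to any other address is rejected.` A one-line rationale would also help, presumably that the authorization token is sent to this endpoint, so plain HTTP is limited to local addresses (verify before writing it). On style, the added lines drop the space after `*` (` *1.`, ` *2.`), unlike the surrounding ` * ` lines, and "Loopback interfaces" could name the accepted ranges. The same points apply to the second hunk.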
@@ -261,6 +270,16 @@ struct aws_credentials_provider_ecs_environment_options {
 * Configuration options for the provider that sources credentials from ECS container metadata.
 * This options struct doesn't read anything from the environment and requires everything to be explicitly passed in. If
 * you need to read properties from the environment, use the `aws_credentials_provider_ecs_environment_options`.
+ *
+ *`host` must satisfy one of the following:
+ *1. tls_context is set
+ *2. The host refers to an allowed IP address. If a URL contains a domain name instead of an IP address,
+ * a DNS lookup will be performed. All resolved IP addresses must refer to an allowed IP address, or
+ * the credentials provider will return `AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST`. Valid IP addresses are:
+ * a) Loopback interfaces
+ * b) The ECS container address (169.254.170.2)
+ * c) EKS Pod Identity address (169.254.170.23 or fd00:ec2::23)
+ *
 */
 struct aws_credentials_provider_ecs_options {
 struct aws_credentials_provider_shutdown_options shutdown_options;
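Review bot: Item 2 of the new `host` paragraph still says `If a URL contains a domain name`, but this options struct is documented in terms of a `host`, not a URL; the sentence reads as copied from the environment-options comment. Suggest `* 2. The host refers to an allowed IP address. If host is a domain name instead of an IP address,` and backticks around `tls_context` in item 1. Since "one of the following" implies that setting `tls_context` lifts the address restriction for any host, it is worth stating that explicitly if it is the intent. The struct body continues outside the hunk, so the `host` and `tls_context` fields themselves are not visible here.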