Updated credential providers to provide Async version for generating credentials.

Author: ashishdhingra

generator/.DevConfigs/9fa1d027-8266-430e-b4c0-a541eb733f8e.json

@@ -0,0 +1,18 @@
+{
+    "core": {
+        "changeLogMessages": [
+            "Updated credential providers to provide Async version for generating credentials."
+        ],
+        "type": "patch",
+        "updateMinimum": false
+    },
+    "services": [
+        {
+            "serviceName": "SecurityToken",
+            "type": "patch",
+            "changeLogMessages": [
+                "Added implementation for ICoreAmazonSTS_SAML/ICoreAmazonSTS.CredentialsFromSAMLAuthenticationAsync() and ICoreAmazonSTS.CredentialsFromAssumeRoleAuthenticationAsync()."
+            ]
+        }
+    ]
+}

sdk/src/Core/Amazon.Runtime/Credentials/AWSCredentials.cs

@@ -35,11 +35,9 @@ public abstract class AWSCredentials : BaseIdentity
         /// </summary>
         protected virtual void Validate() { }
 
-#if AWS_ASYNC_API
         public virtual System.Threading.Tasks.Task<ImmutableCredentials> GetCredentialsAsync()
         {
             return System.Threading.Tasks.Task.FromResult<ImmutableCredentials>(this.GetCredentials());
         }
-#endif
     }
 }

sdk/src/Core/Amazon.Runtime/Credentials/AssumeRoleAWSCredentials.cs

@@ -22,6 +22,7 @@
 using System.Net;
 using System.Diagnostics.CodeAnalysis;
 using ThirdParty.RuntimeBackports;
+using System.Threading.Tasks;
 
 namespace Amazon.Runtime
 {
@@ -91,13 +92,32 @@ public AssumeRoleAWSCredentials(AWSCredentials sourceCredentials, string roleArn
             PreemptExpiryTime = TimeSpan.FromMinutes(15);
         }
 
-        [UnconditionalSuppressMessage("ReflectionAnalysis", "IL2026", 
-            Justification = "Reflection code is only used as a fallback in case the SDK was not trimmed. Trimmed scenarios should register dependencies with Amazon.RuntimeDependencyRegistry.GlobalRuntimeDependencyRegistry")]
         protected override CredentialsRefreshState GenerateNewCredentials()
         {
             var region = FallbackRegionFactory.GetRegionEndpoint() ?? DefaultSTSClientRegion;
-            ICoreAmazonSTS coreSTSClient = GlobalRuntimeDependencyRegistry.Instance.GetInstance<ICoreAmazonSTS>(ServiceClientHelpers.STS_ASSEMBLY_NAME, ServiceClientHelpers.STS_SERVICE_CLASS_NAME, 
-                new CreateInstanceContext(new SecurityTokenServiceClientContext {Action = SecurityTokenServiceClientContext.ActionContext.AssumeRoleAWSCredentials, Region = region, ProxySettings = Options?.ProxySettings } ));
+            ICoreAmazonSTS coreSTSClient = GetSTSClient(region);
+
+            var credentials = coreSTSClient.CredentialsFromAssumeRoleAuthentication(RoleArn, RoleSessionName, Options);
+            _logger.InfoFormat("New credentials created for assume role that expire at {0}", credentials.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
+            return new CredentialsRefreshState(credentials, credentials.Expiration);
+        }
+
+        protected override async Task<CredentialsRefreshState> GenerateNewCredentialsAsync()
+        {
+            var region = FallbackRegionFactory.GetRegionEndpoint() ?? DefaultSTSClientRegion;
+            ICoreAmazonSTS coreSTSClient = GetSTSClient(region);
+
+            var credentials = await coreSTSClient.CredentialsFromAssumeRoleAuthenticationAsync(RoleArn, RoleSessionName, Options).ConfigureAwait(false);
+            _logger.InfoFormat("New credentials created for assume role that expire at {0}", credentials.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
+            return new CredentialsRefreshState(credentials, credentials.Expiration);
+        }
+
+        [UnconditionalSuppressMessage("ReflectionAnalysis", "IL2026",
+            Justification = "Reflection code is only used as a fallback in case the SDK was not trimmed. Trimmed scenarios should register dependencies with Amazon.RuntimeDependencyRegistry.GlobalRuntimeDependencyRegistry")]
+        private ICoreAmazonSTS GetSTSClient(RegionEndpoint region)
+        {
+            ICoreAmazonSTS coreSTSClient = GlobalRuntimeDependencyRegistry.Instance.GetInstance<ICoreAmazonSTS>(ServiceClientHelpers.STS_ASSEMBLY_NAME, ServiceClientHelpers.STS_SERVICE_CLASS_NAME,
+                            new CreateInstanceContext(new SecurityTokenServiceClientContext { Action = SecurityTokenServiceClientContext.ActionContext.AssumeRoleAWSCredentials, Region = region, ProxySettings = Options?.ProxySettings }));
 
             if (coreSTSClient == null)
             {
@@ -130,11 +150,7 @@ protected override CredentialsRefreshState GenerateNewCredentials()
                 }
             }
 
-
-
-            var credentials = coreSTSClient.CredentialsFromAssumeRoleAuthentication(RoleArn, RoleSessionName, Options);
-            _logger.DebugFormat("New credentials created for assume role that expire at {0}", credentials.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
-            return new CredentialsRefreshState(credentials, credentials.Expiration);
+            return coreSTSClient;
         }
     }
 }

sdk/src/Core/Amazon.Runtime/Credentials/AssumeRoleWithWebIdentityCredentials.cs

@@ -25,9 +25,7 @@
 using System.IO;
 using System.Net;
 using System.Text.RegularExpressions;
-#if AWS_ASYNC_API
 using System.Threading.Tasks;
-#endif
 
 namespace Amazon.Runtime
 {
@@ -181,7 +179,6 @@ protected override CredentialsRefreshState GenerateNewCredentials()
             return new CredentialsRefreshState(credentials, credentials.Expiration);
         }
 
-#if AWS_ASYNC_API
         protected override async Task<CredentialsRefreshState> GenerateNewCredentialsAsync()
         {
             string token = null;
@@ -218,7 +215,6 @@ protected override async Task<CredentialsRefreshState> GenerateNewCredentialsAsy
             _logger.DebugFormat("New credentials created using assume role with web identity that expire at {0}", credentials.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
             return new CredentialsRefreshState(credentials, credentials.Expiration);
         }
-#endif
 
         /// <summary>
         /// Gets a client to be used for AssumeRoleWithWebIdentity requests.

sdk/src/Core/Amazon.Runtime/Credentials/DefaultInstanceProfileAWSCredentials.cs

@@ -81,7 +81,7 @@ private DefaultInstanceProfileAWSCredentials()
 
             _logger = Logger.GetLogger(typeof(DefaultInstanceProfileAWSCredentials));
 
-            _credentialsRetrieverTimer = new Timer(RenewCredentials, null, TimeSpan.Zero, _neverTimespan);
+            _credentialsRetrieverTimer = new Timer(RenewCredentials, null, TimeSpan.Zero, _neverTimespan); // This invokes synchronous calls in seperate thread.
         }
 
         #region Overrides
@@ -174,15 +174,94 @@ public override ImmutableCredentials GetCredentials()
             return credentials;
         }
 
-#if AWS_ASYNC_API
         /// <summary>
         /// Returns a copy of the most recent instance profile credentials.
         /// </summary>
-        public override Task<ImmutableCredentials> GetCredentialsAsync()
+        public override async Task<ImmutableCredentials> GetCredentialsAsync()
         {
-            return Task.FromResult<ImmutableCredentials>(GetCredentials());
+            CheckIsIMDSEnabled();
+            ImmutableCredentials credentials = null;
+
+            // Try to acquire read lock. The thread would be blocked if another thread has write lock.
+            if (_credentialsLock.TryEnterReadLock(_credentialsLockTimeout))
+            {
+                try
+                {
+                    if (null != _lastRetrievedCredentials)
+                    {
+                        if (_lastRetrievedCredentials.IsExpiredWithin(TimeSpan.Zero) &&
+                            !_imdsRefreshFailed)
+                        {
+                            // this is the first failure - immediately try to renew
+                            _imdsRefreshFailed = true;
+                            _lastRetrievedCredentials = await FetchCredentialsAsync().ConfigureAwait(false);
+                        }
+
+                        // if credentials are expired, we'll still return them, but log a message about
+                        // them being expired.
+                        if (_lastRetrievedCredentials.IsExpiredWithin(TimeSpan.Zero))
+                        {
+                            _logger.InfoFormat(_usingExpiredCredentialsFromIMDS);
+                        }
+                        else
+                        {
+                            _imdsRefreshFailed = false;
+                        }
+
+                        return _lastRetrievedCredentials?.Credentials.Copy();
+                    }
+                }
+                finally
+                {
+                    _credentialsLock.ExitReadLock();
+                }
+            }
+
+            // If there's no credentials cached, hit IMDS directly. Try to acquire write lock.
+            if (_credentialsLock.TryEnterWriteLock(_credentialsLockTimeout))
+            {
+                try
+                {
+                    // Check for last retrieved credentials again in case other thread might have already fetched it.
+                    if (null == _lastRetrievedCredentials)
+                    {
+                        _lastRetrievedCredentials = await FetchCredentialsAsync().ConfigureAwait(false);
+                    }
+
+                    if (_lastRetrievedCredentials.IsExpiredWithin(TimeSpan.Zero) &&
+                         !_imdsRefreshFailed)
+                    {
+                        // this is the first failure - immediately try to renew
+                        _imdsRefreshFailed = true;
+                        _lastRetrievedCredentials = await FetchCredentialsAsync().ConfigureAwait(false);
+                    }
+
+                    // if credentials are expired, we'll still return them, but log a message about
+                    // them being expired.
+                    if (_lastRetrievedCredentials.IsExpiredWithin(TimeSpan.Zero))
+                    {
+                        _logger.InfoFormat(_usingExpiredCredentialsFromIMDS);
+                    }
+                    else
+                    {
+                        _imdsRefreshFailed = false;
+                    }
+
+                    credentials = _lastRetrievedCredentials.Credentials?.Copy();
+                }
+                finally
+                {
+                    _credentialsLock.ExitWriteLock();
+                }
+            }
+
+            if (credentials == null)
+            {
+                throw new AmazonServiceException(FailedToGetCredentialsMessage);
+            }
+
+            return credentials;
         }
-#endif
 #endregion
 
         #region Private members
@@ -241,6 +320,28 @@ private static RefreshingAWSCredentials.CredentialsRefreshState FetchCredentials
             if (securityCredentials == null)
                 throw new AmazonServiceException("Unable to get IAM security credentials from EC2 Instance Metadata Service.");
 
+            IAMSecurityCredentialMetadata metadata = GetMetadataFromSecurityCredentials(securityCredentials);
+
+            return new RefreshingAWSCredentials.CredentialsRefreshState(
+                new ImmutableCredentials(metadata.AccessKeyId, metadata.SecretAccessKey, metadata.Token),
+                metadata.Expiration);
+        }
+
+        private static async Task<RefreshingAWSCredentials.CredentialsRefreshState> FetchCredentialsAsync()
+        {
+            var securityCredentials = await EC2InstanceMetadata.GetIAMSecurityCredentialsAsync().ConfigureAwait(false);
+            if (securityCredentials == null)
+                throw new AmazonServiceException("Unable to get IAM security credentials from EC2 Instance Metadata Service.");
+
+            IAMSecurityCredentialMetadata metadata = GetMetadataFromSecurityCredentials(securityCredentials);
+
+            return new RefreshingAWSCredentials.CredentialsRefreshState(
+                new ImmutableCredentials(metadata.AccessKeyId, metadata.SecretAccessKey, metadata.Token),
+                metadata.Expiration);
+        }
+
+        private static IAMSecurityCredentialMetadata GetMetadataFromSecurityCredentials(System.Collections.Generic.IDictionary<string, IAMSecurityCredentialMetadata> securityCredentials)
+        {
             string firstRole = null;
             foreach (var role in securityCredentials.Keys)
             {
@@ -255,9 +356,7 @@ private static RefreshingAWSCredentials.CredentialsRefreshState FetchCredentials
             if (metadata == null)
                 throw new AmazonServiceException("Unable to get credentials for role \"" + firstRole + "\" from EC2 Instance Metadata Service.");
 
-            return new RefreshingAWSCredentials.CredentialsRefreshState(
-                new ImmutableCredentials(metadata.AccessKeyId, metadata.SecretAccessKey, metadata.Token),
-                metadata.Expiration);
+            return metadata;
         }
 
         private static void CheckIsIMDSEnabled()

sdk/src/Core/Amazon.Runtime/Credentials/GenericContainerCredentials.cs

@@ -20,6 +20,7 @@
 using System.Globalization;
 using System.IO;
 using System.Linq;
+using System.Threading.Tasks;
 
 namespace Amazon.Runtime
 {
@@ -110,6 +111,47 @@ protected override CredentialsRefreshState GenerateNewCredentials()
             return new CredentialsRefreshState(new ImmutableCredentials(credentials.AccessKeyId, credentials.SecretAccessKey, credentials.Token), credentials.Expiration);
         }
 
+        protected override async Task<CredentialsRefreshState> GenerateNewCredentialsAsync()
+        {
+            SecurityCredentials credentials;
+            JitteredDelay retry = new JitteredDelay(TimeSpan.FromMilliseconds(200), TimeSpan.FromMilliseconds(50));
+
+            // Attempt to get the credentials 4 times ignoring null return/exceptions and on the 5th try, escalate the exception if there is one.
+            for (int i = 1; ; i++)
+            {
+                try
+                {
+                    var headers = CreateAuthorizationHeader();
+
+                    // This provider intentionally does not use a proxy when retrieving credentials from the determined endpoint.
+                    credentials = await GetObjectFromResponseAsync<SecurityCredentials, SecurityCredentialsJsonSerializerContexts>(ResolvedEndpointUri, proxy: null, headers).ConfigureAwait(false);
+                    if (credentials != null)
+                    {
+                        break;
+                    }
+                }
+                catch (Exception exception)
+                {
+                    if (i == MaxRetries)
+                    {
+                        // GetObjectFromResponse returns a "Unable to reach credentials server" generic message, but we'll check if there are inner exceptions available.
+                        // They may contain more details about the error (e.g. 500 Internal Server Error).
+                        while (exception.InnerException != null)
+                        {
+                            exception = exception.InnerException;
+                        }
+
+                        throw new AmazonServiceException(string.Format(CultureInfo.InvariantCulture, "Unable to retrieve credentials. Message = \"{0}\"", exception.Message));
+                    }
+                }
+                ;
+
+                AWSSDKUtils.Sleep(retry.Next());
+            }
+
+            return new CredentialsRefreshState(new ImmutableCredentials(credentials.AccessKeyId, credentials.SecretAccessKey, credentials.Token), credentials.Expiration);
+        }
+
         /// <summary>
         /// Determines the endpoint where the credentials retrieval request should be sent.
         /// This provider will respect the following sources, in order of priority, to determine the request URI: