address PR comments

Author: smilkuri

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

@@ -3,8 +3,7 @@ import { CredentialsProviderError } from "@smithy/property-provider";
 import { afterEach, beforeEach, describe, expect, test as it, vi } from "vitest";
 
 import { InstanceMetadataV1FallbackError } from "./error/InstanceMetadataV1FallbackError";
-import { checkIfImdsDisabled, fromInstanceMetadata } from "./fromInstanceMetadata";
-import * as fromInstanceMetadataModule from "./fromInstanceMetadata";
+import { fromInstanceMetadata,getConfiguredProfileName, getImdsProfile, throwIfImdsTurnedOff } from "./fromInstanceMetadata";
 import { httpRequest } from "./remoteProvider/httpRequest";
 import { fromImdsCredentials, isImdsCredentials } from "./remoteProvider/ImdsCredentials";
 import { providerConfigFromInit } from "./remoteProvider/RemoteProviderInit";
@@ -67,7 +66,7 @@ describe("fromInstanceMetadata", () => {
     vi.mocked(staticStabilityProvider).mockImplementation((input) => input);
     vi.mocked(getInstanceMetadataEndpoint).mockResolvedValue({ hostname } as any);
     vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(false));
-    vi.spyOn(fromInstanceMetadataModule, "checkIfImdsDisabled").mockResolvedValue(undefined);
+    vi.spyOn({throwIfImdsTurnedOff}, "throwIfImdsTurnedOff").mockResolvedValue(undefined);
     (isImdsCredentials as unknown as any).mockReturnValue(true);
     vi.mocked(providerConfigFromInit).mockReturnValue({
       timeout: mockTimeout,
@@ -80,8 +79,16 @@ describe("fromInstanceMetadata", () => {
   });
 
   it("returns no credentials when AWS_EC2_METADATA_DISABLED=true", async () => {
-    vi.mocked(loadConfig).mockReturnValueOnce(() => Promise.resolve(true));
-    vi.mocked(fromInstanceMetadataModule.checkIfImdsDisabled).mockRejectedValueOnce(
+  vi.mocked(loadConfig).mockImplementation(({ environmentVariableSelector, configFileSelector }) => {
+    if (environmentVariableSelector && environmentVariableSelector({ AWS_EC2_METADATA_DISABLED: "true" })) {
+      return () => Promise.resolve(true);
+    }
+    if (configFileSelector && configFileSelector({ imds_disabled: "true" })) {
+      return () => Promise.resolve(true);
+    }
+    return () => Promise.resolve(false);
+  });
+    vi.spyOn({throwIfImdsTurnedOff},"throwIfImdsTurnedOff").mockRejectedValueOnce(
       new CredentialsProviderError("IMDS credential fetching is disabled")
     );
     const provider = fromInstanceMetadata({});
@@ -100,10 +107,10 @@ describe("fromInstanceMetadata", () => {
     vi.mocked(retry).mockImplementation((fn: any) => fn());
     vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
 
-    const result = await fromInstanceMetadata({ ec2InstanceProfileName: profileName })();
+    const credentials = await fromInstanceMetadata({ ec2InstanceProfileName: profileName })();
 
-    expect(result).toEqual(mockCreds);
-    expect(result.accountId).toBe(mockCreds.accountId);
+    expect(credentials).toEqual(mockCreds);
+    expect(credentials.accountId).toBe(mockCreds.accountId);
 
     expect(httpRequest).toHaveBeenCalledTimes(2);
     expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
@@ -124,10 +131,10 @@ describe("fromInstanceMetadata", () => {
 
     const provider = fromInstanceMetadata({});
 
-    const result = await provider();
+    const credentials = await provider();
 
-    expect(result).toEqual(mockCreds);
-    expect(result.accountId).toBe(mockCreds.accountId);
+    expect(credentials).toEqual(mockCreds);
+    expect(credentials.accountId).toBe(mockCreds.accountId);
 
     expect(httpRequest).toHaveBeenCalledTimes(3);
     expect(httpRequest).toHaveBeenNthCalledWith(1, mockTokenRequestOptions);
@@ -165,7 +172,7 @@ describe("fromInstanceMetadata", () => {
 
     vi.mocked(retry).mockImplementation((fn: any) => fn());
     vi.mocked(fromImdsCredentials).mockReturnValue(mockCreds);
-    vi.mocked(checkIfImdsDisabled).mockReturnValueOnce(Promise.resolve());
+     vi.spyOn({throwIfImdsTurnedOff}, "throwIfImdsTurnedOff").mockResolvedValue();
 
     await expect(fromInstanceMetadata()()).resolves.toEqual(mockCreds);
     expect(httpRequest).toHaveBeenNthCalledWith(3, {
@@ -282,7 +289,7 @@ describe("fromInstanceMetadata", () => {
     expect(vi.mocked(staticStabilityProvider)).toBeCalledTimes(1);
   });
 
-  describe("getImdsProfileHelper", () => {
+  describe("getImdsProfile", () => {
     beforeEach(() => {
       vi.mocked(httpRequest).mockClear();
       vi.mocked(loadConfig).mockClear();
@@ -291,29 +298,27 @@ describe("fromInstanceMetadata", () => {
 
     it("uses ec2InstanceProfileName from init if provided", async () => {
       const profileName = "profile-from-init";
-      const options = { hostname } as any;
+      const options = { hostname } ;
 
-      // Only use vi.spyOn for imported functions
-      vi.spyOn(fromInstanceMetadataModule, "getConfiguredProfileName").mockResolvedValueOnce(profileName);
+      vi.spyOn({getConfiguredProfileName}, "getConfiguredProfileName").mockResolvedValueOnce(profileName);
 
-      const result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {
+      const credentials = await getImdsProfile(options, mockMaxRetries, {
         ec2InstanceProfileName: profileName,
       });
 
-      expect(result).toBe(profileName);
+      expect(credentials).toBe(profileName);
       expect(httpRequest).not.toHaveBeenCalled();
     });
 
     it("uses environment variable if ec2InstanceProfileName not provided", async () => {
       const envProfileName = "profile-from-env";
       const options = { hostname } as any;
 
-      // Mock loadConfig to simulate env variable present
       vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(envProfileName));
 
-      const result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
+      const credentials = await getImdsProfile(options, mockMaxRetries, {});
 
-      expect(result).toBe(envProfileName);
+      expect(credentials).toBe(envProfileName);
       expect(httpRequest).not.toHaveBeenCalled();
     });
 
@@ -322,21 +327,19 @@ describe("fromInstanceMetadata", () => {
       const legacyProfileName = "profile-from-legacy";
       const options = { hostname } as any;
 
-      // 1. Simulate config file present: should return configProfileName, no IMDS call
       vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(configProfileName));
 
-      let result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
-      expect(result).toBe(configProfileName);
+      let credentials = await getImdsProfile(options, mockMaxRetries, {});
+      expect(credentials).toBe(configProfileName);
       expect(httpRequest).not.toHaveBeenCalled();
 
-      // 2. Simulate config file missing: should call IMDS (extended fails, legacy succeeds)
       vi.mocked(loadConfig).mockReturnValue(() => Promise.resolve(null));
       vi.mocked(httpRequest)
         .mockRejectedValueOnce(Object.assign(new Error(), { statusCode: 404 }))
         .mockResolvedValueOnce(legacyProfileName as any);
 
-      result = await fromInstanceMetadataModule.getImdsProfileHelper(options, mockMaxRetries, {});
-      expect(result).toBe(legacyProfileName);
+      credentials = await getImdsProfile(options, mockMaxRetries, {});
+      expect(credentials).toBe(legacyProfileName);
       expect(httpRequest).toHaveBeenCalledTimes(2);
       expect(httpRequest).toHaveBeenNthCalledWith(1, {
         ...options,

packages/credential-provider-imds/src/fromInstanceMetadata.ts

@@ -48,7 +48,7 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
     const isImdsV1Fallback = disableFetchToken || options.headers?.[X_AWS_EC2_METADATA_TOKEN] == null;
 
     if (isImdsV1Fallback) {
-      await checkIfImdsDisabled(profile, logger);
+      await throwIfImdsTurnedOff(profile, logger);
       let fallbackBlockedFromProfile = false;
       let fallbackBlockedFromProcessEnv = false;
 
@@ -93,7 +93,7 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
       }
     }
 
-    const imdsProfile = await getImdsProfileHelper(options, maxRetries, init, profile);
+    const imdsProfile = await getImdsProfile(options, maxRetries, init, profile);
 
     return retry(async () => {
       let creds: AwsCredentialIdentity;
@@ -111,7 +111,7 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
 
   return async () => {
     const endpoint = await getInstanceMetadataEndpoint();
-    await checkIfImdsDisabled(profile, logger);
+    await throwIfImdsTurnedOff(profile, logger);
     if (disableFetchToken) {
       logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (no token fetch)");
       return getCredentials(maxRetries, { ...endpoint, timeout });
@@ -145,7 +145,7 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
  * @internal
  * Gets IMDS profile with proper error handling and retries
  */
-export const getImdsProfileHelper = async (
+export const getImdsProfile = async (
   options: RequestOptions,
   maxRetries: number,
   init: RemoteProviderInit = {},
@@ -169,8 +169,6 @@ export const getImdsProfileHelper = async (
     if (resolvedProfile) {
       return resolvedProfile;
     }
-    // If no configured name, fetch profile name from IMDS
-    try {
       // Try extended API first
       try {
         const response = await httpRequest({ ...options, path: IMDS_EXTENDED_PATH });
@@ -189,9 +187,6 @@ export const getImdsProfileHelper = async (
           throw error;
         }
       }
-    } catch (err) {
-      throw err;
-    }
   }, maxRetries);
 };
 
@@ -209,7 +204,7 @@ const getMetadataToken = async (options: RequestOptions) =>
  * @internal
  * Checks if IMDS credential fetching is disabled through configuration
  */
-export const checkIfImdsDisabled = async (profile?: string, logger?: any): Promise<void> => {
+export const throwIfImdsTurnedOff = async (profile?: string, logger?: any): Promise<void> => {
   // Load configuration in priority order
   const disableImds = await loadConfig(
     {
@@ -252,7 +247,7 @@ export const getConfiguredProfileName = async (init: RemoteProviderInit, profile
   )();
 
   // Check runtime config (highest priority)
-  const name = init.ec2InstanceProfileName || profileName;
+  const name = init.ec2InstanceProfileName ?? profileName;
 
   // Validate if name is provided but empty
   if (typeof name === "string" && name.trim() === "") {
@@ -279,8 +274,7 @@ const getCredentialsFromProfile = async (profile: string, options: RequestOption
         if (legacyError.statusCode === 404 && init.ec2InstanceProfileName === undefined) {
           // If legacy API also returns 404 and we're using a cached profile name,
           // the profile might have changed - clear cache and retry
-          const resolvedProfile = null;
-          const newProfileName = await getImdsProfileHelper(options, init.maxRetries ?? 3, init, profile, true);
+          const newProfileName = await getImdsProfile(options, init.maxRetries ?? 3, init, profile, true);
           return getCredentialsFromProfile(newProfileName, options, init);
         }
         throw legacyError;