resolved comments

Author: smilkuri

packages/credential-provider-imds/src/fromInstanceMetadata.e2e.spec.ts

@@ -24,10 +24,8 @@ describe("fromInstanceMetadata (Live EC2 E2E Tests)", () => {
     process.env = { ...originalEnv };
   });
 
-  it("should fetch metadata token successfully", async () => {
-    if (!imdsAvailable) {
-      return;
-    }
+  const test = imdsAvailable ? it : it.skip;
+  test("should fetch metadata token successfully", async () => {
     const options = {
       path: "/latest/api/token",
       method: "PUT",
@@ -42,7 +40,7 @@ describe("fromInstanceMetadata (Live EC2 E2E Tests)", () => {
     expect(token.length).toBeGreaterThan(0);
   });
 
-  it("retrieves credentials with account ID on allowlisted instances only)", async () => {
+  it("retrieves credentials successfully", async () => {
     if (!imdsAvailable) return;
 
     const provider = fromInstanceMetadata({ timeout: 1000, maxRetries: 2 });
@@ -52,10 +50,16 @@ describe("fromInstanceMetadata (Live EC2 E2E Tests)", () => {
     expect(credentials).toHaveProperty("secretAccessKey");
     expect(typeof credentials.accessKeyId).toBe("string");
     expect(typeof credentials.secretAccessKey).toBe("string");
+  });
+
+  it("retrieves credentials with account ID on allowlisted instances", async () => {
+    if (!imdsAvailable) return;
+
+    const provider = fromInstanceMetadata({ timeout: 1000, maxRetries: 2 });
+    const credentials = await provider();
 
     if (!credentials.accountId) {
-      console.log("Skipping account ID test not an allowlisted instance");
-      return;
+      it.skip("account ID test skipped - not an allowlisted instance", () => {});
     }
 
     expect(credentials.accountId).toBeDefined();

packages/credential-provider-imds/src/fromInstanceMetadata.spec.ts

@@ -266,7 +266,7 @@ describe("fromInstanceMetadata", () => {
       .mockResolvedValueOnce("." as any);
     vi.mocked(retry).mockImplementation((fn: any) => fn());
 
-    await expect(fromInstanceMetadata()()).rejects.toThrow("Unexpected token");
+    await expect(fromInstanceMetadata()()).rejects.toThrow("Failed to parse JSON from instance metadata service.");
     expect(retry).toHaveBeenCalledTimes(2);
     expect(httpRequest).toHaveBeenCalledTimes(3);
     expect(fromImdsCredentials).not.toHaveBeenCalled();

packages/credential-provider-imds/src/fromInstanceMetadata.ts

@@ -110,8 +110,8 @@ const getInstanceMetadataProvider = (init: RemoteProviderInit = {}) => {
   };
 
   return async () => {
-    const endpoint = await getInstanceMetadataEndpoint();
     await throwIfImdsTurnedOff(profile, logger);
+    const endpoint = await getInstanceMetadataEndpoint();
     if (disableFetchToken) {
       logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (no token fetch)");
       return getCredentials(maxRetries, { ...endpoint, timeout });
@@ -149,17 +149,11 @@ export const getImdsProfile = async (
   options: RequestOptions,
   maxRetries: number,
   init: RemoteProviderInit = {},
-  profile?: string,
-  resetCache?: boolean
+  profile?: string
 ): Promise<string> => {
   let apiVersion: "unknown" | "extended" | "legacy" = "unknown";
   let resolvedProfile: string | null = null;
 
-  // If resetCache is true, clear the cached profile name
-  if (resetCache) {
-    resolvedProfile = null;
-  }
-
   return retry<string>(async () => {
     // First check if a profile name is configured
     const configuredName = await getConfiguredProfileName(init, profile);
@@ -201,8 +195,8 @@ export const getMetadataToken = async (options: RequestOptions) =>
   });
 
 /**
- * @internal
  * Checks if IMDS credential fetching is disabled through configuration
+ * @internal
  */
 export const throwIfImdsTurnedOff = async (profile?: string, logger?: any): Promise<void> => {
   // Load configuration in priority order
@@ -236,8 +230,8 @@ export const throwIfImdsTurnedOff = async (profile?: string, logger?: any): Prom
 };
 
 /**
- * @internal
  * Gets configured profile name from various sources
+ *  @internal
  */
 export const getConfiguredProfileName = async (init: RemoteProviderInit, profile?: string): Promise<string | null> => {
   // Load configuration in priority order
@@ -264,8 +258,8 @@ export const getConfiguredProfileName = async (init: RemoteProviderInit, profile
 };
 
 /**
- * @internal
  * Gets credentials from profile
+ *  @internal
  */
 const getCredentialsFromProfile = async (profile: string, options: RequestOptions, init: RemoteProviderInit) => {
   // Try extended API first
@@ -280,7 +274,7 @@ const getCredentialsFromProfile = async (profile: string, options: RequestOption
         if (legacyError.statusCode === 404 && init.ec2InstanceProfileName === undefined) {
           // If legacy API also returns 404 and we're using a cached profile name,
           // the profile might have changed - clear cache and retry
-          const newProfileName = await getImdsProfile(options, init.maxRetries ?? 3, init, profile, true);
+          const newProfileName = await getImdsProfile(options, init.maxRetries ?? 3, init, profile);
           return getCredentialsFromProfile(newProfileName, options, init);
         }
         throw legacyError;
@@ -291,16 +285,21 @@ const getCredentialsFromProfile = async (profile: string, options: RequestOption
 };
 
 /**
- * @internal
  * Gets credentials from specified IMDS path
+ *  @internal
  */
 async function getCredentialsFromPath(path: string, options: RequestOptions) {
   const response = await httpRequest({
     ...options,
     path,
   });
 
-  const credentialsResponse = JSON.parse(response.toString());
+  let credentialsResponse;
+  try {
+    credentialsResponse = JSON.parse(response.toString());
+  } catch (error) {
+    throw new CredentialsProviderError("Failed to parse JSON from instance metadata service.");
+  }
 
   // Validate response
   if (!isImdsCredentials(credentialsResponse)) {