Merge pull request #1981 from aws/staging/56041e2f-715e-44b1-a45e-644ef07e8386

Pull request: release <- staging/56041e2f-715e-44b1-a45e-644ef07e8386

Author: aws-sdk-java-automation

.changes/2.17.164.json

@@ -0,0 +1,42 @@
+{
+    "version": "2.17.164",
+    "date": "2022-04-05",
+    "entries": [
+        {
+            "type": "feature",
+            "category": "AWS SDK for Java v2",
+            "contributor": "",
+            "description": "Bump CRT version to `0.16.1`."
+        },
+        {
+            "type": "bugfix",
+            "category": "AWS SDK for Java v2",
+            "contributor": "",
+            "description": "Refresh IMDS credentials more aggressively."
+        },
+        {
+            "type": "feature",
+            "category": "AWS S3 Control",
+            "contributor": "",
+            "description": "Documentation-only update for doc bug fixes for the S3 Control API docs."
+        },
+        {
+            "type": "feature",
+            "category": "AWS SecurityHub",
+            "contributor": "",
+            "description": "Added additional ASFF details for RdsSecurityGroup AutoScalingGroup, ElbLoadBalancer, CodeBuildProject and RedshiftCluster."
+        },
+        {
+            "type": "feature",
+            "category": "AWS DataSync",
+            "contributor": "",
+            "description": "AWS DataSync now supports Amazon FSx for OpenZFS locations."
+        },
+        {
+            "type": "feature",
+            "category": "Amazon FSx",
+            "contributor": "",
+            "description": "Provide customers more visibility into file system status by adding new \"Misconfigured Unavailable\" status for Amazon FSx for Windows File Server."
+        }
+    ]
+}

CHANGELOG.md

@@ -1,3 +1,27 @@
+# __2.17.164__ __2022-04-05__
+## __AWS DataSync__
+  - ### Features
+    - AWS DataSync now supports Amazon FSx for OpenZFS locations.
+
+## __AWS S3 Control__
+  - ### Features
+    - Documentation-only update for doc bug fixes for the S3 Control API docs.
+
+## __AWS SDK for Java v2__
+  - ### Features
+    - Bump CRT version to `0.16.1`.
+
+  - ### Bugfixes
+    - Refresh IMDS credentials more aggressively.
+
+## __AWS SecurityHub__
+  - ### Features
+    - Added additional ASFF details for RdsSecurityGroup AutoScalingGroup, ElbLoadBalancer, CodeBuildProject and RedshiftCluster.
+
+## __Amazon FSx__
+  - ### Features
+    - Provide customers more visibility into file system status by adding new "Misconfigured Unavailable" status for Amazon FSx for Windows File Server.
+
 # __2.17.163__ __2022-04-04__
 ## __AWS IoT__
   - ### Features

README.md

@@ -52,7 +52,7 @@ To automatically manage module versions (currently all modules have the same ver
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>bom</artifactId>
-      <version>2.17.163</version>
+      <version>2.17.164</version>
       <type>pom</type>
       <scope>import</scope>
     </dependency>
@@ -86,12 +86,12 @@ Alternatively you can add dependencies for the specific services you use only:
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>ec2</artifactId>
-  <version>2.17.163</version>
+  <version>2.17.164</version>
 </dependency>
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>s3</artifactId>
-  <version>2.17.163</version>
+  <version>2.17.164</version>
 </dependency>
 ```
 
@@ -103,7 +103,7 @@ You can import the whole SDK into your project (includes *ALL* services). Please
 <dependency>
   <groupId>software.amazon.awssdk</groupId>
   <artifactId>aws-sdk-java</artifactId>
-  <version>2.17.163</version>
+  <version>2.17.164</version>
 </dependency>
 ```
 

archetypes/archetype-app-quickstart/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

archetypes/archetype-lambda/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>archetype-lambda</artifactId>

archetypes/archetype-tools/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>archetypes</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

archetypes/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>aws-sdk-java-pom</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>archetypes</artifactId>

aws-sdk-java/pom.xml

@@ -17,7 +17,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>aws-sdk-java</artifactId>

bom-internal/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>aws-sdk-java-pom</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

bom/pom.xml

@@ -17,7 +17,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>bom</artifactId>

bundle/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <artifactId>bundle</artifactId>
     <packaging>jar</packaging>

codegen-lite-maven-plugin/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>codegen-lite-maven-plugin</artifactId>

codegen-lite/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <artifactId>codegen-lite</artifactId>
     <name>AWS Java SDK :: Code Generator Lite</name>

codegen-maven-plugin/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>codegen-maven-plugin</artifactId>

codegen/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>aws-sdk-java-pom</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <artifactId>codegen</artifactId>
     <name>AWS Java SDK :: Code Generator</name>

core/annotations/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

core/arns/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

core/auth-crt/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
 
     <artifactId>auth-crt</artifactId>

core/auth/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
 
     <artifactId>auth</artifactId>

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java

@@ -15,8 +15,9 @@
 
 package software.amazon.awssdk.auth.credentials;
 
-import static java.time.temporal.ChronoUnit.HOURS;
 import static java.time.temporal.ChronoUnit.MINUTES;
+import static java.time.temporal.ChronoUnit.SECONDS;
+import static software.amazon.awssdk.utils.ComparableUtils.minimum;
 
 import java.io.IOException;
 import java.net.URI;
@@ -156,24 +157,39 @@ private boolean isLocalCredentialLoadingDisabled() {
 
     private Instant prefetchTime(Instant expiration) {
         Instant now = clock.instant();
-        Instant oneHourFromNow = now.plus(1, HOURS);
 
-        // If expiration time is infinite or farther out than an hour, wait an hour before refreshing
-        if (expiration == null || expiration.isAfter(oneHourFromNow)) {
-            return oneHourFromNow;
+        // If expiration time doesn't exist, refresh in 60 minutes
+        if (expiration == null) {
+            return now.plus(60, MINUTES);
         }
 
-        // If expiration time is within 15 minutes (or in the past), wait 15 minutes and warn the customer that they'll be using
-        // expired credentials.
-        Instant fifteenMinutesFromNow = now.plus(15, MINUTES);
-        if (expiration.isBefore(fifteenMinutesFromNow)) {
-            log.warn(() -> "IMDS credential expiration has been extended due to an IMDS availability outage. A refresh"
-                           + " of these credentials will be attempted again in 15 minutes.");
-            return fifteenMinutesFromNow;
+        // If expiration time is 60+ minutes from now, refresh in 60 minutes or 60 minutes before expiration, whichever is
+        // sooner. This is the average case, where customers are using IMDS and there is no IMDS outage.
+        Instant sixtyMinutesBeforeExpiration = expiration.minus(60, MINUTES);
+        if (now.isBefore(sixtyMinutesBeforeExpiration)) {
+            return minimum(sixtyMinutesBeforeExpiration, now.plus(60, MINUTES));
         }
 
-        // Otherwise, just refresh 15 minutes before the credentials expire.
-        return expiration.minus(15, MINUTES);
+        // If expiration time is 5-60 minutes from now, refresh in 30 minutes or 5 minutes before expiration, whatever is
+        // sooner. This is an unusual case: IMDS is either having an outage or the customer is using a mock IMDS with shorter
+        // default session durations.
+        Instant fiveMinutesBeforeExpiration = expiration.minus(5, MINUTES);
+        if (now.isBefore(fiveMinutesBeforeExpiration)) {
+            return minimum(fiveMinutesBeforeExpiration, now.plus(30, MINUTES));
+        }
+
+        // If expiration time is 0.25-5 minutes from now, refresh 15 seconds before expiration. This is an unusual case: IMDS is
+        // either having an outage or the customer is using a mock IMDS with very aggressive session durations.
+        Instant fifteenSecondsBeforeExpiration = expiration.minus(15, SECONDS);
+        if (now.isBefore(fifteenSecondsBeforeExpiration)) {
+            return fifteenSecondsBeforeExpiration;
+        }
+
+        // These credentials are expired. Try refreshing again in 5 minutes. We can't be more aggressive than that, because we
+        // don't want to overload the IMDS endpoint.
+        log.warn(() -> "IMDS credential expiration has been extended due to an IMDS availability outage. A refresh "
+                       + "of these credentials will be attempted again in 5 minutes.");
+        return now.plus(5, MINUTES);
     }
 
     @Override

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProviderTest.java

@@ -24,6 +24,8 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
 import static java.time.temporal.ChronoUnit.HOURS;
+import static java.time.temporal.ChronoUnit.MINUTES;
+import static java.time.temporal.ChronoUnit.SECONDS;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
@@ -335,6 +337,46 @@ public void resolveCredentials_usesCacheIfImdsFailsOnSecondCall() {
         assertThat(credentialsBefore).isEqualTo(credentialsAfter);
     }
 
+    @Test
+    public void resolveCredentials_callsImdsIfCredentialsWithin5MinutesOfExpiration() {
+        AdjustableClock clock = new AdjustableClock();
+        AwsCredentialsProvider credentialsProvider = credentialsProviderWithClock(clock);
+        Instant now = Instant.now();
+        String successfulCredentialsResponse1 =
+            "{"
+            + "\"AccessKeyId\":\"ACCESS_KEY_ID\","
+            + "\"SecretAccessKey\":\"SECRET_ACCESS_KEY\","
+            + "\"Expiration\":\"" + DateUtils.formatIso8601Date(now) + '"'
+            + "}";
+
+        String successfulCredentialsResponse2 =
+            "{"
+            + "\"AccessKeyId\":\"ACCESS_KEY_ID\","
+            + "\"SecretAccessKey\":\"SECRET_ACCESS_KEY2\","
+            + "\"Expiration\":\"" + DateUtils.formatIso8601Date(now.plus(6, HOURS)) + '"'
+            + "}";
+
+        // Set the time to the past and call IMDS to prime the cache
+        clock.time = now.minus(24, HOURS);
+        stubCredentialsResponse(aResponse().withBody(successfulCredentialsResponse1));
+        AwsCredentials credentials24HoursAgo = credentialsProvider.resolveCredentials();
+
+        // Set the time to 3 minutes before expiration, and fail to call IMDS
+        clock.time = now.minus(3, MINUTES);
+        stubCredentialsResponse(aResponse().withStatus(500));
+        AwsCredentials credentials3MinutesAgo = credentialsProvider.resolveCredentials();
+
+        // Set the time to 10 seconds before expiration, and verify that we still call IMDS to try to get credentials in at the
+        // last moment before expiration
+        clock.time = now.minus(10, SECONDS);
+        stubCredentialsResponse(aResponse().withBody(successfulCredentialsResponse2));
+        AwsCredentials credentials10SecondsAgo = credentialsProvider.resolveCredentials();
+
+        assertThat(credentials24HoursAgo).isEqualTo(credentials3MinutesAgo);
+        assertThat(credentials24HoursAgo.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY");
+        assertThat(credentials10SecondsAgo.secretAccessKey()).isEqualTo("SECRET_ACCESS_KEY2");
+    }
+
     private AwsCredentialsProvider credentialsProviderWithClock(Clock clock) {
         InstanceProfileCredentialsProvider.BuilderImpl builder =
             (InstanceProfileCredentialsProvider.BuilderImpl) InstanceProfileCredentialsProvider.builder();

core/aws-core/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>core</artifactId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
 
     <artifactId>aws-core</artifactId>

core/json-utils/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

core/metrics-spi/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>core</artifactId>
         <groupId>software.amazon.awssdk</groupId>
-        <version>2.17.163</version>
+        <version>2.17.164</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>