@regar42 regar42 commented Nov 23, 2025

Summary by CodeRabbit

New Features

  • Added support for AWS credentials in containerized environments, with container credentials automatically checked as part of the credential fallback chain


- Move container credentials logic out of the IMDSv1 function
- Prioritize it over IMDSv2 like before durch#378
coderabbitai bot commented Nov 23, 2025

Walkthrough

Support for container-based AWS credential retrieval is added via a new from_container_credentials_provider() method that reads the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable and fetches credentials from container metadata endpoints. A new NotContainer error variant handles missing container context. The container credentials path is integrated into the existing from_sts_env() credential chain, and the from_instance_metadata() method is simplified to focus on EC2 IAM role retrieval.

Changes

Cohort / File(s): Summary

  • Container Credentials Provider (aws-creds/src/credentials.rs, aws-creds/src/error.rs): New public method from_container_credentials_provider() (gated by the http-credentials feature) reads AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, fetches credentials from the container metadata endpoint, and maps the response to a Credentials instance. New NotContainer error variant added to CredentialsError to indicate missing container context.
  • Credential Resolution Chain Integration (aws-creds/src/credentials.rs): from_sts_env() modified to include the container credentials path as part of the fallback chain. from_instance_metadata() refactored to remove the ECS-relative-URI branch, simplifying it to EC2 IAM role retrieval via the standard metadata endpoint.

Sequence Diagram

sequenceDiagram
    participant Code as Credential Resolver
    participant Env as Environment
    participant Container as Container Metadata<br/>(if available)
    participant EC2 as EC2 Metadata<br/>(if available)

    Code->>Env: Check AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
    alt Container environment detected
        Code->>Container: Fetch credentials from<br/>container endpoint
        Container-->>Code: Return credentials
    else Not in container
        Code->>Env: Check for EC2 IAM role
        Code->>EC2: Fetch role credentials
        EC2-->>Code: Return credentials
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Container metadata endpoint integration: Verify correct URL construction from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and HTTP request handling
  • Error variant usage: Confirm NotContainer is returned appropriately when environment variable is absent
  • Fallback chain logic: Ensure from_container_credentials_provider() integrates seamlessly into from_sts_env() without breaking existing paths
  • Instance metadata refactoring: Validate that removal of ECS-relative-URI branch doesn't break EC2 IAM role credential retrieval
  • Feature flag correctness: Confirm #[cfg(feature = "http-credentials")] guards are properly applied to the new method

Poem

🐇 A container hops into view,
Credentials tucked in AWS dew,
No IAM role to chase,
Metadata greets us face-to-face,
The fallback chain now knows what's true! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name / Status / Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately reflects the main change: prioritizing ECS/EKS container credentials over EC2 instance metadata credentials, which aligns with the PR objectives and code changes.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
aws-creds/src/error.rs (1)

7-8: New NotContainer variant is consistent with existing error model, but note semver impact

The new NotContainer case mirrors NotEc2 nicely and gives a clear signal for non-container environments. Just be aware this is a public enum, so adding a variant can break downstream exhaustive matches on CredentialsError; if you care about strict semver for this crate, consider calling this out in the changelog or marking the enum #[non_exhaustive] in a future breaking release.

aws-creds/src/credentials.rs (1)

330-350: Container credentials provider looks correct; consider minor robustness improvements

The implementation matches the ECS task credentials model well:

  • It keys off AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and returns NotContainer when unset, which is exactly what you need for chaining.
  • It targets http://169.254.170.2{RELATIVE_URI} and reuses CredentialsFromInstanceMetadata, aligning the JSON shape with the existing IMDS parsing.
  • The mapping into Credentials is consistent with the IMDS flows (security_token populated from token, session_token left None).

Two optional follow-ups you might consider (non-blocking):

  1. Support AWS_CONTAINER_CREDENTIALS_FULL_URI as well
    AWS also exposes container credentials via a full URI env var; handling that as a first branch and falling back to RELATIVE_URI would make this more broadly compatible.

  2. Reuse the existing HTTP helper for consistency
    You could slightly simplify and standardize behavior by going through http_get (or a small shared helper) instead of inlining apply_timeout(attohttpc::get(...)).send()?, mirroring how STS requests are made.

If you’d like, I can sketch a small refactor that adds FULL_URI support while keeping behavior unchanged for existing callers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d88c5f4 and c8909e6.

📒 Files selected for processing (2)
  • aws-creds/src/credentials.rs (2 hunks)
  • aws-creds/src/error.rs (1 hunks)
🔇 Additional comments (2)
aws-creds/src/credentials.rs (2)

296-301: Credential resolution order now correctly prefers ECS/EKS over EC2 instance metadata

Placing from_container_credentials_provider() between from_sts_env("aws-creds") and the IMDSv2/IMDSv1 calls achieves the stated goal: when AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is present, container credentials win over EC2 instance metadata; when it’s absent, the chain naturally falls through to IMDSv2 then IMDSv1. The error mapping to NoCredentials at the end keeps the external behavior stable.


353-369: IMDSv1 path cleanly separated from container logic and guarded by is_ec2

The new from_instance_metadata implementation is focused solely on EC2 IMDSv1:

  • Early is_ec2 check with NotEc2 preserves the previous “don’t hit metadata off-EC2” behavior.
  • Role name and credentials are fetched via the standard IMDSv1 URLs, using the same CredentialsFromInstanceMetadata struct as other flows.
  • Container-specific handling is gone from here, which avoids conflating ECS/EKS with raw EC2 metadata and matches the new container provider design.

This separation aligns well with the PR goal and keeps the IMDSv1 code straightforward.
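The two behaviours discussed in this review, the container provider's URL construction with a NotContainer fallthrough (including the reviewer's suggested AWS_CONTAINER_CREDENTIALS_FULL_URI branch) and the resolution order STS/env, container, IMDSv2, IMDSv1 ending in NoCredentials, are shown together below as an added example. This is not code from the aws-creds crate: the environment is injected as a map instead of read via std::env, no HTTP request is made (each provider returns a label instead of parsed credentials), CredentialsError is a trimmed model containing only the variants named in the review, and the provider names and the constructed sample values are assumptions.

```rust
use std::collections::HashMap;
use std::fmt;

/// Trimmed model of the crate's public error enum (assumed; only the
/// variants the review mentions are included).
#[derive(Debug, PartialEq)]
pub enum CredentialsError {
    NotContainer,
    NotEc2,
    NoCredentials,
}

impl fmt::Display for CredentialsError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:?}", self)
    }
}

/// Link-local host that serves ECS/EKS task credentials.
pub const CONTAINER_METADATA_HOST: &str = "http://169.254.170.2";

/// URL the container provider would fetch. The full-URI variable wins when
/// present (reviewer follow-up #1); otherwise the relative URI is appended to
/// the link-local host. With neither set, NotContainer lets the chain fall
/// through instead of touching the network.
pub fn container_credentials_url(env: &HashMap<String, String>) -> Result<String, CredentialsError> {
    if let Some(full) = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") {
        if !full.is_empty() {
            return Ok(full.clone());
        }
    }
    match env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
        Some(rel) if !rel.is_empty() => Ok(format!("{}{}", CONTAINER_METADATA_HOST, rel)),
        _ => Err(CredentialsError::NotContainer),
    }
}

/// Try providers in order: the first Ok wins, every Err falls through, and an
/// exhausted chain is mapped to NoCredentials so the external error stays stable.
pub fn resolve(
    chain: &[(&str, &dyn Fn() -> Result<String, CredentialsError>)],
) -> Result<(String, String), CredentialsError> {
    for (name, provider) in chain {
        if let Ok(cred) = provider() {
            return Ok((name.to_string(), cred));
        }
    }
    Err(CredentialsError::NoCredentials)
}

/// The order this PR establishes. `on_ec2` stands in for the crate's is_ec2
/// gate; the IMDS providers only "succeed" when it is true.
pub fn resolve_with_env(
    env: &HashMap<String, String>,
    on_ec2: bool,
) -> Result<(String, String), CredentialsError> {
    // Static keys modelled as the from_sts_env() step (assumption: key id present means success).
    let sts_env = || env.get("AWS_ACCESS_KEY_ID").cloned().ok_or(CredentialsError::NoCredentials);
    // Container step: only the URL is computed here, no request is sent.
    let container = || container_credentials_url(env).map(|u| format!("container:{}", u));
    // IMDSv2 and IMDSv1 share the is_ec2 guard and return NotEc2 off-instance.
    let imds = || if on_ec2 { Ok("imds".to_string()) } else { Err(CredentialsError::NotEc2) };

    let chain: [(&str, &dyn Fn() -> Result<String, CredentialsError>); 4] = [
        ("sts_env", &sts_env),
        ("container", &container),
        ("imdsv2", &imds),
        ("imdsv1", &imds),
    ];
    resolve(&chain)
}

fn main() {
    // Constructed sample environment: a task-style relative URI, no static keys.
    let mut env = HashMap::new();
    env.insert(
        "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI".to_string(),
        "/v2/credentials/EXAMPLE-TASK-ID".to_string(),
    );
    match resolve_with_env(&env, true) {
        Ok((source, cred)) => println!("resolved via {}: {}", source, cred),
        Err(e) => println!("no credentials: {}", e),
    }
}
```

Running the block shows the container step winning even though the IMDS providers would also succeed, which is the ordering the PR title promises; clearing the relative URI makes the same call resolve via imdsv2.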
