From e22c1cd9a1a6226c47b99ef232568880c9a85f80 Mon Sep 17 00:00:00 2001
From: Jesse Tuglu
Date: Fri, 26 Jun 2026 16:26:58 -0700
Subject: [PATCH] fix: allow IPv6 EKS Pod Identity host regardless of IMDS endpoint mode
ContainerCredentialsProvider rejects the EKS Pod Identity IPv6 endpoint (http://[fd00:ec2::23]/v1/credentials) unless AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE was explicitly set to IPV6. That variable configures the EC2 IMDS endpoint (169.254.169.254 vs [fd00:ec2::254]) which is (I believe?) a separate subsystem from the container credentials endpoint and EKS Pod Identity never sets it, so it defaults to the IPv4 allowlist. This behavior rejects valid IPv6 loopback hosts. This change aligns the Java SDK with the C++, Python (botocore), Go v2, and JS v3 SDKs, all of which allow the EKS IPv6 host unconditionally. Related issue: aws/containers-roadmap#2683.
---
 .../credentials/ContainerCredentialsProvider.java | 6 +-----
 .../ContainerCredentialsEndpointProviderTest.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.java b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.java
index 5fefed5e8d65..57d14ba41164 100644
--- a/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.java
+++ b/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsProvider.java
@@ -307,11 +307,7 @@ private boolean matchesAllowedHostRules(InetAddress inetAddress) {
 }
 public boolean isMetadataServiceEndpoint(String host) {
- String mode = SdkSystemSetting.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE.getStringValueOrThrow();
- if ("IPV6".equalsIgnoreCase(mode)) {
- return VALID_LOOP_BACK_IPV6.contains(host);
- }
- return VALID_LOOP_BACK_IPV4.contains(host);
+ return VALID_LOOP_BACK_IPV4.contains(host) || VALID_LOOP_BACK_IPV6.contains(host);
 }
 }
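Review bot: isMetadataServiceEndpoint now admits either allowlisted host but still carries no Javadoc saying what that admission unlocks; the name and the neighbouring `matchesAllowedHostRules` suggest this is the gate that lets a non-TLS container credentials URI through, so the widening deserves a comment on the method. Something like `/** True when {@code host} (as URI.getHost() returns it, so bracketed for IPv6) is exactly one of the allowlisted IMDS/EKS Pod Identity hosts. Exact string compare; deliberately ignores AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE, which governs IMDS rather than the container endpoint. */`. Two consequences are worth stating there: the endpoint-mode setting is no longer read at all here, so whatever `getStringValueOrThrow()` would have raised for a bad value is now never raised, and an IPv4 host is now accepted even when the mode is IPV6, which the removed branch rejected. Because the sets are matched by exact string, alternative spellings of the same IPv6 address (uppercase hex, expanded zeros, a zone id) are refused, which is fail-closed and fine but should be documented rather than discovered. The enclosing class continues outside the hunk.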
diff --git a/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsEndpointProviderTest.java b/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsEndpointProviderTest.java
index 01b3d73416f9..d59c85f6b689 100644
--- a/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsEndpointProviderTest.java
+++ b/core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ContainerCredentialsEndpointProviderTest.java
@@ -164,6 +164,20 @@ private static Stream requestConstruction() { .headers(new HashMap<>()) .build())), + // EKS Pod Identity sets the IPv6 container URI but does NOT set + AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE (that controls IMDS, not the + container credentials endpoint). The IPv6 host must be allowed with the + mode left at its IPv4 default. + Arguments.of("http link-local EKS URI with IPv6, default endpoint mode", Collections.singletonList(Pair.of(FULL_URI_ENV, EKS_CONTAINER_HOST_IPV6 + "/credentials")), EKS_CONTAINER_HOST_IPV6 + "/credentials", new Result().type("success").sdkRequest( SdkHttpFullRequest.builder() .uri(URI.create(EKS_CONTAINER_HOST_IPV6 + "/credentials")) .method(SdkHttpMethod.GET) .headers(new HashMap<>()) .build())), + Arguments.of("complex full URI", Collections.singletonList(Pair.of(FULL_URI_ENV, COMPLEX_URI)), COMPLEX_URI,
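Review bot: The new case pins only one half of the widening, the IPv6 host with the endpoint mode unset. The same change also makes the IPv4 EKS host acceptable when AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE is explicitly IPV6 (the removed branch consulted only the IPv6 set in that mode), and that direction has no test. A mirror case built the way the existing ones are, with an env list along the lines of `Arrays.asList(Pair.of(FULL_URI_ENV, <ipv4 EKS host constant> + "/credentials"), Pair.of("AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE", "IPV6"))` and a success Result, would close it. Since this allowlist appears to be what permits plain-http credential retrieval, a non-success case for an unlisted bracketed IPv6 http host is also worth adding if the suite does not already have one, so the boundary of the allowlist is pinned and not just its members. requestConstruction() starts and ends outside the hunk.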