smithy-lang / smithy-typescript

Smithy code generators for TypeScript. (in development)
Apache License 2.0

Credentials from EKS Pod Identity causing error #1143

Closed armsnyder closed 4 months ago

armsnyder commented 8 months ago

Background

AWS EKS recently announced EKS Pod Identities in November, which is a new way to provide credentials to AWS SDKs when running inside EKS. Previously, the recommended way was IAM Roles for Service Accounts.

The error

I tried setting this up for my app, which is using the latest @aws/client-s3 package (version 3.490.0). However, I am getting this error:

[Nest] 22  - 01/14/2024, 5:21:05 AM   ERROR [ExceptionsHandler] 169.254.170.23 is not a valid container metadata service hostname
CredentialsProviderError: 169.254.170.23 is not a valid container metadata service hostname
    at getCmdsUri (/app/node_modules/@smithy/credential-provider-imds/dist-cjs/fromContainerMetadata.js:57:19)
    at /app/node_modules/@smithy/credential-provider-imds/dist-cjs/fromContainerMetadata.js:16:38
    at retry (/app/node_modules/@smithy/credential-provider-imds/dist-cjs/remoteProvider/retry.js:5:19)
    at /app/node_modules/@smithy/credential-provider-imds/dist-cjs/fromContainerMetadata.js:15:36
    at /app/node_modules/@smithy/property-provider/dist-cjs/chain.js:12:39
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async coalesceProvider (/app/node_modules/@smithy/property-provider/dist-cjs/memoize.js:14:24)
    at async SignatureV4S3Express.credentialProvider (/app/node_modules/@smithy/property-provider/dist-cjs/memoize.js:33:24)
    at async SignatureV4S3Express.signRequest (/app/node_modules/@smithy/signature-v4/dist-cjs/SignatureV4.js:106:29)
    at async /app/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:28:25

Reason for error

The reason for the error is that the EKS Pod Identity's pod mutation webhook works by setting these two environment variables on the app:

- name: AWS_CONTAINER_CREDENTIALS_FULL_URI
  value: http://169.254.170.23/v1/credentials
- name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
  value: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token

And the AWS_CONTAINER_CREDENTIALS_FULL_URI is rejected by this code:

https://github.com/smithy-lang/smithy-typescript/blob/1ae1f4c6138f1463dd254d2b17d714a0b20c2eed/packages/credential-provider-imds/src/fromContainerMetadata.ts#L79-L82

Potential solution

Looking at other official AWS SDKs which do work with EKS Pod Identity credentials, they have some more IPs that they allow when specifying a URI:

https://github.com/aws/aws-sdk-go-v2/blob/a7db10670faedd542dc92cec6d0c602e5315a3a9/config/resolve_credentials.go#L33-L52

I think we just need to make sure these are all supported here as well.
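The hostname check the report points at, as an added example that is not smithy-typescript's own code: it parses AWS_CONTAINER_CREDENTIALS_FULL_URI, refuses any host outside an allowlist, and reads the token that the second injected variable names. The allowlist is the security control here, since the provider sends the authorization token to whatever endpoint the variable names, so an unexpected host must be rejected rather than contacted. The loopback-only list reproduces the rejection in the stack trace; the extended list adds the EKS Pod Identity address from the issue. The function names, the presence of 169.254.170.2 (taken from the Go SDK list the issue links to), the inline AWS_CONTAINER_AUTHORIZATION_TOKEN fallback and the sample environment are assumptions.

```typescript
// Added example (not smithy-typescript's code): host validation for the
// container credential endpoint. Host lists, names and sample data are assumptions.

export class CredentialsProviderError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "CredentialsProviderError";
  }
}

// Loopback-only allowlist: the behaviour the stack trace in the issue shows,
// under which 169.254.170.23 is rejected.
export const LEGACY_ALLOWED_HOSTS: ReadonlySet<string> = new Set(["localhost", "127.0.0.1"]);

// Allowlist extended with the link-local address the EKS Pod Identity webhook
// injects (169.254.170.23, from the issue). 169.254.170.2 is the ECS agent
// address and is assumed here from the Go SDK list the issue links to.
export const EXTENDED_ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "localhost",
  "127.0.0.1",
  "169.254.170.2",
  "169.254.170.23",
]);

export type Env = Record<string, string | undefined>;

export interface CmdsTarget {
  protocol: "http:" | "https:";
  hostname: string;
  port?: number;
  path: string;
}

function parseUri(fullUri: string): URL {
  try {
    return new URL(fullUri);
  } catch {
    throw new CredentialsProviderError(`${fullUri} is not a valid URI`);
  }
}

// Parse AWS_CONTAINER_CREDENTIALS_FULL_URI and refuse any host outside the
// allowlist, so an environment variable pointing at an arbitrary host is never
// honoured with the authorization token.
export function getCmdsUri(env: Env, allowedHosts: ReadonlySet<string> = EXTENDED_ALLOWED_HOSTS): CmdsTarget {
  const fullUri = env["AWS_CONTAINER_CREDENTIALS_FULL_URI"];
  if (!fullUri) {
    throw new CredentialsProviderError("AWS_CONTAINER_CREDENTIALS_FULL_URI is not set");
  }
  const parsed = parseUri(fullUri);
  if (!allowedHosts.has(parsed.hostname)) {
    throw new CredentialsProviderError(`${parsed.hostname} is not a valid container metadata service hostname`);
  }
  const protocol = parsed.protocol;
  if (protocol !== "http:" && protocol !== "https:") {
    throw new CredentialsProviderError(`${protocol} is not a valid container metadata service protocol`);
  }
  return {
    protocol,
    hostname: parsed.hostname,
    port: parsed.port ? Number(parsed.port) : undefined,
    path: parsed.pathname + parsed.search,
  };
}

// Resolve the token for the Authorization header. EKS Pod Identity supplies it
// via AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (from the issue); the inline
// AWS_CONTAINER_AUTHORIZATION_TOKEN form is assumed. `readFile` is injected so
// the example runs without touching the real filesystem.
export function resolveAuthorizationToken(env: Env, readFile: (path: string) => string): string | undefined {
  const inline = env["AWS_CONTAINER_AUTHORIZATION_TOKEN"];
  if (inline) return inline;
  const tokenFile = env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"];
  if (!tokenFile) return undefined;
  return readFile(tokenFile).trim();
}

// Constructed sample: the environment the issue says the webhook injects.
const TOKEN_FILE = "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token";
export const EKS_POD_IDENTITY_ENV: Env = {
  AWS_CONTAINER_CREDENTIALS_FULL_URI: "http://169.254.170.23/v1/credentials",
  AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: TOKEN_FILE,
};

// Constructed in-memory stand-in for the mounted token file.
export const FAKE_FILES: Record<string, string> = {
  [TOKEN_FILE]: "example-pod-identity-token\n",
};

// Outcome of the same environment under each allowlist, with the error text
// captured when it is rejected.
export function compareAllowlists(env: Env): { legacy: string; extended: string } {
  const attempt = (hosts: ReadonlySet<string>): string => {
    try {
      const t = getCmdsUri(env, hosts);
      return `accepted ${t.hostname}${t.path}`;
    } catch (e) {
      return `rejected: ${(e as Error).message}`;
    }
  };
  return { legacy: attempt(LEGACY_ALLOWED_HOSTS), extended: attempt(EXTENDED_ALLOWED_HOSTS) };
}
```

Running `compareAllowlists(EKS_POD_IDENTITY_ENV)` yields the same "is not a valid container metadata service hostname" message as the stack trace under the loopback-only list and an accepted target under the extended one, while a URI naming any other host is still rejected under both.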

kuhe commented 5 months ago

This should be possible in the latest version of the AWS SDK for JavaScript v3, since the fromHttp provider, documented here https://www.npmjs.com/package/@aws-sdk/credential-providers, has been added to the default credential chain.

You can also opt to use fromHttp directly in older versions of the SDK clients.

fromHttp is a general form of the fromContainerMetadata functionality.