From bd359d0753325c3823c290d2b5715f7c5f63abab Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Thu, 3 Feb 2022 10:05:06 -0800
Subject: [PATCH 1/3] Set token create time before the request
---
 .../lib/aws-sdk-core/ec2_metadata.rb | 5 +--
 .../instance_profile_credentials.rb | 31 ++++++++++++++-----
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/ec2_metadata.rb b/gems/aws-sdk-core/lib/aws-sdk-core/ec2_metadata.rb
index e5212aa4a65..8f4a6aa57ff 100644
--- a/gems/aws-sdk-core/lib/aws-sdk-core/ec2_metadata.rb
+++ b/gems/aws-sdk-core/lib/aws-sdk-core/ec2_metadata.rb
@@ -136,8 +136,9 @@ def resolve_endpoint(endpoint, endpoint_mode)
 def fetch_token
 open_connection do |conn|
+ created_time = Time.now
 token_value, token_ttl = http_put(conn, @token_ttl)
- @token = Token.new(value: token_value, ttl: token_ttl)
+ @token = Token.new(value: token_value, ttl: token_ttl, created_time: created_time)
 end
 end
@@ -222,7 +223,7 @@ class Token
 def initialize(options = {})
 @ttl = options[:ttl]
 @value = options[:value]
- @created_time = Time.now
+ @created_time = options[:created_time] || Time.now
 end
 # [String] Returns the token value.
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb b/gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb
index d27d06a01ec..bb937931ee1 100644
--- a/gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb
+++ b/gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb
@@ -153,10 +153,11 @@ def get_credentials
 begin
 retry_errors(NETWORK_ERRORS, max_retries: @retries) do
 unless token_set?
+ created_time = Time.now
 token_value, ttl = http_put(
 conn, METADATA_TOKEN_PATH, @token_ttl
 )
- @token = Token.new(token_value, ttl) if token_value && ttl
+ @token = Token.new(token_value, ttl, created_time) if token_value && ttl
 end
 end
 rescue *NETWORK_ERRORS
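Review bot: `created_time = Time.now` in fetch_token stamps the token with wall-clock time, so if the expiry check in Token (not in this patch) also compares against Time.now, a backwards clock step on the instance makes an already-expired token look fresh and the next GET comes back 401. Sampling before the PUT is the right direction; `created_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)` paired with the same clock in the expiry comparison would remove the dependence on wall-clock stability, but since that comparison is outside these hunks I would at least record the assumption with `# wall-clock stamp taken before the PUT; expiry math assumes the clock does not step backwards`. The same pattern appears in the instance_profile_credentials hunk at -153,10 and in both Token initializers, so one fix should cover all four sites.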
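Review bot: The new `options[:created_time]` key in Token#initialize is undocumented, while the surrounding class annotates its accessors (`# [String] Returns the token value.`); a YARD line such as `# @option options [Time] :created_time stamp taken before the token PUT (defaults to Time.now)` would tell callers the value is expected to be sampled before the request so that expiry is estimated conservatively rather than optimistically. The class Token continues outside the hunk.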
@@ -166,9 +167,17 @@ def get_credentials
 end
 token = @token.value if token_set?
- metadata = http_get(conn, METADATA_PATH_BASE, token)
- profile_name = metadata.lines.first.strip
- http_get(conn, METADATA_PATH_BASE + profile_name, token)
+
+ begin
+ metadata = http_get(conn, METADATA_PATH_BASE, token)
+ profile_name = metadata.lines.first.strip
+ http_get(conn, METADATA_PATH_BASE + profile_name, token)
+ rescue TokenExpiredError
+ # Token has expired, reset it
+ # The next retry should fetch it
+ @token = nil
+ raise Non200Response
+ end
 end
 end
 rescue
@@ -200,9 +209,15 @@ def http_get(connection, path, token = nil)
 headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
 headers['x-aws-ec2-metadata-token'] = token if token
 response = connection.request(Net::HTTP::Get.new(path, headers))
- raise Non200Response unless response.code.to_i == 200
- response.body
+ case response.code.to_i
+ when 200
+ response.body
+ when 401
+ raise TokenExpiredError
+ else
+ raise Non200Response
+ end
 end
 # PUT request fetch token with ttl
@@ -244,10 +259,10 @@ def retry_errors(error_classes, options = {}, &_block)
 # @api private
 # Token used to fetch IMDS profile and credentials
 class Token
- def initialize(value, ttl)
+ def initialize(value, ttl, created_time = Time.now)
 @ttl = ttl
 @value = value
- @created_time = Time.now
+ @created_time = created_time
 end
 # [String] token value
From 5b5b8b0e653df72c898db302e31ab75e7f1f1fb0 Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Thu, 3 Feb 2022 10:06:48 -0800
Subject: [PATCH 2/3] Add changelog
---
 gems/aws-sdk-core/CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index b3c392eaa74..2b7222adfb6 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
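Review bot: The `rescue TokenExpiredError` branch in get_credentials also runs when `token` is nil — the token-less path the preceding hunk's `rescue *NETWORK_ERRORS` leaves you on — because IMDS returns 401 to requests without a token when IMDSv2 is enforced, so `@token = nil` is a no-op there and the comment `# Token has expired, reset it` does not describe that case. Recovery depends on an outer retry loop outside this hunk re-entering the `unless token_set?` block; worth confirming it rescues Non200Response and that an expired token costs only one attempt of the retry budget. A comment like `# 401: token missing, rejected or expired; drop it so the next retry fetches a fresh one` keeps the branch accurate without changing behaviour. get_credentials starts and ends outside the hunk.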
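Review bot: `raise TokenExpiredError` in http_get references a class that no hunk in this patch defines; if it is not already declared in this file, the new 401 branch fails with NameError instead of triggering the token reset, and the failure would surface only at token expiry in production. Worth a grep before merge, and a one-line `class TokenExpiredError < RuntimeError; end` alongside wherever Non200Response is declared if it is missing. http_get's signature is the hunk's context line; the rest of the method is within the hunk.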
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
+* Issue - Set `create_time` on IMDS tokens before fetch to reduce chance of using expired tokens.
+
 * Feature - Add support for recursion detection.
 3.125.6 (2022-02-02)
From 05304bddfc678117b34c79cf857dd572d1776542 Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Mon, 14 Feb 2022 09:27:53 -0800
Subject: [PATCH 3/3] Update changelog
---
 gems/aws-sdk-core/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index 8a8c4a57fd9..5c02f34e709 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,7 +1,7 @@
 Unreleased Changes
 ------------------
-* Issue - Set `create_time` on IMDS tokens before fetch to reduce chance of using expired tokens.
+* Issue - Set `create_time` on IMDS tokens before fetch to reduce chance of using expired tokens and retry failures due to using expired tokens.
 3.126.0 (2022-02-03)
 ------------------