Add external account on ECS support.

foundation/auth/src/token_source/external_account_source/aws_subject_token_source.rs

@@ -25,6 +25,7 @@ const AWS_REGION: &str = "AWS_REGION";
 const AWS_SECRET_ACCESS_KEY: &str = "AWS_SECRET_ACCESS_KEY";
 const AWS_SESSION_TOKEN: &str = "AWS_SESSION_TOKEN";
 const AWS_IMDS_V2_SESSION_TOKEN_HEADER: &str = "X-aws-ec2-metadata-token";
+const AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: &str = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
 
 pub struct AWSSubjectTokenSource {
     subject_token_url: Url,
@@ -54,7 +55,12 @@ impl AWSSubjectTokenSource {
             None
         };
 
-        let credentials = get_security_credentials(&aws_session_token, &value.url).await?;
+        let credentials =
+            if let Some(credentials_relative_uri) = std::env::var(AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).ok() {
+                get_security_credentials_on_ecs(&credentials_relative_uri).await?
+            } else {
+                get_security_credentials(&aws_session_token, &value.url).await?
+            };
         let region = get_region(&aws_session_token, &value.region_url).await?;
 
         let url = value
@@ -284,6 +290,17 @@ async fn get_security_credentials(
     Ok(cred)
 }
 
+async fn get_security_credentials_on_ecs(credentials_relative_uri: &str) -> Result<AWSSecurityCredentials, Error> {
+    let client = default_http_client();
+    let builder = client.get(format!("http://169.254.170.2{credentials_relative_uri}"));
+    let response = builder.send().await?;
+    if !response.status().is_success() {
+        return Err(Error::UnexpectedStatusOnGetCredentials(response.status().as_u16()));
+    }
+
+    response.json().await.map_err(Error::from)
+}
+
 async fn get_region(temporary_session_token: &Option<String>, url: &Option<String>) -> Result<String, Error> {
     if can_retrieve_region_from_environment() {
         if let Ok(region) = var(AWS_REGION) {