Add Azure IMDS Support via Multi-Cloud Metadata Provider by Paramadon · Pull Request #1991 · aws/amazon-cloudwatch-agent

Paramadon · 2026-01-21T21:58:29Z

Add Azure IMDS Support via Multi-Cloud Metadata Provider

Problem

CloudWatch Agent currently only supports AWS metadata via EC2 IMDS. To enable Azure deployments, we need a way to fetch instance metadata (instance ID, region, subscription ID, private IP, etc.) from Azure IMDS while maintaining the existing AWS functionality.

Solution

Introduce a cloud metadata provider interface with AWS and Azure implementations. The provider auto-detects the cloud environment at agent startup and provides a unified API for fetching instance metadata.

Architecture

┌─────────────────────────────────────┐ │ Agent Startup │ │ (amazon-cloudwatch-agent.go) │ │ │ │ cloudmetadata.InitGlobalProvider() │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ Global Singleton │ │ (global.go) │ │ │ │ • sync.Once initialization │ │ • GetGlobalProvider() │ │ • GetGlobalProviderOrNil() │ └─────────────────┬───────────────────┘ │ ▼ ┌─────────────────────────────────────┐ │ Factory │ │ (factory.go) │ │ │ │ DetectCloudProvider(): │ │ 1. Check Azure DMI/SMBIOS │ │ 2. Check AWS (ec2util) │ │ 3. Return Unknown │ └─────────────────┬───────────────────┘ │ ┌────────────────────┴────────────────────┐ │ │ ▼ ▼ ┌──────────────────────────┐ ┌──────────────────────────┐ │ AWS Provider │ │ Azure Provider │ │ (aws/provider.go) │ │ (azure/provider.go) │ │ │ │ │ │ Wraps ec2util singleton │ │ Calls Azure IMDS: │ │ • GetInstanceID() │ │ • /metadata/instance/ │ │ • GetRegion() │ │ compute │ │ • GetAccountID() │ │ • /metadata/instance/ │ │ • GetPrivateIP() │ │ network │ │ • GetHostname() │ │ │ └────────────┬─────────────┘ └────────────┬─────────────┘ │ │ ▼ ▼ ┌──────────────────────────┐ ┌──────────────────────────┐ │ EC2 IMDS │ │ Azure IMDS │ │ 169.254.169.254 │ │ 169.254.169.254 │ └──────────────────────────┘ └──────────────────────────┘ ┌─────────────────────────────────────┐ │ Config Translation │ │ (placeholderUtil.go) │ │ │ │ GetGlobalProviderOrNil() to │ │ resolve ${aws:...} ${azure:...} │ │ placeholders │ └─────────────────────────────────────┘

Key Design Decisions:

Decision	Rationale
Provider interface	Unified API for AWS and Azure metadata
Azure detection first	DMI check is fast and local (no network)
Singleton pattern	One-time initialization at agent startup
Graceful degradation	Agent continues if metadata unavailable
Backward compatible	AWS code paths unchanged

Changes

New Cloud Metadata Provider (internal/cloudmetadata/)

Provider interface with methods for instance ID, region, account ID, hostname, private IP
Singleton management via InitGlobalProvider() and GetGlobalProvider()
Factory with cloud detection (DMI-based for Azure, ec2util for AWS)
Mock provider for testing

AWS Provider (internal/cloudmetadata/aws/)

Wraps existing ec2util.GetEC2UtilSingleton()
No changes to AWS metadata fetching logic

Azure Provider (internal/cloudmetadata/azure/)

Fetches compute metadata from Azure IMDS (/metadata/instance/compute)
Fetches network metadata for private IP (/metadata/instance/network)
Returns subscription ID, location, VM ID, VM size, resource group, etc.

Agent Integration

Provider initialized in cmd/amazon-cloudwatch-agent/amazon-cloudwatch-agent.go
Logs warning but continues if initialization fails

Config Placeholder Support

placeholderUtil.go uses provider for ${aws:...} and ${azure:...} placeholders
Falls back to existing code if provider unavailable

Testing

Unit Tests

40+ tests covering provider interface, singleton, AWS provider, Azure provider
Race detection clean

Manual Verification

AWS EC2 (us-west-2): Provider detects AWS, metadata fetched correctly
Azure VM (eastus2): Provider detects Azure, IMDS metadata fetched correctly

chadpatel · 2026-01-26T19:20:10Z

+	// Initialize global cloud metadata provider early (non-blocking with timeout)
+	// Covers all agent modes (logs-only and OTEL)
+	log.Println("I! [agent] Initializing cloud metadata provider...")
+	initCtx, cancel := context.WithTimeout(ctx, 5*time.Second)


should this magic number be defined elsewhere? Should it be configurable?

looks async so its probably fine but can it slow down initialization? What if it fails?

some features may be limited, I guess that means we can't get things from Azure or AWS IMDS

Conceptually are we supporting a whole new modality, supporting the scenario where the cloud metadata provider cannot be initialized?

Not sure the answer will keep thinking as I review

Rename unused 'r' parameter to '_' in TestProvider_Refresh_Timeout to satisfy revive linter.

The return statement in InitGlobalProvider was reading globalErr without holding the lock, causing a race with concurrent readers.

sync.Once cannot be safely reset while concurrent Do() calls may be in progress. Replace with atomic uint32 flag and double-checked locking pattern, which allows safe reset from tests without racing.

- Reset global provider in TestTranslator to ensure test uses mock metadata - Update placeholderUtil tests to use SetGlobalProviderForTest instead of relying on legacy fallback path which doesn't work on Azure - Skip TestGetMetadataInfo_FallbackToLegacy on Azure since azure.IsAzure() takes precedence over the legacy fallback path

The test was resetting the global provider but then calling GetMetadataInfo which falls through to the Azure path on Azure CI runners. Now we set the mock provider first so GetMetadataInfo uses it instead of Azure IMDS.

jefchien · 2026-02-11T16:28:06Z

+	metadata ec2metadataprovider.MetadataProvider
+
+	// Cached metadata (fetched once at initialization)
+	mu               sync.RWMutex


If it's only fetched once, consider using sync.Once, so we don't have to lock and unlock on each Get* call.

mutex is needed because Refresh() can update the cached values. While we fetch once at initialization, the interface supports refreshing (used by ec2tagger for periodic updates). The lock protects against concurrent reads during refresh.

jefchien · 2026-02-11T16:35:09Z

+// IsAzure detects if running on Azure using multiple methods:
+// IsAzure detects if running on Azure.
+// Detection order:
+// 1. DMI sys_vendor check
+// 2. DMI chassis asset tag check (Azure-specific)
+// 3. IMDS probe as fallback (for containers without DMI access)
+func IsAzure() bool {
+	// 1. Check sys_vendor for Microsoft
+	if data, err := os.ReadFile(DMISysVendorPath); err == nil {
+		if strings.Contains(strings.TrimSpace(string(data)), microsoftCorporation) {
+			return true
+		}
+	}
+
+	// 3. Check chassis asset tag (Azure-specific identifier)
+	if data, err := os.ReadFile(DMIChassisAssetPath); err == nil {
+		if strings.TrimSpace(string(data)) == azureChassisAssetTag {
+			return true
+		}
+	}
+
+	// 3. IMDS probe fallback (for containers without DMI)
+	if probeAzureIMDS() {
+		return true
+	}
+
+	return false
+}


I wonder if this is over-engineered. Why do we need all of these checks? The OTEL resourcedetection processor (https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.145.0/internal/metadataproviders/azure/metadata.go) is able to detect if it's azure just by checking the IMDS endpoint.

Agree. updated to just check IMDS. I think this was from the original PR with that DMI is supposed to be much quicker than IMDS.

jefchien · 2026-02-11T16:37:41Z

+// GetImageID returns a composite image identifier
+// Azure doesn't have a single image ID like AWS AMI
+// We return the VM ID as identifier
+func (p *Provider) GetImageID() string {


Isn't this misleading? Why not just not support it similar to how the the AWS provider doesn't support ResourceGroup.

You are right. removed the comments. both providers support refresh

github-actions · 2026-02-20T00:17:32Z

This PR was marked stale due to lack of activity.

movence · 2026-02-23T16:42:15Z

Closing in favor of #2032

Paramadon force-pushed the paramadon/multi-cloud-imds branch 2 times, most recently from 726d806 to 251ef82 Compare January 22, 2026 20:33

Paramadon changed the title ~~Implmenting Azure IMDS changes on the agent~~ Add Azure IMDS Support via Multi-Cloud Metadata Provider Jan 22, 2026

Paramadon force-pushed the paramadon/multi-cloud-imds branch 8 times, most recently from af1485e to ac45e79 Compare January 22, 2026 21:46

Paramadon marked this pull request as ready for review January 23, 2026 20:42

Paramadon requested a review from a team as a code owner January 23, 2026 20:42

Paramadon added the ready for testing Indicates this PR is ready for integration tests to run label Jan 23, 2026

Paramadon marked this pull request as draft January 23, 2026 21:31

Paramadon marked this pull request as ready for review January 23, 2026 21:31

chadpatel reviewed Jan 26, 2026

View reviewed changes

movence changed the base branch from main to feature-multi-cloud February 2, 2026 14:09

jefchien reviewed Feb 4, 2026

View reviewed changes

movence force-pushed the feature-multi-cloud branch from 1a4b2ce to 620362c Compare February 11, 2026 14:56

Paramadon and others added 10 commits February 11, 2026 15:03

Implmenting Azure IMDS changes on the agent

5500dd0

Adding minor comments

2ccbe06

Fixing build

744d6ca

Fix unused-parameter lint error in provider_test.go

8c0eb7a

Rename unused 'r' parameter to '_' in TestProvider_Refresh_Timeout to satisfy revive linter.

Fix data race: read globalErr under mutex lock

7f3b046

The return statement in InitGlobalProvider was reading globalErr without holding the lock, causing a race with concurrent readers.

Replace sync.Once with atomic flag for race-safe test reset

c3996fb

sync.Once cannot be safely reset while concurrent Do() calls may be in progress. Replace with atomic uint32 flag and double-checked locking pattern, which allows safe reset from tests without racing.

minor updates and refactoring

1ed7a3d

replace ec2util with metadata provider

e7f71a7

movence added 2 commits February 11, 2026 15:11

fmt

456ed46

fixes after rebase

f970232

movence force-pushed the paramadon/multi-cloud-imds branch from 30d6b51 to f970232 Compare February 11, 2026 15:47

movence added 2 commits February 11, 2026 16:09

lint

9505717

fix test

c5c7e8d

jefchien reviewed Feb 11, 2026

View reviewed changes

github-actions bot added Stale and removed Stale labels Feb 20, 2026

movence closed this Feb 23, 2026

Conversation

Paramadon commented Jan 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!