Wrap getCredentials() in a doPrivileged() block (#23297)

This commit fixes an issue that was missed in #22534.
`AWSCredentialsProvider.getCredentials()` appears to potentially open a
socket connect. This operation needed to be wrapped in `doPrivileged()`.

This should fix issue #23271.

Author: Tim-Brooks

plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java

@@ -25,6 +25,7 @@
 
 import com.amazonaws.ClientConfiguration;
 import com.amazonaws.Protocol;
+import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.BasicAWSCredentials;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
@@ -35,6 +36,7 @@
 import com.amazonaws.services.s3.S3ClientOptions;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.cloud.aws.util.SocketAccess;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
@@ -141,22 +143,30 @@ static ClientConfiguration buildConfiguration(Logger logger, Settings repository
 
     public static AWSCredentialsProvider buildCredentials(Logger logger, DeprecationLogger deprecationLogger,
                                                           Settings settings, Settings repositorySettings, String clientName) {
-        AWSCredentialsProvider credentials;
         try (SecureString key = getConfigValue(repositorySettings, settings, clientName, S3Repository.ACCESS_KEY_SETTING,
                                                S3Repository.Repository.KEY_SETTING, S3Repository.Repositories.KEY_SETTING);
              SecureString secret = getConfigValue(repositorySettings, settings, clientName, S3Repository.SECRET_KEY_SETTING,
                                                   S3Repository.Repository.SECRET_SETTING, S3Repository.Repositories.SECRET_SETTING)) {
 
             if (key.length() == 0 && secret.length() == 0) {
                 logger.debug("Using instance profile credentials");
-                credentials = new InstanceProfileCredentialsProvider();
+                AWSCredentialsProvider credentials = new InstanceProfileCredentialsProvider();
+                return new AWSCredentialsProvider() {
+                    @Override
+                    public AWSCredentials getCredentials() {
+                        return SocketAccess.doPrivileged(credentials::getCredentials);
+                    }
+
+                    @Override
+                    public void refresh() {
+                        SocketAccess.doPrivilegedVoid(credentials::refresh);
+                    }
+                };
             } else {
                 logger.debug("Using basic key/secret credentials");
-                credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
+                return new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
             }
         }
-
-        return credentials;
     }
 
     // pkg private for tests