diff --git a/packages/core/src/submodules/client/setFeature.ts b/packages/core/src/submodules/client/setFeature.ts index 01f0a436fca5c..a525e790260bc 100644 --- a/packages/core/src/submodules/client/setFeature.ts +++ b/packages/core/src/submodules/client/setFeature.ts @@ -1,4 +1,9 @@ -import type { AwsHandlerExecutionContext, AwsSdkFeatures } from "@aws-sdk/types"; +import type { + AttributedAwsCredentialIdentity, + AwsHandlerExecutionContext, + AwsSdkCredentialsFeatures, + AwsSdkFeatures, +} from "@aws-sdk/types"; /** * @internal @@ -24,3 +29,20 @@ export function setFeature( } context.__aws_sdk_context.features![feature] = value; } + +/** + * @internal + * + * sets feature attribution on the credential object. + */ +export function setCredentialFeature( + credentials: AttributedAwsCredentialIdentity, + feature: F, + value: AwsSdkCredentialsFeatures[F] +): AttributedAwsCredentialIdentity { + if (!credentials.$source) { + credentials.$source = {}; + } + credentials.$source![feature] = value; + return credentials; +} diff --git a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts index c70d7a9e37d52..5d19419bccb50 100644 --- a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts +++ b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts @@ -1,3 +1,5 @@ +import { setCredentialFeature } from "@aws-sdk/core/client"; +import { AttributedAwsCredentialIdentity } from "@aws-sdk/types"; import { doesIdentityRequireRefresh, isIdentityExpired, 
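Review bot: `setCredentialFeature` in setFeature.ts writes `$source` onto the object it is handed, and the doc comment does not say the argument is mutated. The resolveAwsSdkSigV4Config.ts hunk in this commit calls it on identities returned by a user-supplied provider, so a frozen or non-extensible identity object would make `credentials.$source = {}` throw in strict-mode module code and fail the request; whether such inputs occur is not visible here. Either document the mutation (`Mutates and returns the given credentials object.`) or return a copy with `return { ...credentials, $source: { ...credentials.$source, [feature]: value } };`, in which case the callers in fromEnv.ts that ignore the return value must use it. The `!` in `credentials.$source![feature]` is redundant after the guard above it.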
@@ -102,9 +104,11 @@ export interface AwsSdkSigV4AuthResolvedConfig { export const resolveAwsSdkSigV4Config = ( config: T & AwsSdkSigV4AuthInputConfig & AwsSdkSigV4PreviouslyResolved ): T & AwsSdkSigV4AuthResolvedConfig => { + let isUserSupplied = false; // Normalize credentials let normalizedCreds: AwsCredentialIdentityProvider | undefined; if (config.credentials) { + isUserSupplied = true; normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh); } if (!normalizedCreds) { @@ -218,7 +222,12 @@ export const resolveAwsSdkSigV4Config = ( ...config, systemClockOffset, signingEscapePath, - credentials: normalizedCreds!, + credentials: isUserSupplied + ? async () => + normalizedCreds!().then((creds: AttributedAwsCredentialIdentity) => + setCredentialFeature(creds, "CREDENTIALS_CODE", "e") + ) + : normalizedCreds!, signer, }; }; diff --git a/packages/credential-provider-env/src/fromEnv.ts b/packages/credential-provider-env/src/fromEnv.ts index 71215e3f83f0b..60e63489e06d3 100644 --- a/packages/credential-provider-env/src/fromEnv.ts +++ b/packages/credential-provider-env/src/fromEnv.ts @@ -1,4 +1,5 @@ -import type { CredentialProviderOptions } from "@aws-sdk/types"; +import { setCredentialFeature } from "@aws-sdk/core/client"; +import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types"; import { CredentialsProviderError } from "@smithy/property-provider"; import { AwsCredentialIdentityProvider } from "@smithy/types"; 
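Review bot: The wrapper installed for user-supplied credentials in `resolveAwsSdkSigV4Config`, `async () => normalizedCreds!().then(...)`, takes no parameters, so whatever a caller passes to `config.credentials(...)` is dropped before it reaches the memoized provider. If the function returned by `memoizeIdentityProvider` accepts options such as `forceRefresh` (its signature is not visible in this hunk), a forced refresh after expired or rejected credentials would be silently ignored on this path only. Forward the argument and keep to one async style: `async (options) => setCredentialFeature(await normalizedCreds!(options), "CREDENTIALS_CODE", "e")`, with `options` typed as the provider's own parameter. The function body starts and ends outside the hunk.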
@@ -48,14 +49,19 @@ export const fromEnv = const accountId: string | undefined = process.env[ENV_ACCOUNT_ID]; if (accessKeyId && secretAccessKey) { - return { + const credentials = { accessKeyId, secretAccessKey, ...(sessionToken && { sessionToken }), ...(expiry && { expiration: new Date(expiry) }), ...(credentialScope && { credentialScope }), ...(accountId && { accountId }), - }; + } as AttributedAwsCredentialIdentity; + setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g"); + if (accountId) { + setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); + } + return credentials; } throw new CredentialsProviderError("Unable to find environment variable credentials.", { logger: init?.logger }); diff --git a/packages/credential-provider-web-identity/src/fromTokenFile.ts b/packages/credential-provider-web-identity/src/fromTokenFile.ts index fc39fc626e305..881e5cf54d635 100644 --- a/packages/credential-provider-web-identity/src/fromTokenFile.ts +++ b/packages/credential-provider-web-identity/src/fromTokenFile.ts @@ -1,4 +1,5 @@ -import { CredentialProviderOptions } from "@aws-sdk/types"; +import { setCredentialFeature } from "@aws-sdk/core/client"; +import { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types"; import { CredentialsProviderError } from "@smithy/property-provider"; import type { AwsCredentialIdentityProvider } from "@smithy/types"; import { readFileSync } from "fs"; @@ -40,10 +41,16 @@ export const fromTokenFile = }); } - return fromWebToken({ + const credentials: AttributedAwsCredentialIdentity = await fromWebToken({ ...init, webIdentityToken: readFileSync(webIdentityTokenFile, { encoding: "ascii" }), roleArn, roleSessionName, })(); + + if (process.env[ENV_TOKEN_FILE]) { + setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h"); + } + + return credentials; }; diff --git a/packages/types/src/feature-ids.ts b/packages/types/src/feature-ids.ts index 7dc1b9078aedf..6464a693651b6 100644 
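Review bot: In `fromEnv`, the new object literal is cast with `as AttributedAwsCredentialIdentity`, which turns off the missing- and excess-property checks on the object that carries the secret key and session token. A declaration keeps those checks and should compile, since the same literal was previously returned directly: `const credentials: AttributedAwsCredentialIdentity = { accessKeyId, secretAccessKey, ... };`. The enclosing function starts outside the hunk.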
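Review bot: The added check `if (process.env[ENV_TOKEN_FILE])` in `fromTokenFile` tags the credentials whenever the variable is set, not when it supplied the path that was actually read. `webIdentityTokenFile` is resolved above the hunk; if it can also come from `init`, a path given in code would still be reported as `CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN`. The variable is also re-read after the `await`, so it may differ from the value used. Comparing against the resolved value is tighter: `if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE])`.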
--- a/packages/types/src/feature-ids.ts +++ b/packages/types/src/feature-ids.ts @@ -21,7 +21,6 @@ export type AwsSdkFeatures = Partial<{ ACCOUNT_ID_MODE_DISABLED: "Q"; ACCOUNT_ID_MODE_REQUIRED: "R"; SIGV4A_SIGNING: "S"; - RESOLVED_ACCOUNT_ID: "T"; FLEXIBLE_CHECKSUMS_REQ_CRC32: "U"; FLEXIBLE_CHECKSUMS_REQ_CRC32C: "V"; FLEXIBLE_CHECKSUMS_REQ_CRC64: "W"; @@ -32,8 +31,15 @@ export type AwsSdkFeatures = Partial<{ FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED: "b"; FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED: "c"; DDB_MAPPER: "d"; +}> & + AwsSdkCredentialsFeatures; + +/** + * @internal + */ +export type AwsSdkCredentialsFeatures = Partial<{ + RESOLVED_ACCOUNT_ID: "T"; CREDENTIALS_CODE: "e"; - // CREDENTIALS_JVM_SYSTEM_PROPERTIES: "f"; // not applicable. CREDENTIALS_ENV_VARS: "g"; CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN: "h"; CREDENTIALS_STS_ASSUME_ROLE: "i"; diff --git a/packages/types/src/identity/AwsCredentialIdentity.ts b/packages/types/src/identity/AwsCredentialIdentity.ts index 1113d9c37c040..813fd86f1128e 100644 --- a/packages/types/src/identity/AwsCredentialIdentity.ts +++ b/packages/types/src/identity/AwsCredentialIdentity.ts @@ -1 +1,9 @@ +import type { AwsCredentialIdentity } from "@smithy/types"; + +import type { AwsSdkCredentialsFeatures } from "../feature-ids"; + export { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types"; + +export type AttributedAwsCredentialIdentity = AwsCredentialIdentity & { + $source?: AwsSdkCredentialsFeatures; +};
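Review bot: The second feature-ids.ts hunk deletes the placeholder `// CREDENTIALS_JVM_SYSTEM_PROPERTIES: "f"; // not applicable.` while moving the credential ids into `AwsSdkCredentialsFeatures`, so the file no longer records that "f" is taken. The ids appear to share one single-character namespace, so a later addition could reuse "f" and skew attribution. I would keep that comment inside the new type and add a line to its `@internal` block, such as `Feature ids attached to a resolved credential object through $source.` The type body continues past the hunk.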
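Review bot: `AttributedAwsCredentialIdentity` in AwsCredentialIdentity.ts is exported with no doc comment or release tag, while `AwsSdkCredentialsFeatures` in the same commit is marked `@internal`. Because `$source` sits on the same object as the access key and secret, readers should be told that it holds feature-id letters only and never credential material. Suggested comment: `/** @internal Credential identity with optional $source feature attribution; $source holds feature ids only. */`.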