chore(credential-providers): attribute credential feature sources

clients/client-sts/src/defaultStsRoleAssumers.ts

@@ -1,6 +1,7 @@
 // smithy-typescript generated code
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -118,7 +119,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -127,6 +128,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -174,7 +177,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -183,6 +186,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -115,7 +116,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -124,6 +125,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -171,7 +174,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -180,6 +183,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

packages/core/src/submodules/client/setFeature.ts

@@ -33,7 +33,7 @@ export function setFeature<F extends keyof AwsSdkFeatures>(
 /**
  * @internal
  *
- * sets feature attribution on the credential object.
+ * @returns the credentials with source feature attribution.
  */
 export function setCredentialFeature<F extends keyof AwsSdkCredentialsFeatures>(
   credentials: AttributedAwsCredentialIdentity,

packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts

@@ -1,4 +1,4 @@
-import { setCredentialFeature } from "@aws-sdk/core/client";
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AttributedAwsCredentialIdentity } from "@aws-sdk/types";
 import {
   doesIdentityRequireRefresh,

packages/credential-provider-env/package.json

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/property-provider": "^3.1.7",
     "@smithy/types": "^3.5.0",

packages/credential-provider-env/src/fromEnv.ts

@@ -1,4 +1,4 @@
-import { setCredentialFeature } from "@aws-sdk/core/client";
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
@@ -58,9 +58,6 @@ export const fromEnv =
         ...(accountId && { accountId }),
       } as AttributedAwsCredentialIdentity;
       setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
-      if (accountId) {
-        setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
-      }
       return credentials;
     }
 

packages/credential-provider-http/package.json

@@ -26,6 +26,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/fetch-http-handler": "^3.2.9",
     "@smithy/node-http-handler": "^3.2.4",

packages/credential-provider-http/src/fromHttp/fromHttp.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { NodeHttpHandler } from "@smithy/node-http-handler";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types";
@@ -81,7 +82,7 @@ Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
       }
       try {
         const result = await requestHandler.handle(request);
-        return getCredentials(result.response);
+        return getCredentials(result.response).then((creds) => setCredentialFeature(creds, "CREDENTIALS_HTTP", "z"));
       } catch (e: unknown) {
         throw new CredentialsProviderError(String(e), { logger: options.logger });
       }

packages/credential-provider-ini/package.json

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/credential-provider-env": "*",
     "@aws-sdk/credential-provider-http": "*",
     "@aws-sdk/credential-provider-process": "*",

packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { getProfileName } from "@smithy/shared-ini-file-loader";
 import { AwsCredentialIdentity, IniSection, Logger, ParsedIniData, Profile } from "@smithy/types";
@@ -159,7 +160,7 @@ export const resolveAssumeRoleCredentials = async (
      * can use its role_arn instead of redundantly needing another role_arn at
      * this final layer.
      */
-    return sourceCredsProvider;
+    return sourceCredsProvider.then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
   } else {
     const params: AssumeRoleParams = {
       RoleArn: data.role_arn!,
@@ -181,7 +182,9 @@ export const resolveAssumeRoleCredentials = async (
     }
 
     const sourceCreds = await sourceCredsProvider;
-    return options.roleAssumer!(sourceCreds, params);
+    return options.roleAssumer!(sourceCreds, params).then((creds) =>
+      setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o")
+    );
   }
 };
 

packages/credential-provider-ini/src/resolveCredentialSource.ts

@@ -1,4 +1,5 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core";
+import type { AwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { chain, CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider, Logger } from "@smithy/types";
 
@@ -21,17 +22,17 @@ export const resolveCredentialSource = (
       const { fromHttp } = await import("@aws-sdk/credential-provider-http");
       const { fromContainerMetadata } = await import("@smithy/credential-provider-imds");
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is EcsContainer");
-      return chain(fromHttp(options ?? {}), fromContainerMetadata(options));
+      return async () => chain(fromHttp(options ?? {}), fromContainerMetadata(options))().then(setNamedProvider);
     },
     Ec2InstanceMetadata: async (options?: CredentialProviderOptions) => {
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Ec2InstanceMetadata");
       const { fromInstanceMetadata } = await import("@smithy/credential-provider-imds");
-      return fromInstanceMetadata(options);
+      return async () => fromInstanceMetadata(options)().then(setNamedProvider);
     },
     Environment: async (options?: CredentialProviderOptions) => {
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Environment");
       const { fromEnv } = await import("@aws-sdk/credential-provider-env");
-      return fromEnv(options);
+      return async () => fromEnv(options)().then(setNamedProvider);
     },
   };
   if (credentialSource in sourceProvidersMap) {
@@ -44,3 +45,6 @@ export const resolveCredentialSource = (
     );
   }
 };
+
+const setNamedProvider = (creds: AwsCredentialIdentity) =>
+  setCredentialFeature(creds, "CREDENTIALS_PROFILE_NAMED_PROVIDER", "p");

packages/credential-provider-ini/src/resolveProcessCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { Credentials, Profile } from "@aws-sdk/types";
 
 import { FromIniInit } from "./fromIni";
@@ -23,5 +24,5 @@ export const resolveProcessCredentials = async (options: FromIniInit, profile: s
     fromProcess({
       ...options,
       profile,
-    })()
+    })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_PROCESS", "v"))
   );

packages/credential-provider-ini/src/resolveProfileData.ts

@@ -59,7 +59,7 @@ export const resolveProfileData = async (
   }
 
   if (isSsoProfile(data)) {
-    return await resolveSsoCredentials(profileName, options);
+    return await resolveSsoCredentials(profileName, data, options);
   }
 
   // If the profile cannot be parsed or contains neither static credentials

packages/credential-provider-ini/src/resolveSsoCredentials.ts

@@ -1,16 +1,27 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { SsoProfile } from "@aws-sdk/credential-provider-sso";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
-import type { Profile } from "@smithy/types";
+import type { IniSection, Profile } from "@smithy/types";
 
 /**
  * @internal
  */
-export const resolveSsoCredentials = async (profile: string, options: CredentialProviderOptions = {}) => {
+export const resolveSsoCredentials = async (
+  profile: string,
+  profileData: IniSection,
+  options: CredentialProviderOptions = {}
+) => {
   const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
   return fromSSO({
     profile,
     logger: options.logger,
-  })();
+  })().then((creds) => {
+    if (profileData.sso_session) {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r");
+    } else {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO_LEGACY", "t");
+    }
+  });
 };
 
 /**

packages/credential-provider-ini/src/resolveStaticCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AwsCredentialIdentity, Profile } from "@smithy/types";
 
 import { FromIniInit } from "./fromIni";
@@ -32,11 +33,14 @@ export const resolveStaticCredentials = (
   options?: FromIniInit
 ): Promise<AwsCredentialIdentity> => {
   options?.logger?.debug("@aws-sdk/credential-provider-ini - resolveStaticCredentials");
-  return Promise.resolve({
+
+  const credentials = {
     accessKeyId: profile.aws_access_key_id,
     secretAccessKey: profile.aws_secret_access_key,
     sessionToken: profile.aws_session_token,
     ...(profile.aws_credential_scope && { credentialScope: profile.aws_credential_scope }),
     ...(profile.aws_account_id && { accountId: profile.aws_account_id }),
-  });
+  };
+
+  return Promise.resolve(setCredentialFeature(credentials, "CREDENTIALS_PROFILE", "n"));
 };

packages/credential-provider-ini/src/resolveWebIdentityCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AwsCredentialIdentity, Profile } from "@smithy/types";
 
 import { FromIniInit } from "./fromIni";
@@ -36,5 +37,5 @@ export const resolveWebIdentityCredentials = async (
       roleAssumerWithWebIdentity: options.roleAssumerWithWebIdentity,
       logger: options.logger,
       parentClientConfig: options.parentClientConfig,
-    })()
+    })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN", "q"))
   );

packages/credential-provider-process/package.json

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/property-provider": "^3.1.7",
     "@smithy/shared-ini-file-loader": "^3.1.8",

packages/credential-provider-process/src/getValidatedProcessCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AwsCredentialIdentity, ParsedIniData } from "@smithy/types";
 
 import { ProcessCredentials } from "./ProcessCredentials";
@@ -31,12 +32,16 @@ export const getValidatedProcessCredentials = (
     accountId = profiles[profileName].aws_account_id;
   }
 
-  return {
+  const credentials = {
     accessKeyId: data.AccessKeyId,
     secretAccessKey: data.SecretAccessKey,
     ...(data.SessionToken && { sessionToken: data.SessionToken }),
     ...(data.Expiration && { expiration: new Date(data.Expiration) }),
     ...(data.CredentialScope && { credentialScope: data.CredentialScope }),
     ...(accountId && { accountId }),
   };
+
+  setCredentialFeature(credentials, "CREDENTIALS_PROCESS", "w");
+
+  return credentials;
 };

packages/credential-provider-sso/package.json

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/client-sso": "*",
     "@aws-sdk/token-providers": "*",
     "@aws-sdk/types": "*",

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { getSSOTokenFromFile, SSOToken } from "@smithy/shared-ini-file-loader";
@@ -103,12 +104,20 @@ export const resolveSSOCredentials = async ({
     });
   }
 
-  return {
+  const credentials = {
     accessKeyId,
     secretAccessKey,
     sessionToken,
     expiration: new Date(expiration),
     ...(credentialScope && { credentialScope }),
     ...(accountId && { accountId }),
   };
+
+  if (ssoSession) {
+    setCredentialFeature(credentials, "CREDENTIALS_SSO", "s");
+  } else {
+    setCredentialFeature(credentials, "CREDENTIALS_SSO_LEGACY", "u");
+  }
+
+  return credentials;
 };

packages/credential-provider-web-identity/package.json

@@ -32,6 +32,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/property-provider": "^3.1.7",
     "@smithy/types": "^3.5.0",

packages/credential-provider-web-identity/src/fromTokenFile.ts

@@ -1,4 +1,4 @@
-import { setCredentialFeature } from "@aws-sdk/core/client";
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import type { AwsCredentialIdentityProvider } from "@smithy/types";
@@ -48,7 +48,7 @@ export const fromTokenFile =
       roleSessionName,
     })();
 
-    if (process.env[ENV_TOKEN_FILE]) {
+    if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
       setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
     }