aws · kuhe · Oct 8, 2024 · Oct 4, 2024 · Oct 7, 2024 · Oct 7, 2024
@@ -1,6 +1,7 @@
 // smithy-typescript generated code
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -118,7 +119,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -127,6 +128,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -174,7 +177,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -183,6 +186,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -115,7 +116,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -124,6 +125,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -171,7 +174,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -180,6 +183,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

diff --git a/packages/core/src/submodules/client/setFeature.ts b/packages/core/src/submodules/client/setFeature.ts
@@ -1,4 +1,9 @@
-import type { AwsHandlerExecutionContext, AwsSdkFeatures } from "@aws-sdk/types";
+import type {
+  AttributedAwsCredentialIdentity,
+  AwsHandlerExecutionContext,
+  AwsSdkCredentialsFeatures,
+  AwsSdkFeatures,
+} from "@aws-sdk/types";
 
 /**
  * @internal
@@ -24,3 +29,20 @@ export function setFeature<F extends keyof AwsSdkFeatures>(
   }
   context.__aws_sdk_context.features![feature] = value;
 }
+
+/**
+ * @internal
+ *
+ * @returns the credentials with source feature attribution.
+ */
+export function setCredentialFeature<F extends keyof AwsSdkCredentialsFeatures>(
+  credentials: AttributedAwsCredentialIdentity,
+  feature: F,
+  value: AwsSdkCredentialsFeatures[F]
+): AttributedAwsCredentialIdentity {
+  if (!credentials.$source) {
+    credentials.$source = {};
+  }
+  credentials.$source![feature] = value;
+  return credentials;
+}
@@ -1,3 +1,5 @@
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import { AttributedAwsCredentialIdentity } from "@aws-sdk/types";
 import {
   doesIdentityRequireRefresh,
   isIdentityExpired,
@@ -102,9 +104,11 @@ export interface AwsSdkSigV4AuthResolvedConfig {
 export const resolveAwsSdkSigV4Config = <T>(
   config: T & AwsSdkSigV4AuthInputConfig & AwsSdkSigV4PreviouslyResolved
 ): T & AwsSdkSigV4AuthResolvedConfig => {
+  let isUserSupplied = false;
   // Normalize credentials
   let normalizedCreds: AwsCredentialIdentityProvider | undefined;
   if (config.credentials) {
+    isUserSupplied = true;
     normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
   }
   if (!normalizedCreds) {
@@ -218,7 +222,12 @@ export const resolveAwsSdkSigV4Config = <T>(
     ...config,
     systemClockOffset,
     signingEscapePath,
-    credentials: normalizedCreds!,
+    credentials: isUserSupplied
+      ? async () =>
+          normalizedCreds!().then((creds: AttributedAwsCredentialIdentity) =>
+            setCredentialFeature(creds, "CREDENTIALS_CODE", "e")
+          )
+      : normalizedCreds!,
     signer,
   };
 };

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/property-provider": "^3.1.7",
     "@smithy/types": "^3.5.0",

@@ -1,4 +1,5 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core";
+import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
@@ -48,14 +49,16 @@ export const fromEnv =
     const accountId: string | undefined = process.env[ENV_ACCOUNT_ID];
 
     if (accessKeyId && secretAccessKey) {
-      return {
+      const credentials = {
         accessKeyId,
         secretAccessKey,
         ...(sessionToken && { sessionToken }),
         ...(expiry && { expiration: new Date(expiry) }),
         ...(credentialScope && { credentialScope }),
         ...(accountId && { accountId }),
-      };
+      } as AttributedAwsCredentialIdentity;
+      setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
+      return credentials;
     }
 
     throw new CredentialsProviderError("Unable to find environment variable credentials.", { logger: init?.logger });

@@ -26,6 +26,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/fetch-http-handler": "^3.2.9",
     "@smithy/node-http-handler": "^3.2.4",

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { NodeHttpHandler } from "@smithy/node-http-handler";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types";
@@ -81,7 +82,7 @@ Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
       }
       try {
         const result = await requestHandler.handle(request);
-        return getCredentials(result.response);
+        return getCredentials(result.response).then((creds) => setCredentialFeature(creds, "CREDENTIALS_HTTP", "z"));
       } catch (e: unknown) {
         throw new CredentialsProviderError(String(e), { logger: options.logger });
       }

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/credential-provider-env": "*",
     "@aws-sdk/credential-provider-http": "*",
     "@aws-sdk/credential-provider-process": "*",

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { getProfileName } from "@smithy/shared-ini-file-loader";
 import { AwsCredentialIdentity, IniSection, Logger, ParsedIniData, Profile } from "@smithy/types";
@@ -159,7 +160,7 @@ export const resolveAssumeRoleCredentials = async (
      * can use its role_arn instead of redundantly needing another role_arn at
      * this final layer.
      */
-    return sourceCredsProvider;
+    return sourceCredsProvider.then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
   } else {
     const params: AssumeRoleParams = {
       RoleArn: data.role_arn!,
@@ -181,7 +182,9 @@ export const resolveAssumeRoleCredentials = async (
     }
 
     const sourceCreds = await sourceCredsProvider;
-    return options.roleAssumer!(sourceCreds, params);
+    return options.roleAssumer!(sourceCreds, params).then((creds) =>
+      setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o")
+    );
   }
 };
 

@@ -1,4 +1,5 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core";
+import type { AwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { chain, CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider, Logger } from "@smithy/types";
 
@@ -21,17 +22,17 @@ export const resolveCredentialSource = (
       const { fromHttp } = await import("@aws-sdk/credential-provider-http");
       const { fromContainerMetadata } = await import("@smithy/credential-provider-imds");
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is EcsContainer");
-      return chain(fromHttp(options ?? {}), fromContainerMetadata(options));
+      return async () => chain(fromHttp(options ?? {}), fromContainerMetadata(options))().then(setNamedProvider);
     },
     Ec2InstanceMetadata: async (options?: CredentialProviderOptions) => {
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Ec2InstanceMetadata");
       const { fromInstanceMetadata } = await import("@smithy/credential-provider-imds");
-      return fromInstanceMetadata(options);
+      return async () => fromInstanceMetadata(options)().then(setNamedProvider);
     },
     Environment: async (options?: CredentialProviderOptions) => {
       logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Environment");
       const { fromEnv } = await import("@aws-sdk/credential-provider-env");
-      return fromEnv(options);
+      return async () => fromEnv(options)().then(setNamedProvider);
     },
   };
   if (credentialSource in sourceProvidersMap) {
@@ -44,3 +45,6 @@ export const resolveCredentialSource = (
     );
   }
 };
+
+const setNamedProvider = (creds: AwsCredentialIdentity) =>
+  setCredentialFeature(creds, "CREDENTIALS_PROFILE_NAMED_PROVIDER", "p");
@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { Credentials, Profile } from "@aws-sdk/types";
 
 import { FromIniInit } from "./fromIni";
@@ -23,5 +24,5 @@ export const resolveProcessCredentials = async (options: FromIniInit, profile: s
     fromProcess({
       ...options,
       profile,
-    })()
+    })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_PROCESS", "v"))
   );
@@ -59,7 +59,7 @@ export const resolveProfileData = async (
   }
 
   if (isSsoProfile(data)) {
-    return await resolveSsoCredentials(profileName, options);
+    return await resolveSsoCredentials(profileName, data, options);
   }
 
   // If the profile cannot be parsed or contains neither static credentials

@@ -1,16 +1,27 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import type { SsoProfile } from "@aws-sdk/credential-provider-sso";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
-import type { Profile } from "@smithy/types";
+import type { IniSection, Profile } from "@smithy/types";
 
 /**
  * @internal
  */
-export const resolveSsoCredentials = async (profile: string, options: CredentialProviderOptions = {}) => {
+export const resolveSsoCredentials = async (
+  profile: string,
+  profileData: IniSection,
+  options: CredentialProviderOptions = {}
+) => {
   const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
   return fromSSO({
     profile,
     logger: options.logger,
-  })();
+  })().then((creds) => {
+    if (profileData.sso_session) {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r");
+    } else {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO_LEGACY", "t");
+    }
+  });
 };
 
 /**

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AwsCredentialIdentity, Profile } from "@smithy/types";
 
 import { FromIniInit } from "./fromIni";
@@ -32,11 +33,14 @@ export const resolveStaticCredentials = (
   options?: FromIniInit
 ): Promise<AwsCredentialIdentity> => {
   options?.logger?.debug("@aws-sdk/credential-provider-ini - resolveStaticCredentials");
-  return Promise.resolve({
+
+  const credentials = {
     accessKeyId: profile.aws_access_key_id,
     secretAccessKey: profile.aws_secret_access_key,
     sessionToken: profile.aws_session_token,
     ...(profile.aws_credential_scope && { credentialScope: profile.aws_credential_scope }),
     ...(profile.aws_account_id && { accountId: profile.aws_account_id }),
-  });
+  };
+
+  return Promise.resolve(setCredentialFeature(credentials, "CREDENTIALS_PROFILE", "n"));
 };
@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core";
 import { AwsCredentialIdentity, Profile } from "@smithy/types";
 
 import { FromIniInit } from "./fromIni";
@@ -36,5 +37,5 @@ export const resolveWebIdentityCredentials = async (
       roleAssumerWithWebIdentity: options.roleAssumerWithWebIdentity,
       logger: options.logger,
       parentClientConfig: options.parentClientConfig,
-    })()
+    })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN", "q"))
   );