chore(credential-providers): add credential attribution (#6546)

* chore(credential-providers): add credential attribution

* chore(credential-providers): attribute credential feature sources

* test(credential-provider-node): add credential source assertions

* test: fix unit test

* test(credential-providers): fix unit tests

* chore(core): separate function files

* chore: undo script change

* chore: change Promise.resolve to async fn

Author: kuhe

clients/client-sts/src/defaultStsRoleAssumers.ts

@@ -1,6 +1,7 @@
 // smithy-typescript generated code
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
+import { setCredentialFeature } from "@aws-sdk/core/client";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -118,7 +119,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -127,6 +128,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -174,7 +177,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -183,6 +186,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -1,3 +1,4 @@
+import { setCredentialFeature } from "@aws-sdk/core/client";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -115,7 +116,7 @@ export const getDefaultRoleAssumer = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -124,6 +125,8 @@ export const getDefaultRoleAssumer = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i");
+    return credentials;
   };
 };
 
@@ -171,7 +174,7 @@ export const getDefaultRoleAssumerWithWebIdentity = (
 
     const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser);
 
-    return {
+    const credentials = {
       accessKeyId: Credentials.AccessKeyId,
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
@@ -180,6 +183,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }),
       ...(accountId && { accountId }),
     };
+    if (accountId) {
+      setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+    }
+    setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");
+    return credentials;
   };
 };
 

packages/core/src/submodules/client/index.ts

@@ -1,2 +1,3 @@
 export * from "./emitWarningIfUnsupportedVersion";
+export * from "./setCredentialFeature";
 export * from "./setFeature";

packages/core/src/submodules/client/setCredentialFeature.spec.ts

@@ -0,0 +1,40 @@
+import { AttributedAwsCredentialIdentity } from "@aws-sdk/types";
+
+import { setCredentialFeature } from "./setCredentialFeature";
+
+describe(setCredentialFeature.name, () => {
+  it("should create the data path if it does't exist", () => {
+    const credentials = {
+      accessKeyId: "",
+      secretAccessKey: "",
+    } as AttributedAwsCredentialIdentity;
+    expect(setCredentialFeature(credentials, "CREDENTIALS_CODE", "e")).toEqual({
+      accessKeyId: "",
+      secretAccessKey: "",
+      $source: {
+        CREDENTIALS_CODE: "e",
+      },
+    });
+  });
+
+  it("should track a set of features", () => {
+    const credentials = {
+      accessKeyId: "",
+      secretAccessKey: "",
+    } as AttributedAwsCredentialIdentity;
+
+    setCredentialFeature(credentials, "CREDENTIALS_CODE", "e");
+    setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
+    // it ignores duplicates.
+    setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
+
+    expect(setCredentialFeature(credentials, "CREDENTIALS_CODE", "e")).toEqual({
+      accessKeyId: "",
+      secretAccessKey: "",
+      $source: {
+        CREDENTIALS_CODE: "e",
+        CREDENTIALS_ENV_VARS: "g",
+      },
+    });
+  });
+});

packages/core/src/submodules/client/setCredentialFeature.ts

@@ -0,0 +1,18 @@
+import type { AttributedAwsCredentialIdentity, AwsSdkCredentialsFeatures } from "@aws-sdk/types";
+
+/**
+ * @internal
+ *
+ * @returns the credentials with source feature attribution.
+ */
+export function setCredentialFeature<F extends keyof AwsSdkCredentialsFeatures>(
+  credentials: AttributedAwsCredentialIdentity,
+  feature: F,
+  value: AwsSdkCredentialsFeatures[F]
+): AttributedAwsCredentialIdentity {
+  if (!credentials.$source) {
+    credentials.$source = {};
+  }
+  credentials.$source![feature] = value;
+  return credentials;
+}

packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts

@@ -1,3 +1,5 @@
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import { AttributedAwsCredentialIdentity } from "@aws-sdk/types";
 import {
   doesIdentityRequireRefresh,
   isIdentityExpired,
@@ -102,9 +104,11 @@ export interface AwsSdkSigV4AuthResolvedConfig {
 export const resolveAwsSdkSigV4Config = <T>(
   config: T & AwsSdkSigV4AuthInputConfig & AwsSdkSigV4PreviouslyResolved
 ): T & AwsSdkSigV4AuthResolvedConfig => {
+  let isUserSupplied = false;
   // Normalize credentials
   let normalizedCreds: AwsCredentialIdentityProvider | undefined;
   if (config.credentials) {
+    isUserSupplied = true;
     normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
   }
   if (!normalizedCreds) {
@@ -218,7 +222,12 @@ export const resolveAwsSdkSigV4Config = <T>(
     ...config,
     systemClockOffset,
     signingEscapePath,
-    credentials: normalizedCreds!,
+    credentials: isUserSupplied
+      ? async () =>
+          normalizedCreds!().then((creds: AttributedAwsCredentialIdentity) =>
+            setCredentialFeature(creds, "CREDENTIALS_CODE", "e")
+          )
+      : normalizedCreds!,
     signer,
   };
 };

packages/credential-provider-env/package.json

@@ -24,6 +24,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/property-provider": "^3.1.7",
     "@smithy/types": "^3.5.0",

packages/credential-provider-env/src/fromEnv.spec.ts

@@ -33,6 +33,9 @@ describe(fromEnv.name, () => {
       sessionToken: mockSessionToken,
       expiration: new Date(mockExpiration),
       accountId: mockAccountId,
+      $source: {
+        CREDENTIALS_ENV_VARS: "g",
+      },
     });
   });
 
@@ -44,6 +47,9 @@ describe(fromEnv.name, () => {
     expect(receivedCreds).toStrictEqual({
       accessKeyId: mockAccessKeyId,
       secretAccessKey: mockSecretAccessKey,
+      $source: {
+        CREDENTIALS_ENV_VARS: "g",
+      },
     });
   });
 

packages/credential-provider-env/src/fromEnv.ts

@@ -1,4 +1,5 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
@@ -48,14 +49,16 @@ export const fromEnv =
     const accountId: string | undefined = process.env[ENV_ACCOUNT_ID];
 
     if (accessKeyId && secretAccessKey) {
-      return {
+      const credentials = {
         accessKeyId,
         secretAccessKey,
         ...(sessionToken && { sessionToken }),
         ...(expiry && { expiration: new Date(expiry) }),
         ...(credentialScope && { credentialScope }),
         ...(accountId && { accountId }),
-      };
+      } as AttributedAwsCredentialIdentity;
+      setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
+      return credentials;
     }
 
     throw new CredentialsProviderError("Unable to find environment variable credentials.", { logger: init?.logger });

packages/credential-provider-http/package.json

@@ -26,6 +26,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
+    "@aws-sdk/core": "*",
     "@aws-sdk/types": "*",
     "@smithy/fetch-http-handler": "^3.2.9",
     "@smithy/node-http-handler": "^3.2.4",