chore(credential-providers): add credential attribution

Author: kuhe

packages/core/src/submodules/client/setFeature.ts

@@ -1,4 +1,9 @@
-import type { AwsHandlerExecutionContext, AwsSdkFeatures } from "@aws-sdk/types";
+import type {
+  AttributedAwsCredentialIdentity,
+  AwsHandlerExecutionContext,
+  AwsSdkCredentialsFeatures,
+  AwsSdkFeatures,
+} from "@aws-sdk/types";
 
 /**
  * @internal
@@ -24,3 +29,20 @@ export function setFeature<F extends keyof AwsSdkFeatures>(
   }
   context.__aws_sdk_context.features![feature] = value;
 }
+
+/**
+ * @internal
+ *
+ * sets feature attribution on the credential object.
+ */
+export function setCredentialFeature<F extends keyof AwsSdkCredentialsFeatures>(
+  credentials: AttributedAwsCredentialIdentity,
+  feature: F,
+  value: AwsSdkCredentialsFeatures[F]
+): AttributedAwsCredentialIdentity {
+  if (!credentials.$source) {
+    credentials.$source = {};
+  }
+  credentials.$source![feature] = value;
+  return credentials;
+}

packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts

@@ -1,3 +1,5 @@
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import { AttributedAwsCredentialIdentity } from "@aws-sdk/types";
 import {
   doesIdentityRequireRefresh,
   isIdentityExpired,
@@ -102,9 +104,11 @@ export interface AwsSdkSigV4AuthResolvedConfig {
 export const resolveAwsSdkSigV4Config = <T>(
   config: T & AwsSdkSigV4AuthInputConfig & AwsSdkSigV4PreviouslyResolved
 ): T & AwsSdkSigV4AuthResolvedConfig => {
+  let isUserSupplied = false;
   // Normalize credentials
   let normalizedCreds: AwsCredentialIdentityProvider | undefined;
   if (config.credentials) {
+    isUserSupplied = true;
     normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
   }
   if (!normalizedCreds) {
@@ -218,7 +222,12 @@ export const resolveAwsSdkSigV4Config = <T>(
     ...config,
     systemClockOffset,
     signingEscapePath,
-    credentials: normalizedCreds!,
+    credentials: isUserSupplied
+      ? async () =>
+          normalizedCreds!().then((creds: AttributedAwsCredentialIdentity) =>
+            setCredentialFeature(creds, "CREDENTIALS_CODE", "e")
+          )
+      : normalizedCreds!,
     signer,
   };
 };

packages/credential-provider-env/src/fromEnv.ts

@@ -1,4 +1,5 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
@@ -48,14 +49,19 @@ export const fromEnv =
     const accountId: string | undefined = process.env[ENV_ACCOUNT_ID];
 
     if (accessKeyId && secretAccessKey) {
-      return {
+      const credentials = {
         accessKeyId,
         secretAccessKey,
         ...(sessionToken && { sessionToken }),
         ...(expiry && { expiration: new Date(expiry) }),
         ...(credentialScope && { credentialScope }),
         ...(accountId && { accountId }),
-      };
+      } as AttributedAwsCredentialIdentity;
+      setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g");
+      if (accountId) {
+        setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T");
+      }
+      return credentials;
     }
 
     throw new CredentialsProviderError("Unable to find environment variable credentials.", { logger: init?.logger });

packages/credential-provider-web-identity/src/fromTokenFile.ts

@@ -1,4 +1,5 @@
-import { CredentialProviderOptions } from "@aws-sdk/types";
+import { setCredentialFeature } from "@aws-sdk/core/client";
+import { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import type { AwsCredentialIdentityProvider } from "@smithy/types";
 import { readFileSync } from "fs";
@@ -40,10 +41,16 @@ export const fromTokenFile =
       });
     }
 
-    return fromWebToken({
+    const credentials: AttributedAwsCredentialIdentity = await fromWebToken({
       ...init,
       webIdentityToken: readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
       roleArn,
       roleSessionName,
     })();
+
+    if (process.env[ENV_TOKEN_FILE]) {
+      setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
+    }
+
+    return credentials;
   };

packages/types/src/feature-ids.ts

@@ -21,7 +21,6 @@ export type AwsSdkFeatures = Partial<{
   ACCOUNT_ID_MODE_DISABLED: "Q";
   ACCOUNT_ID_MODE_REQUIRED: "R";
   SIGV4A_SIGNING: "S";
-  RESOLVED_ACCOUNT_ID: "T";
   FLEXIBLE_CHECKSUMS_REQ_CRC32: "U";
   FLEXIBLE_CHECKSUMS_REQ_CRC32C: "V";
   FLEXIBLE_CHECKSUMS_REQ_CRC64: "W";
@@ -32,8 +31,15 @@ export type AwsSdkFeatures = Partial<{
   FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED: "b";
   FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED: "c";
   DDB_MAPPER: "d";
+}> &
+  AwsSdkCredentialsFeatures;
+
+/**
+ * @internal
+ */
+export type AwsSdkCredentialsFeatures = Partial<{
+  RESOLVED_ACCOUNT_ID: "T";
   CREDENTIALS_CODE: "e";
-  // CREDENTIALS_JVM_SYSTEM_PROPERTIES: "f"; // not applicable.
   CREDENTIALS_ENV_VARS: "g";
   CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN: "h";
   CREDENTIALS_STS_ASSUME_ROLE: "i";

packages/types/src/identity/AwsCredentialIdentity.ts

@@ -1 +1,9 @@
+import type { AwsCredentialIdentity } from "@smithy/types";
+
+import type { AwsSdkCredentialsFeatures } from "../feature-ids";
+
 export { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types";
+
+export type AttributedAwsCredentialIdentity = AwsCredentialIdentity & {
+  $source?: AwsSdkCredentialsFeatures;
+};