Track credential providers via User-Agent Feature ids #3008
Merged
lucix-aws reviewed Feb 13, 2025 (...main/java/software/amazon/smithy/aws/go/codegen/CredentialSourceFeatureTrackerGenerator.java)
wty-Bryant requested changes Feb 17, 2025
lucix-aws approved these changes Feb 20, 2025
wty-Bryant approved these changes Feb 21, 2025
Madrigal added a commit that referenced this pull request Feb 21, 2025
Madrigal added a commit that referenced this pull request Feb 24, 2025
Madrigal added a commit that referenced this pull request Feb 27, 2025
We already have a way to track feature ids via the user agent middleware. This PR adds a way to track which credential provider(s) have been used for getting the credentials on a certain service.
These features have been defined on a SEP, and a single provider can have multiple features depending on how the credentials were resolved.
This is implemented by having the config object track which credential providers have been used, since it's the main point of entry where credentials are being loaded via config.LoadDefaultConfig.
Why not use the existing ProviderName field on aws.Credentials?
Because of 2 reasons
Why not extend the interface of credential provider to add this new method?
Because that would be a breaking change, since any credential provider implemented by a 3rd party would no longer satisfy the interface.
Why do some providers have the credential chain passed on the options struct instead of being part of the main provider?
Mainly due to backwards compatibility. The ones where options are used have a New() method on the package, and this is the main way to create a new provider. Adding a new field would change the signature.
How do we handle credential refresh?
Other SDKs have the concept of credential chain, where a provider is tried, and if it fails, there is a chain of credential providers that gets retried until valid credentials are found. In Go, we resolve credentials when we create the config object, but after that no changes are made to the credentials.
Are there any known gaps?
Main thing is capturing intermediate credentials. We'd like to track the calls made to SSO to see which provider chain has been used. However, SSO doesn't use the aws.Credentials object and instead uses an access token that is set directly into it, so this whole process fails and we don't set any feature on the user agent.
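
A simplified model of the design described above, added here as an illustration and not taken from the PR or the SDK: the provider interface stays unchanged, the config object records which sources were used when credentials are resolved, and the user agent is built from that record. All type and function names, the feature ids and the `cred/` segment format are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Provider stands in for the credential provider interface. It is left
// unchanged, so providers written by third parties still satisfy it.
type Provider interface{ Retrieve() (string, error) }

// staticProvider models a third-party provider that only implements Retrieve.
type staticProvider struct{ key string }

func (p staticProvider) Retrieve() (string, error) { return p.key, nil }

// Config records the sources seen while credentials were resolved.
type Config struct {
	Credentials       Provider
	CredentialSources []string // constructed placeholder ids, not SEP values
}

// resolver returns a provider plus every feature id its resolution touched.
type resolver func() (Provider, []string, error)

// LoadConfig resolves once, at config creation, keeping the sources of the
// first resolver that succeeds. Nothing is updated afterwards.
func LoadConfig(resolvers ...resolver) (Config, error) {
	for _, r := range resolvers {
		if p, src, err := r(); err == nil {
			return Config{Credentials: p, CredentialSources: src}, nil
		}
	}
	return Config{}, errors.New("no credential source resolved")
}

// UserAgent appends the recorded ids as one segment (format is constructed).
func UserAgent(base string, cfg Config) string {
	if len(cfg.CredentialSources) == 0 {
		return base // nothing recorded, so no feature is reported
	}
	return base + " cred/" + strings.Join(cfg.CredentialSources, ",")
}

func main() {
	env := func() (Provider, []string, error) { return nil, nil, errors.New("env not set") }
	profile := func() (Provider, []string, error) { return staticProvider{"AKIDEXAMPLE"}, []string{"PROFILE_X", "ASSUME_ROLE_X"}, nil }
	cfg, _ := LoadConfig(env, profile)
	fmt.Println(UserAgent("example-sdk/1.0", cfg))
}
```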