@S-Saranya1 S-Saranya1 commented Sep 16, 2025

Adds business metric tracking for credentials

Motivation and Context

Keeping track of how users are providing credentials to SDKs and which credentials providers are being used.

Modifications

This PR adds business metrics support for these credential providers:

CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
CREDENTIALS_PROFILE("n") - ProfileCredentialsProvider
CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_PROCESS("v") - ProfileCredentialsProvider + ProcessCredentialsProvider

Key Technical Changes

  1. Source Propagation: Introduces source parameter on credential provider builders to track credential provider chains

    • Example: Profile AssumeRole with environment variables → User-Agent contains m/n,g,i (profile + env vars + assume role)
  2. Provider Name Updates: Changes existing providerName() methods to return business metric codes instead of full class names

  3. Chain Tracking: Supports credential scenarios like:

    • Profile with credential_source = Ec2InstanceMetadata
    • Fallback chains when primary providers fail

Example User-Agent Output

  • Simple environment variables: m/g
  • Profile AssumeRole chain: m/n,o,i
  • Failed AssumeRole fallback: m/g (only successful provider shown)

Testing

  • Added unit tests for profile-based STS credential scenarios including AssumeRole with source_profile, credential_source configurations, and failure fallback scenarios.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license
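
A decoder for the credential codes described above, as an added example that is not part of the pull request or the SDK. It assumes the metrics segment is a single whitespace-delimited `m/<code>,<code>,...` token; the function names and sample User-Agent values are constructed, and any code not listed in the description is reported as unknown.

```python
import re
from collections import Counter

# Codes as listed in the PR description; "g" comes from its "m/g" example.
CREDENTIAL_FEATURE_IDS = {
    "g": "environment variables",
    "i": "CREDENTIALS_STS_ASSUME_ROLE",
    "j": "CREDENTIALS_STS_ASSUME_ROLE_SAML",
    "k": "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID",
    "l": "CREDENTIALS_STS_FEDERATION_TOKEN",
    "m": "CREDENTIALS_STS_SESSION_TOKEN",
    "n": "CREDENTIALS_PROFILE",
    "o": "CREDENTIALS_PROFILE_SOURCE_PROFILE",
    "p": "CREDENTIALS_PROFILE_NAMED_PROVIDER",
    "q": "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN",
    "r": "CREDENTIALS_PROFILE_SSO",
    "s": "CREDENTIALS_SSO",
    "t": "CREDENTIALS_PROFILE_SSO_LEGACY",
    "v": "CREDENTIALS_PROFILE_PROCESS",
}

# Assumption: the segment is one whitespace-delimited token "m/<code>,<code>,..."
_METRICS_TOKEN = re.compile(r"(?:^|\s)m/(\S+)")

def credential_chain(user_agent):
    """Return [(code, name)] for the m/ segment, in the order it lists them."""
    match = _METRICS_TOKEN.search(user_agent)
    if match is None:
        return []
    codes = [code for code in match.group(1).split(",") if code]
    return [(code, CREDENTIAL_FEATURE_IDS.get(code, "unknown")) for code in codes]

def summarize(user_agents):
    """Count how often each chain of known credential codes appears."""
    counts = Counter()
    for user_agent in user_agents:
        known = [code for code, name in credential_chain(user_agent) if name != "unknown"]
        counts[",".join(known) or "none"] += 1
    return counts

# Constructed sample values; only the m/ segments follow the PR description.
SAMPLE_USER_AGENTS = [
    "example-sdk/0.0 os/linux m/n,o,i",
    "example-sdk/0.0 os/linux m/g",
    "example-sdk/0.0 os/linux m/g",
    "example-sdk/0.0 os/linux",
]
```

Run over the User-Agent field of request logs, `summarize` shows which credential chains clients actually use and how many requests carry no credential code at all.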

@S-Saranya1 S-Saranya1 force-pushed the somepal/Credentials-featureID-implementation branch from 077e209 to 685e7ac Compare September 16, 2025 18:26
@S-Saranya1 S-Saranya1 marked this pull request as ready for review September 16, 2025 18:28
@S-Saranya1 S-Saranya1 requested a review from a team as a code owner September 16, 2025 18:28
@S-Saranya1 S-Saranya1 changed the title from "Somepal/credentials feature id implementation" to "Feature IDs implementation for STS credentials" Sep 16, 2025
@S-Saranya1 S-Saranya1 changed the title from "Feature IDs implementation for STS credentials" to "Add business metrics support for STS and Profile credential providers" Sep 16, 2025

Quality Gate failed

Failed conditions
65.2% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

.build();
}

/**
* Create the SSO credentials provider based on the related profile properties.
*/
private AwsCredentialsProvider ssoProfileCredentialsProvider() {
validateRequiredPropertiesForSsoCredentialsProvider();
boolean isLegacy = validateRequiredPropertiesForSsoCredentialsProvider();
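
Review bot: In ssoProfileCredentialsProvider(), validateRequiredPropertiesForSsoCredentialsProvider() runs twice on consecutive lines: once as a bare statement and again in `boolean isLegacy = validateRequiredPropertiesForSsoCredentialsProvider();`. Drop the bare call so validation happens once. A method named validate... that also returns an isLegacy flag is doing two jobs; consider a separate helper for the legacy check, or document the return value in its Javadoc.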

Don't we throw an exception if it's invalid in validateRequiredPropertiesForSsoCredentialsProvider?

* previous credentials providers that are chained with this one.
* @return The credentials provider with permissions derived from the source credentials provider and profile.
*/
AwsCredentialsProvider create(AwsCredentialsProvider sourceCredentialsProvider, Profile profile, String source);

Can we create a wrapper object for those parameters? I'm trying to avoid the situation where we need to add a fourth parameter in the future and have to create another constructor.

Something like

AwsCredentialsProvider create(XXX input) //naming to be determined

Also, we should throw UnsupportedOperationException here; otherwise it may break customers

Comment on lines +126 to +128
if (!StringUtils.isEmpty(this.source)) {
providerName = String.format("%s,%s", this.source, providerName);
}
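
Review bot: `this.source` is joined into providerName with no check on its content at `String.format("%s,%s", this.source, providerName)`. The description says this value ends up in the User-Agent metrics segment (m/n,o,i) and that source is set through the credential provider builders, so validate it once where it is set: accept only comma-separated feature ID codes and reject anything else, so arbitrary caller text cannot reach the header or skew the metric.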

nit: can we move this logic to the ctor so that we just compute this once and not every time? Also, can we use plain string concatenation since String.format is a bit expensive? String.format is okay for exception messages/logging statements because the impact is minimal (doesn't affect every request), but it seems unnecessary here.

Same for other places

@@ -48,6 +49,10 @@ public AssumeRoleWithWebIdentityRequest get() {
return request.toBuilder().webIdentityToken(getToken(webIdentityTokenFile)).build();
}

public String source() {
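
Review bot: `public String source()` is added to this class with no Javadoc in the hunk. As a new public accessor it should state what the string holds and whether it can be null or empty, so callers know how to treat a missing value.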

If it's nullable, we should use Optional<String>

@@ -145,6 +155,15 @@ public Builder refreshRequest(Consumer<AssumeRoleRequest.Builder> assumeRoleRequ
return refreshRequest(AssumeRoleRequest.builder().applyMutation(assumeRoleRequest).build());
}

/**
* An optional string list of {@link BusinessMetricFeatureId} denoting previous credentials providers

BusinessMetricFeatureId is a protected API and it's not intended for users to use directly. Can we update the javadoc to mention this method is primarily intended for use by AWS SDK internal components?

Same for other places

Comment on lines +137 to 147
AwsCredentials awsCredentials = credentialsProvider.resolveCredentials();
if (awsCredentials instanceof AwsSessionCredentials) {
AwsSessionCredentials sessionCredentials = (AwsSessionCredentials) awsCredentials;
Optional<String> providerName = awsCredentials.providerName();
if (providerName.isPresent()) {
return sessionCredentials.copy(s -> s.providerName(providerName.get() + "," + PROVIDER_NAME));
}
return sessionCredentials;
}
return awsCredentials;
}
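
Review bot: PROVIDER_NAME is appended only when the resolved credentials are AwsSessionCredentials and already carry a providerName. The other two paths (`return sessionCredentials;` and `return awsCredentials;`) hand the credentials back without PROVIDER_NAME, so this provider drops out of the reported chain in those cases. If that is intended, say so in a comment; otherwise set PROVIDER_NAME on the absent-name path as well and add a test for each path.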

Question: is there any reason we have special handling for this class? It seems for other providers, we just update the providerName method to include source

assertThat(userAgent).doesNotContain("o");
assertThat(userAgent).doesNotContain("n");

} catch (Exception e) {
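
Review bot: `assertThat(userAgent).doesNotContain("o")` and `doesNotContain("n")` match those letters anywhere in userAgent, not only in the metrics segment. If userAgent holds the full header value, any other token containing "o" or "n" fails the assertion for an unrelated reason. Extract the m/ segment, split it on commas, and assert on the resulting list of codes instead.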

We probably should not silently swallow exceptions. Same for other places
