feat: Add comprehensive credential provider tracking to User-Agent

Implement User-Agent 2.1 business metrics for credential provider tracking across the AWS SDK for C++.

Key Changes:
- Add CredentialsResolutionContext class to track credential features during resolution
- Add new UserAgentFeature enums for credential providers (ENV_VARS='g', SSO='s', STS_ASSUME_ROLE='i')
- Update AWSAuthV4Signer to collect and inject credential tracking into User-Agent headers
- Embed CredentialsResolutionContext directly in AWSCredentials for seamless tracking
- Add comprehensive unit tests for credential tracking functionality

Supported Credential Providers:
- Environment variables (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY)

The implementation returns context as part of credentials rather than requiring API changes. Credential features are automatically tracked during resolution and injected into User-Agent strings during request signing.

Resolves credential provider tracking requirements for User-Agent 2.1 business metrics specification.

Author: kai-ion

src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h

@@ -38,33 +38,8 @@ namespace Aws
             return m_features;
           }
 
-          /**
-           * Set the user agent for this context
-           */
-          void SetUserAgent(const std::shared_ptr<Aws::Client::UserAgent>& userAgent)
-          {
-            m_userAgent = userAgent;
-          }
-
-          /**
-           * Get the user agent associated with this context
-           */
-          const std::shared_ptr<Aws::Client::UserAgent>& GetUserAgent() const
-          {
-            return m_userAgent;
-          }
-
-          /**
-           * Check if this context has a custom user agent
-           */
-          bool HasCustomUserAgent() const
-          {
-            return m_userAgent && m_userAgent->HasOverrideUserAgent();
-          }
-
         private:
           Aws::Set<Aws::Client::UserAgentFeature> m_features;
-          std::shared_ptr<Aws::Client::UserAgent> m_userAgent;
         };
 
         /**

src/aws-cpp-sdk-core/include/aws/core/auth/signer/AWSAuthV4Signer.h

@@ -36,6 +36,7 @@ namespace Aws
     {
         class AWSCredentials;
         class AWSCredentialsProvider;
+        class CredentialsResolutionContext;
 
         enum class AWSSigningAlgorithm
         {
@@ -191,6 +192,7 @@ namespace Aws
 
         protected:
             virtual bool ServiceRequireUnsignedPayload(const Aws::String& serviceName) const;
+            void UpdateUserAgentWithCredentialFeatures(Aws::Http::HttpRequest& request, const Aws::Auth::CredentialsResolutionContext& context) const;
             bool m_includeSha256HashHeader;
 
         private:

src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h

@@ -32,10 +32,12 @@ enum class UserAgentFeature {
   ACCOUNT_ID_MODE_REQUIRED,
   RESOLVED_ACCOUNT_ID,
   GZIP_REQUEST_COMPRESSION,
+  CREDENTIALS_ENV_VARS,
 };
 
 class AWS_CORE_API UserAgent {
  public:
+  static Aws::String BusinessMetricForFeature(UserAgentFeature feature);
   explicit UserAgent(const ClientConfiguration& clientConfiguration, const Aws::String& retryStrategyName, const Aws::String& apiName);
   Aws::String SerializeWithFeatures(const Aws::Set<UserAgentFeature>& features) const;
 

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp

@@ -18,6 +18,7 @@
 #include <aws/core/client/AWSError.h>
 #include <aws/core/utils/StringUtils.h>
 #include <aws/core/utils/xml/XmlSerializer.h>
+#include <aws/core/client/UserAgent.h>
 #include <cstdlib>
 #include <fstream>
 #include <string.h>
@@ -103,6 +104,10 @@ AWSCredentials EnvironmentAWSCredentialsProvider::GetAWSCredentials()
         }
     }
 
+    if (!credentials.IsEmpty()) {
+      credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_ENV_VARS);
+    }
+
     return credentials;
 }
 

src/aws-cpp-sdk-core/source/auth/signer/AWSAuthV4Signer.cpp

@@ -612,11 +612,6 @@ void AWSAuthV4Signer::UpdateUserAgentWithCredentialFeatures(Aws::Http::HttpReque
         return;
     }
 
-    if (context.HasCustomUserAgent()) {
-        AWS_LOGSTREAM_DEBUG(v4LogTag, "Custom User-Agent detected, skipping credential feature update");
-        return;
-    }
-
     const auto features = context.GetUserAgentFeatures();
     if (features.empty()) {
         AWS_LOGSTREAM_DEBUG(v4LogTag, "No credential features to add to User-Agent");

src/aws-cpp-sdk-core/source/client/UserAgent.cpp

@@ -42,19 +42,9 @@ const std::pair<UserAgentFeature, const char*> BUSINESS_METRIC_MAPPING[] = {
     {UserAgentFeature::ACCOUNT_ID_MODE_REQUIRED, "R"},
     {UserAgentFeature::RESOLVED_ACCOUNT_ID, "T"},
     {UserAgentFeature::GZIP_REQUEST_COMPRESSION, "L"},
+    {UserAgentFeature::CREDENTIALS_ENV_VARS, "g"},
 };
 
-Aws::String BusinessMetricForFeature(UserAgentFeature feature) {
-  const auto* const metric =
-      std::find_if(std::begin(BUSINESS_METRIC_MAPPING), std::end(BUSINESS_METRIC_MAPPING),
-                   [feature](const std::pair<UserAgentFeature, const char*>& pair) -> bool { return pair.first == feature; });
-  if (metric == std::end(BUSINESS_METRIC_MAPPING)) {
-    AWS_LOGSTREAM_ERROR(LOG_TAG, "business metric mapping not found for feature");
-    return {};
-  }
-  return metric->second;
-}
-
 const std::pair<const char*, UserAgentFeature> RETRY_FEATURE_MAPPING[] = {
     {"default", UserAgentFeature::RETRY_MODE_LEGACY},
     {"standard", UserAgentFeature::RETRY_MODE_STANDARD},
@@ -96,6 +86,17 @@ const char* APP_ID = "app";
 const char* BUSINESS_METRICS = "m";
 }  // namespace
 
+Aws::String UserAgent::BusinessMetricForFeature(UserAgentFeature feature) {
+  const auto* const metric =
+      std::find_if(std::begin(BUSINESS_METRIC_MAPPING), std::end(BUSINESS_METRIC_MAPPING),
+                   [feature](const std::pair<UserAgentFeature, const char*>& pair) -> bool { return pair.first == feature; });
+  if (metric == std::end(BUSINESS_METRIC_MAPPING)) {
+    AWS_LOGSTREAM_ERROR(LOG_TAG, "business metric mapping not found for feature");
+    return {};
+  }
+  return metric->second;
+}
+
 UserAgent::UserAgent(const ClientConfiguration& clientConfiguration,
   const Aws::String& retryStrategyName,
   const Aws::String& apiName)

tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp

@@ -0,0 +1,129 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#include <aws/testing/AwsCppSdkGTestSuite.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/testing/mocks/aws/client/MockAWSClient.h>
+#include <aws/testing/mocks/http/MockHttpClient.h>
+#include <aws/testing/platform/PlatformTesting.h>
+#include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/auth/AWSCredentialsProviderChain.h>
+#include <aws/core/client/AWSClient.h>
+#include <aws/core/utils/StringUtils.h>
+
+using namespace Aws::Client;
+using namespace Aws::Auth;
+using namespace Aws::Http;
+
+static const char ALLOCATION_TAG[] = "CredentialTrackingTest";
+
+// Custom client that uses default credential provider for testing
+class CredentialTestingClient : public Aws::Client::AWSClient
+{
+public:
+    explicit CredentialTestingClient(const Aws::Client::ClientConfiguration& configuration)
+        : AWSClient(configuration,
+                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(ALLOCATION_TAG,
+                       Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG),
+                       "service", configuration.region),
+                   Aws::MakeShared<MockAWSErrorMarshaller>(ALLOCATION_TAG))
+    {
+    }
+
+    Aws::Client::HttpResponseOutcome MakeRequest(const Aws::AmazonWebServiceRequest& request)
+    {
+        auto uri = Aws::Http::URI("https://test.com");
+        return AWSClient::AttemptExhaustively(uri, request, Aws::Http::HttpMethod::HTTP_POST, Aws::Auth::SIGV4_SIGNER);
+    }
+
+    const char* GetServiceClientName() const override { return "CredentialTestingClient"; }
+
+protected:
+    Aws::Client::AWSError<Aws::Client::CoreErrors> BuildAWSError(const std::shared_ptr<Aws::Http::HttpResponse>& response) const override
+    {
+        AWS_UNREFERENCED_PARAM(response);
+        return Aws::Client::AWSError<Aws::Client::CoreErrors>(Aws::Client::CoreErrors::UNKNOWN, false);
+    }
+};
+
+class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
+{
+protected:
+    std::shared_ptr<MockHttpClient> mockHttpClient;
+    std::shared_ptr<MockHttpClientFactory> mockHttpClientFactory;
+
+    void SetUp() override
+    {
+        mockHttpClient = Aws::MakeShared<MockHttpClient>(ALLOCATION_TAG);
+        mockHttpClientFactory = Aws::MakeShared<MockHttpClientFactory>(ALLOCATION_TAG);
+        mockHttpClientFactory->SetClient(mockHttpClient);
+        SetHttpClientFactory(mockHttpClientFactory);
+    }
+
+    void TearDown() override
+    {
+        mockHttpClient->Reset();
+        mockHttpClient = nullptr;
+        mockHttpClientFactory = nullptr;
+        Aws::Http::CleanupHttp();
+        Aws::Http::InitHttp();
+    }
+};
+
+TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
+{
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_ACCESS_KEY_ID", "test-access-key"},
+        {"AWS_SECRET_ACCESS_KEY", "test-secret-key"},
+    }};
+
+    // Setup mock response
+    std::shared_ptr<HttpRequest> requestTmp =
+        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
+                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
+    successResponse->SetResponseCode(HttpResponseCode::OK);
+    successResponse->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(successResponse);
+
+    // Create client configuration
+    Aws::Client::ClientConfigurationInitValues cfgInit;
+    cfgInit.shouldDisableIMDS = true;
+    Aws::Client::ClientConfiguration clientConfig(cfgInit);
+    clientConfig.region = Aws::Region::US_EAST_1;
+
+    // Create credential testing client that uses default provider chain
+    CredentialTestingClient client(clientConfig);
+
+    // Create mock request
+    AmazonWebServiceRequestMock mockRequest;
+
+    // Make request
+    auto outcome = client.MakeRequest(mockRequest);
+    ASSERT_TRUE(outcome.IsSuccess());
+
+    // Verify User-Agent contains environment credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
+    EXPECT_FALSE(userAgent.empty());
+
+    const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
+
+    // Verify there's only one m/ section (no duplicate m/ sections)
+    int mSectionCount = 0;
+    for (const auto& part : userAgentParsed) {
+        if (part.find("m/") != Aws::String::npos) {
+            mSectionCount++;
+        }
+    }
+    EXPECT_EQ(1, mSectionCount);
+
+    // Check for environment credentials business metric (g) in user agent
+    auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
+        [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("g") != Aws::String::npos; });
+
+    EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+}