Implement credential tracking for profile, process, STS, and IMDS providers (#3527)

Add user agent feature tracking to identify credential provider usage:
- Profile credentials: CREDENTIALS_PROFILE (n)
- Process credentials: CREDENTIALS_PROFILE_PROCESS (o)
- STS credentials: CREDENTIALS_STS (p)
- IMDS credentials: CREDENTIALS_IMDS (q)

Changes:
- Add UserAgentFeature enum values for credential tracking
- Update credential providers to add tracking features
- Add comprehensive tests for credential tracking validation
- Fix type mismatches and improve error handling

Author: kai-ion

src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h

@@ -33,6 +33,10 @@ enum class UserAgentFeature {
   RESOLVED_ACCOUNT_ID,
   GZIP_REQUEST_COMPRESSION,
   CREDENTIALS_ENV_VARS,
+  CREDENTIALS_PROFILE,
+  CREDENTIALS_PROFILE_PROCESS,
+  CREDENTIALS_IMDS,
+  CREDENTIALS_STS_ASSUME_ROLE,
 };
 
 class AWS_CORE_API UserAgent {

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp

@@ -201,7 +201,11 @@ AWSCredentials ProfileConfigFileAWSCredentialsProvider::GetAWSCredentials()
 
     if(credsFileProfileIter != profiles.end())
     {
-        return credsFileProfileIter->second.GetCredentials();
+        AWSCredentials credentials = credsFileProfileIter->second.GetCredentials();
+        if (!credentials.IsEmpty()) {
+            credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_PROFILE);
+        }
+        return credentials;
     }
 
     return AWSCredentials();
@@ -265,7 +269,11 @@ AWSCredentials InstanceProfileCredentialsProvider::GetAWSCredentials()
         auto profileIter = profiles.find(Aws::Config::INSTANCE_PROFILE_KEY);
 
         if (profileIter != profiles.end()) {
-            return profileIter->second.GetCredentials();
+            AWSCredentials credentials = profileIter->second.GetCredentials();
+            if (!credentials.IsEmpty()) {
+                credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_IMDS);
+            }
+            return credentials;
         }
     }
     else
@@ -357,6 +365,9 @@ void ProcessCredentialsProvider::Reload()
         return;
     }
     m_credentials = GetCredentialsFromProcess(command);
+    if (!m_credentials.IsEmpty()) {
+        m_credentials.AddUserAgentFeature(UserAgentFeature::CREDENTIALS_PROFILE_PROCESS);
+    }
 }
 
 void ProcessCredentialsProvider::RefreshIfExpired()

src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

@@ -104,6 +104,11 @@ AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
 
   std::unique_lock<std::mutex> lock{m_refreshMutex};
   m_refreshSignal.wait_for(lock, m_providerFuturesTimeoutMs, [&refreshDone]() -> bool { return refreshDone; });
+
+  if (!credentials.IsEmpty()) {
+    credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE);
+  }
+
   return credentials;
 }
 

src/aws-cpp-sdk-core/source/client/UserAgent.cpp

@@ -43,6 +43,10 @@ const std::pair<UserAgentFeature, const char*> BUSINESS_METRIC_MAPPING[] = {
     {UserAgentFeature::RESOLVED_ACCOUNT_ID, "T"},
     {UserAgentFeature::GZIP_REQUEST_COMPRESSION, "L"},
     {UserAgentFeature::CREDENTIALS_ENV_VARS, "g"},
+    {UserAgentFeature::CREDENTIALS_PROFILE, "n"},
+    {UserAgentFeature::CREDENTIALS_PROFILE_PROCESS, "v"},
+    {UserAgentFeature::CREDENTIALS_IMDS, "0"},
+    {UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE, "i"},
 };
 
 const std::pair<const char*, UserAgentFeature> RETRY_FEATURE_MAPPING[] = {

tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp

@@ -7,28 +7,56 @@
 #include <aws/testing/AwsTestHelpers.h>
 #include <aws/testing/mocks/aws/client/MockAWSClient.h>
 #include <aws/testing/mocks/http/MockHttpClient.h>
+#include <aws/testing/mocks/aws/auth/MockAWSHttpResourceClient.h>
 #include <aws/testing/platform/PlatformTesting.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
 #include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/core/client/AWSClient.h>
 #include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/HashingUtils.h>
+#include <aws/core/platform/FileSystem.h>
+#include <aws/core/utils/FileSystemUtils.h>
+#include <fstream>
+#include <sys/stat.h>
 
 using namespace Aws::Client;
 using namespace Aws::Auth;
 using namespace Aws::Http;
 
-static const char ALLOCATION_TAG[] = "CredentialTrackingTest";
+namespace {
+const char* TEST_LOG_TAG =  "CredentialTrackingTest";
+}
+
+static Aws::String WrapEchoStringWithSingleQuoteForUnixShell(Aws::String str)
+{
+#ifndef _WIN32
+  str.insert(0, 1, '\'');
+  str.append(1, '\'');
+#endif
+  return str;
+}
 
 // Custom client that uses default credential provider for testing
 class CredentialTestingClient : public Aws::Client::AWSClient
 {
 public:
     explicit CredentialTestingClient(const Aws::Client::ClientConfiguration& configuration)
         : AWSClient(configuration,
-                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(ALLOCATION_TAG,
-                       Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG),
+                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(TEST_LOG_TAG,
+                       Aws::MakeShared<DefaultAWSCredentialsProviderChain>(TEST_LOG_TAG),
                        "service", configuration.region),
-                   Aws::MakeShared<MockAWSErrorMarshaller>(ALLOCATION_TAG))
+                   Aws::MakeShared<MockAWSErrorMarshaller>(TEST_LOG_TAG))
+    {
+    }
+
+    // Constructor with custom credential provider for IMDS test
+    explicit CredentialTestingClient(const Aws::Client::ClientConfiguration& configuration,
+                                   std::shared_ptr<AWSCredentialsProvider> credentialsProvider)
+        : AWSClient(configuration,
+                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(TEST_LOG_TAG,
+                       credentialsProvider,
+                       "service", configuration.region),
+                   Aws::MakeShared<MockAWSErrorMarshaller>(TEST_LOG_TAG))
     {
     }
 
@@ -56,8 +84,8 @@ class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
 
     void SetUp() override
     {
-        mockHttpClient = Aws::MakeShared<MockHttpClient>(ALLOCATION_TAG);
-        mockHttpClientFactory = Aws::MakeShared<MockHttpClientFactory>(ALLOCATION_TAG);
+        mockHttpClient = Aws::MakeShared<MockHttpClient>(TEST_LOG_TAG);
+        mockHttpClientFactory = Aws::MakeShared<MockHttpClientFactory>(TEST_LOG_TAG);
         mockHttpClientFactory->SetClient(mockHttpClient);
         SetHttpClientFactory(mockHttpClientFactory);
     }
@@ -70,6 +98,56 @@ class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
         Aws::Http::CleanupHttp();
         Aws::Http::InitHttp();
     }
+
+    void RunTestWithCredentialsProvider(const std::shared_ptr<AWSCredentialsProvider>& credentialsProvider, const Aws::String& id) {
+      // Setup mock response
+      std::shared_ptr<HttpRequest> requestTmp =
+          CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
+                          Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+      auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(TEST_LOG_TAG, requestTmp);
+      successResponse->SetResponseCode(HttpResponseCode::OK);
+      successResponse->GetResponseBody() << "{}";
+      mockHttpClient->AddResponseToReturn(successResponse);
+
+      // Create client configuration
+      Aws::Client::ClientConfigurationInitValues cfgInit;
+      cfgInit.shouldDisableIMDS = true;
+      Aws::Client::ClientConfiguration clientConfig(cfgInit);
+      clientConfig.region = Aws::Region::US_EAST_1;
+
+      // Create credential testing client that uses default provider chain
+      CredentialTestingClient client(clientConfig, credentialsProvider);
+
+      // Create mock request
+      AmazonWebServiceRequestMock mockRequest;
+
+      // Make request
+      auto outcome = client.MakeRequest(mockRequest);
+      ASSERT_TRUE(outcome.IsSuccess());
+
+      // Verify User-Agent contains environment credentials tracking
+      auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+      EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+      const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
+      EXPECT_FALSE(userAgent.empty());
+
+      const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
+
+      // Verify there's only one m/ section (no duplicate m/ sections)
+      int mSectionCount = 0;
+      for (const auto& part : userAgentParsed) {
+          if (part.find("m/") != Aws::String::npos) {
+              mSectionCount++;
+          }
+      }
+      EXPECT_EQ(1, mSectionCount);
+
+      // Check for environment credentials business metric (g) in user agent
+      auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
+          [&id](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find(id) != Aws::String::npos; });
+
+      EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+    }
 };
 
 TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
@@ -78,52 +156,61 @@ TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
         {"AWS_ACCESS_KEY_ID", "test-access-key"},
         {"AWS_SECRET_ACCESS_KEY", "test-secret-key"},
     }};
+    auto credsProvider = Aws::MakeShared<Aws::Auth::EnvironmentAWSCredentialsProvider>(TEST_LOG_TAG);
+    RunTestWithCredentialsProvider(std::move(credsProvider), "g");
+}
 
-    // Setup mock response
-    std::shared_ptr<HttpRequest> requestTmp =
-        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
-                        Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
-    auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
-    successResponse->SetResponseCode(HttpResponseCode::OK);
-    successResponse->GetResponseBody() << "{}";
-    mockHttpClient->AddResponseToReturn(successResponse);
-
-    // Create client configuration
-    Aws::Client::ClientConfigurationInitValues cfgInit;
-    cfgInit.shouldDisableIMDS = true;
-    Aws::Client::ClientConfiguration clientConfig(cfgInit);
-    clientConfig.region = Aws::Region::US_EAST_1;
-
-    // Create credential testing client that uses default provider chain
-    CredentialTestingClient client(clientConfig);
-
-    // Create mock request
-    AmazonWebServiceRequestMock mockRequest;
-
-    // Make request
-    auto outcome = client.MakeRequest(mockRequest);
-    ASSERT_TRUE(outcome.IsSuccess());
-
-    // Verify User-Agent contains environment credentials tracking
-    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
-    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
-    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
-    EXPECT_FALSE(userAgent.empty());
-
-    const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
-
-    // Verify there's only one m/ section (no duplicate m/ sections)
-    int mSectionCount = 0;
-    for (const auto& part : userAgentParsed) {
-        if (part.find("m/") != Aws::String::npos) {
-            mSectionCount++;
-        }
-    }
-    EXPECT_EQ(1, mSectionCount);
+TEST_F(CredentialTrackingTest, TestProfileCredentialsTracking)
+{
+    // Create temporary credentials file
+    Aws::Utils::TempFile credentialsFile(std::ios_base::out | std::ios_base::trunc);
+    ASSERT_TRUE(credentialsFile.good());
+    credentialsFile << "[default]" << std::endl;
+    credentialsFile << "aws_access_key_id = test-profile-access-key" << std::endl;
+    credentialsFile << "aws_secret_access_key = test-profile-secret-key" << std::endl;
+    credentialsFile.close();
+
+    // Set environment to use our test credentials file
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_SHARED_CREDENTIALS_FILE", credentialsFile.GetFileName().c_str()},
+    }};
+    Aws::Config::ReloadCachedCredentialsFile();
 
-    // Check for environment credentials business metric (g) in user agent
-    auto businessMetrics = std::find_if(userAgentParsed.begin(), userAgentParsed.end(),
-        [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("g") != Aws::String::npos; });
+    auto credsProvider = Aws::MakeShared<Aws::Auth::ProfileConfigFileAWSCredentialsProvider>(TEST_LOG_TAG);
+    RunTestWithCredentialsProvider(std::move(credsProvider), "n");
+}
 
-    EXPECT_TRUE(businessMetrics != userAgentParsed.end());
+TEST_F(CredentialTrackingTest, TestProfileProcessCredentialsTracking)
+{
+    // Create temporary config file with credential_process
+    Aws::Utils::TempFile configFile(std::ios_base::out | std::ios_base::trunc);
+    ASSERT_TRUE(configFile.good());
+    configFile << "[default]" << std::endl;
+    configFile << "credential_process = echo " << WrapEchoStringWithSingleQuoteForUnixShell("{\"Version\": 1, \"AccessKeyId\": \"test-process-key\", \"SecretAccessKey\": \"test-process-secret\"}") << std::endl;
+    configFile.close();
+
+    // Set environment to use our test config file
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_CONFIG_FILE", configFile.GetFileName().c_str()},
+    }};
+
+    // Force reload config file after setting environment variable
+    Aws::Config::ReloadCachedConfigFile();
+
+    auto credsProvider = Aws::MakeShared<Aws::Auth::ProcessCredentialsProvider>(TEST_LOG_TAG);
+    RunTestWithCredentialsProvider(std::move(credsProvider), "v");
 }
+
+TEST_F(CredentialTrackingTest, TestInstanceProfileCredentialsTracking)
+{
+    // Create mock EC2 metadata client with valid credentials
+    auto mockClient = Aws::MakeShared<MockEC2MetadataClient>(TEST_LOG_TAG);
+    const char* validCredentials = R"({ "AccessKeyId": "test-imds-access-key", "SecretAccessKey": "test-imds-secret-key", "Token": "test-imds-token", "Code": "Success", "Expiration": "2037-04-19T00:00:00Z" })";
+    mockClient->SetMockedCredentialsValue(validCredentials);
+
+    // Create IMDS credential provider with mock client
+    auto imdsProvider = Aws::MakeShared<InstanceProfileCredentialsProvider>(TEST_LOG_TAG,
+        Aws::MakeShared<Aws::Config::EC2InstanceProfileConfigLoader>(TEST_LOG_TAG, mockClient), 1000);
+
+    RunTestWithCredentialsProvider(std::move(imdsProvider), "0");
+}