STS credentials provider and UserAgent tracking (#3539)

kai-ion · web-flow · commit 770cea2acf59 · 2025-09-18T13:41:12.000-04:00
- Remove CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN enum from UserAgent
- Add CREDENTIALS_STS_WEB_IDENTITY_TOKEN tracking to STSCredentialsProvider
- Simplify UserAgent credential tracking implementation
diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h b/src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h
@@ -37,6 +37,7 @@ enum class UserAgentFeature {
   CREDENTIALS_PROFILE_PROCESS,
   CREDENTIALS_IMDS,
   CREDENTIALS_STS_ASSUME_ROLE,
+  CREDENTIALS_STS_WEB_IDENTITY_TOKEN,
   CREDENTIALS_HTTP,
   CREDENTIALS_PROFILE_SOURCE_PROFILE,
 };
diff --git a/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
@@ -5,6 +5,7 @@
 #include <aws/core/Globals.h>
 #include <aws/core/auth/STSCredentialsProvider.h>
 #include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/client/UserAgent.h>
 #include <aws/core/platform/Environment.h>
 #include <aws/crt/auth/Credentials.h>
 
@@ -106,7 +107,7 @@ AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
   m_refreshSignal.wait_for(lock, m_providerFuturesTimeoutMs, [&refreshDone]() -> bool { return refreshDone; });
 
   if (!credentials.IsEmpty()) {
-    credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE);
+    credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN);
   }
 
   return credentials;
diff --git a/src/aws-cpp-sdk-core/source/client/UserAgent.cpp b/src/aws-cpp-sdk-core/source/client/UserAgent.cpp
@@ -47,6 +47,7 @@ const std::pair<UserAgentFeature, const char*> BUSINESS_METRIC_MAPPING[] = {
     {UserAgentFeature::CREDENTIALS_PROFILE_PROCESS, "v"},
     {UserAgentFeature::CREDENTIALS_IMDS, "0"},
     {UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE, "i"},
+    {UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN, "q"},
     {UserAgentFeature::CREDENTIALS_HTTP, "z"},
     {UserAgentFeature::CREDENTIALS_PROFILE_SOURCE_PROFILE, "p"},
 };
diff --git a/src/aws-cpp-sdk-identity-management/source/auth/STSAssumeRoleCredentialsProvider.cpp b/src/aws-cpp-sdk-identity-management/source/auth/STSAssumeRoleCredentialsProvider.cpp
@@ -8,6 +8,7 @@
 #include <aws/sts/STSClient.h>
 #include <aws/core/utils/logging/LogMacros.h>
 #include <aws/core/utils/Outcome.h>
+#include <aws/core/client/UserAgent.h>
 
 using namespace Aws::Utils;
 using namespace Aws::STS;
@@ -71,6 +72,7 @@ namespace Aws
                     {
                         const auto& stsCredentials = assumeRoleOutcome.GetResult().GetCredentials();
                         m_cachedCredentials = AWSCredentials(stsCredentials.GetAccessKeyId(), stsCredentials.GetSecretAccessKey(), stsCredentials.GetSessionToken());
+                        m_cachedCredentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE);
                         m_expiry = stsCredentials.GetExpiration().Millis();
                         AWS_LOGSTREAM_DEBUG(CLASS_TAG, "Credentials refreshed with new expiry " << 
                             DateTime(m_expiry.load()).ToGmtString(DateFormat::ISO_8601));
