feat: Add environment credentials feature tracking to User-Agent

kai-ion · kai-ion · commit e9553865ca7c · 2025-08-13T15:44:10.000-04:00
- Add CREDENTIALS_ENV_VARS enum to UserAgentFeature with metric ID 'g'
- Track environment credentials usage in AWSClient::AttemptOneRequest
- Check for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY presence
- Implements env-credentials SEP specification for business metrics
- Add unit test for environment credentials feature tracking

Resolves environment credentials tracking for User-Agent 2.1 business metrics.
diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProvider.h b/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProvider.h
@@ -32,6 +32,17 @@ namespace Aws
 
         constexpr int AWS_CREDENTIAL_PROVIDER_EXPIRATION_GRACE_PERIOD = 5 * 1000;
 
+        /**
+         * Enum to identify credential provider types for tracking purposes
+         */
+        enum class CredentialProviderType
+        {
+            DEFAULT,
+            ENVIRONMENT,
+            // ... add other types as needed
+
+        };
+
         /**
          * Returns the full path of the config file.
          */
@@ -62,10 +73,16 @@ namespace Aws
              * Initializes provider. Sets last Loaded time count to 0, forcing a refresh on the
              * first call to GetAWSCredentials.
              */
-            AWSCredentialsProvider() : m_lastLoadedMs(0)
+            AWSCredentialsProvider(CredentialProviderType providerType = CredentialProviderType::DEFAULT)
+                : m_lastLoadedMs(0), m_providerType(providerType)
             {
             }
 
+            /**
+             * Get the provider type for tracking purposes
+             */
+            CredentialProviderType GetProviderType() const { return m_providerType; }
+
             virtual ~AWSCredentialsProvider() = default;
 
             /**
@@ -83,6 +100,7 @@ namespace Aws
             mutable Aws::Utils::Threading::ReaderWriterLock m_reloadLock;
         private:
             long long m_lastLoadedMs;
+            CredentialProviderType m_providerType;
         };
 
         /**
@@ -139,6 +157,11 @@ namespace Aws
         class AWS_CORE_API EnvironmentAWSCredentialsProvider : public AWSCredentialsProvider
         {
         public:
+            /**
+            * Initializes environment credentials provider
+            */
+            EnvironmentAWSCredentialsProvider() : AWSCredentialsProvider(CredentialProviderType::ENVIRONMENT) {}
+            
             /**
             * Reads AWS credentials from the Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN if they exist. If they
             * are not found, empty credentials are returned. Credentials are not cached.
diff --git a/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp b/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
@@ -43,10 +43,10 @@ AWSCredentials AWSCredentialsProviderChain::GetAWSCredentials()
 
 DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain() : AWSCredentialsProviderChain()
 {
-    AddProvider(Aws::MakeShared<EnvironmentAWSCredentialsProvider>(DefaultCredentialsProviderChainTag));
+    AddProvider(Aws::MakeShared<EnvironmentAWSCredentialsProvider>(DefaultCredentialsProviderChainTag)); // track
     AddProvider(Aws::MakeShared<ProfileConfigFileAWSCredentialsProvider>(DefaultCredentialsProviderChainTag));
     AddProvider(Aws::MakeShared<ProcessCredentialsProvider>(DefaultCredentialsProviderChainTag));
-    AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag));
+    AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag)); // track
     AddProvider(Aws::MakeShared<SSOCredentialsProvider>(DefaultCredentialsProviderChainTag));
     
     // General HTTP Credentials (prev. known as ECS TaskRole credentials) only available when ENVIRONMENT VARIABLE is set
diff --git a/tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp b/tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp
@@ -0,0 +1,166 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#include <aws/testing/AwsCppSdkGTestSuite.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/testing/mocks/aws/client/MockAWSClient.h>
+#include <aws/testing/mocks/http/MockHttpClient.h>
+#include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/platform/Environment.h>
+#include <aws/core/utils/StringUtils.h>
+
+using namespace Aws::Client;
+using namespace Aws::Auth;
+using namespace Aws::Http;
+
+static const char ALLOCATION_TAG[] = "CredentialTrackingTest";
+
+class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
+{
+protected:
+    std::shared_ptr<MockHttpClient> mockHttpClient;
+    std::shared_ptr<MockHttpClientFactory> mockHttpClientFactory;
+
+    void SetUp() override
+    {
+        mockHttpClient = Aws::MakeShared<MockHttpClient>(ALLOCATION_TAG);
+        mockHttpClientFactory = Aws::MakeShared<MockHttpClientFactory>(ALLOCATION_TAG);
+        mockHttpClientFactory->SetClient(mockHttpClient);
+        SetHttpClientFactory(mockHttpClientFactory);
+    }
+
+    void TearDown() override
+    {
+        mockHttpClient->Reset();
+        mockHttpClient = nullptr;
+        mockHttpClientFactory = nullptr;
+        Aws::Http::CleanupHttp();
+        Aws::Http::InitHttp();
+    }
+};
+
+TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
+{
+    // Set environment variables
+    Aws::Environment::SetEnv("AWS_ACCESS_KEY_ID", "test-access-key");
+    Aws::Environment::SetEnv("AWS_SECRET_ACCESS_KEY", "test-secret-key");
+
+    // Setup mock response
+    auto request = CreateHttpRequest(Aws::Http::URI("http://test.com"), 
+                                   Aws::Http::HttpMethod::HTTP_POST, 
+                                   Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto response = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, request);
+    response->SetResponseCode(HttpResponseCode::OK);
+    response->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(response);
+
+    // Create client configuration
+    ClientConfiguration config;
+    config.region = Aws::Region::US_EAST_1;
+
+    // Create mock client
+    MockAWSClient client(config);
+
+    // Make a request
+    AmazonWebServiceRequestMock mockRequest;
+    auto outcome = client.MakeRequest(mockRequest);
+
+    // Verify request succeeded
+    AWS_ASSERT_SUCCESS(outcome);
+
+    // Verify User-Agent contains environment credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasUserAgent());
+    const auto& userAgent = lastRequest.GetUserAgent();
+    
+    // Check for environment credentials feature (should contain "g")
+    EXPECT_TRUE(userAgent.find("g") != Aws::String::npos);
+
+    // Clean up environment variables
+    Aws::Environment::UnSetEnv("AWS_ACCESS_KEY_ID");
+    Aws::Environment::UnSetEnv("AWS_SECRET_ACCESS_KEY");
+}
+
+TEST_F(CredentialTrackingTest, TestDirectEnvironmentProviderTracking)
+{
+    // Create client with direct environment provider
+    ClientConfiguration config;
+    config.region = Aws::Region::US_EAST_1;
+    
+    // Set up environment credentials
+    Aws::Environment::SetEnv("AWS_ACCESS_KEY_ID", "test-access-key");
+    Aws::Environment::SetEnv("AWS_SECRET_ACCESS_KEY", "test-secret-key");
+    
+    // Create client with environment provider directly
+    auto envProvider = Aws::MakeShared<EnvironmentAWSCredentialsProvider>(ALLOCATION_TAG);
+    
+    // Setup mock response
+    auto request = CreateHttpRequest(Aws::Http::URI("http://test.com"), 
+                                   Aws::Http::HttpMethod::HTTP_POST, 
+                                   Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto response = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, request);
+    response->SetResponseCode(HttpResponseCode::OK);
+    response->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(response);
+    
+    MockAWSClient client(config);
+    
+    // Make a request
+    AmazonWebServiceRequestMock mockRequest;
+    auto outcome = client.MakeRequest(mockRequest);
+    
+    // Verify request succeeded
+    AWS_ASSERT_SUCCESS(outcome);
+    
+    // Verify User-Agent contains environment credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasUserAgent());
+    const auto& userAgent = lastRequest.GetUserAgent();
+    
+    // Check for environment credentials feature (should contain "g")
+    EXPECT_TRUE(userAgent.find("g") != Aws::String::npos);
+    
+    // Clean up
+    Aws::Environment::UnSetEnv("AWS_ACCESS_KEY_ID");
+    Aws::Environment::UnSetEnv("AWS_SECRET_ACCESS_KEY");
+}
+
+TEST_F(CredentialTrackingTest, TestNoEnvironmentCredentialsNoTracking)
+{
+    // Ensure no environment variables are set
+    Aws::Environment::UnSetEnv("AWS_ACCESS_KEY_ID");
+    Aws::Environment::UnSetEnv("AWS_SECRET_ACCESS_KEY");
+    
+    // Setup mock response
+    auto request = CreateHttpRequest(Aws::Http::URI("http://test.com"), 
+                                   Aws::Http::HttpMethod::HTTP_POST, 
+                                   Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
+    auto response = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, request);
+    response->SetResponseCode(HttpResponseCode::OK);
+    response->GetResponseBody() << "{}";
+    mockHttpClient->AddResponseToReturn(response);
+    
+    // Create client configuration
+    ClientConfiguration config;
+    config.region = Aws::Region::US_EAST_1;
+    
+    MockAWSClient client(config);
+    
+    // Make a request
+    AmazonWebServiceRequestMock mockRequest;
+    auto outcome = client.MakeRequest(mockRequest);
+    
+    // Verify request succeeded
+    AWS_ASSERT_SUCCESS(outcome);
+    
+    // Verify User-Agent does NOT contain environment credentials tracking
+    auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
+    EXPECT_TRUE(lastRequest.HasUserAgent());
+    const auto& userAgent = lastRequest.GetUserAgent();
+    
+    // Should not contain environment credentials feature "g" when not using env vars
+    EXPECT_TRUE(userAgent.find("g") == Aws::String::npos);
+}
