Removed STS assume role in sts provider.

added to clientconfiguration so we know where the token is coming from (env/profile)

Author: kai-ion

src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h

@@ -441,12 +441,37 @@ namespace Aws
               ResponseChecksumValidation responseChecksumValidation = ResponseChecksumValidation::WHEN_SUPPORTED;
             } checksumConfig;
 
+            /**
+             * Configuration source types for tracking where values come from
+             */
+            enum class ConfigSourceType {
+                ENVIRONMENT,
+                PROFILE,
+                DEFAULT_VALUE
+            };
+            
+            /**
+             * Structure to hold both config value and its source
+             */
+            struct ConfigSource {
+                Aws::String value;
+                ConfigSourceType source;
+                ConfigSource(const Aws::String& val, ConfigSourceType src) : value(val), source(src) {}
+            };
+            
             /**
              * A helper function to read config value from env variable or aws profile config
              */
             static Aws::String LoadConfigFromEnvOrProfile(const Aws::String& envKey, const Aws::String& profile,
                                                           const Aws::String& profileProperty, const Aws::Vector<Aws::String>& allowedValues,
                                                           const Aws::String& defaultValue);
+            
+            /**
+             * A helper function to read config value and track its source
+             */
+            static ConfigSource LoadConfigFromEnvOrProfileWithSource(const Aws::String& envKey, const Aws::String& profile,
+                                                                     const Aws::String& profileProperty, const Aws::Vector<Aws::String>& allowedValues,
+                                                                     const Aws::String& defaultValue);
 
             /**
              * A wrapper for interfacing with telemetry functionality. Defaults to Noop provider.
@@ -539,6 +564,11 @@ namespace Aws
                * The OAuth 2.0 access token or OpenID Connect ID token
                */
               Aws::String tokenFilePath;
+              
+              /**
+               * Credential source type for user agent tracking
+               */
+              Aws::String credentialSource;
 
               /**
                * Time out for the credentials future call.

src/aws-cpp-sdk-core/include/aws/core/client/UserAgent.h

@@ -33,10 +33,12 @@ enum class UserAgentFeature {
   RESOLVED_ACCOUNT_ID,
   GZIP_REQUEST_COMPRESSION,
   CREDENTIALS_ENV_VARS,
+  CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN,
   CREDENTIALS_PROFILE,
   CREDENTIALS_PROFILE_PROCESS,
   CREDENTIALS_IMDS,
   CREDENTIALS_STS_ASSUME_ROLE,
+  CREDENTIALS_STS_WEB_IDENTITY_TOKEN,
   CREDENTIALS_HTTP,
 };
 

src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

@@ -105,10 +105,6 @@ AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
   std::unique_lock<std::mutex> lock{m_refreshMutex};
   m_refreshSignal.wait_for(lock, m_providerFuturesTimeoutMs, [&refreshDone]() -> bool { return refreshDone; });
 
-  if (!credentials.IsEmpty()) {
-    credentials.AddUserAgentFeature(Aws::Client::UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE);
-  }
-
   return credentials;
 }
 

src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp

@@ -73,6 +73,18 @@ static T LoadEnumFromString(const std::array<std::pair<const char*, T>, N>& mapp
   return mapping->second;
 }
 
+// Helper to load raw values without lowercasing (for file paths, ARNs, etc.)
+static Aws::String LoadRawFromEnvOrProfile(const Aws::String& envKey,
+                                           const Aws::String& profile,
+                                           const Aws::String& profileProperty,
+                                           const Aws::String& defaultValue) {
+    Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
+    if (option.empty()) {
+        option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
+    }
+    return option.empty() ? defaultValue : Aws::Utils::StringUtils::Trim(option.c_str());
+}
+
 ClientConfiguration::ProviderFactories ClientConfiguration::ProviderFactories::defaultFactories = []()
 {
     ProviderFactories factories;
@@ -327,23 +339,25 @@ void setConfigFromEnvOrProfile(ClientConfiguration &config)
     // Uses default retry mode with the specified max attempts from metadata_service_num_attempts
     config.credentialProviderConfig.imdsConfig.imdsRetryStrategy = InitRetryStrategy(attempts, "");
 
-    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_ARN_ENV_VAR,
-          config.profileName,
-          AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
-
-      config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_SESSION_NAME_ENV_VAR,
-          config.profileName,
-          AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
-
-      config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR,
-          config.profileName,
-          AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
+    auto roleArnSrc = ClientConfiguration::LoadConfigFromEnvOrProfileWithSource(
+        AWS_IAM_ROLE_ARN_ENV_VAR, config.profileName, AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION, {}, "");
+    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = roleArnSrc.value;
+
+    config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = LoadRawFromEnvOrProfile(
+        AWS_IAM_ROLE_SESSION_NAME_ENV_VAR, config.profileName, AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION, "");
+
+    auto tokenFileSrc = ClientConfiguration::LoadConfigFromEnvOrProfileWithSource(
+        AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR, config.profileName, AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION, {}, "");
+    config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = tokenFileSrc.value;
+
+    if (!roleArnSrc.value.empty() && !tokenFileSrc.value.empty()) {
+        using Src = ClientConfiguration::ConfigSourceType;
+        const bool fromEnv = (roleArnSrc.source == Src::ENVIRONMENT) || (tokenFileSrc.source == Src::ENVIRONMENT);
+        config.credentialProviderConfig.stsCredentialsProviderConfig.credentialSource =
+            fromEnv ? "env_web_identity" : "web_identity";
+    } else {
+        config.credentialProviderConfig.stsCredentialsProviderConfig.credentialSource.clear();
+    }
 }
 
 ClientConfiguration::ClientConfiguration()
@@ -552,35 +566,79 @@ std::shared_ptr<RetryStrategy> InitRetryStrategy(Aws::String retryMode)
     return InitRetryStrategy(maxAttempts, retryMode);
 }
 
-Aws::String ClientConfiguration::LoadConfigFromEnvOrProfile(const Aws::String& envKey,
-                                                            const Aws::String& profile,
-                                                            const Aws::String& profileProperty,
-                                                            const Aws::Vector<Aws::String>& allowedValues,
-                                                            const Aws::String& defaultValue)
+ClientConfiguration::ConfigSource ClientConfiguration::LoadConfigFromEnvOrProfileWithSource(const Aws::String& envKey,
+                                                                                            const Aws::String& profile,
+                                                                                            const Aws::String& profileProperty,
+                                                                                            const Aws::Vector<Aws::String>& allowedValues,
+                                                                                            const Aws::String& defaultValue)
 {
-    Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
-    if (option.empty()) {
+    Aws::String option;
+    ConfigSourceType sourceType = ConfigSourceType::DEFAULT_VALUE;
+
+    if (!envKey.empty()) {
+        option = Aws::Environment::GetEnv(envKey.c_str());
+        if (!option.empty()) {
+            sourceType = ConfigSourceType::ENVIRONMENT;
+        }
+    }
+
+    if (option.empty() && !profileProperty.empty()) {
         option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
+        if (!option.empty()) {
+            sourceType = ConfigSourceType::PROFILE;
+        }
     }
-    option = Aws::Utils::StringUtils::ToLower(option.c_str());
+
+    option = Aws::Utils::StringUtils::Trim(option.c_str());
+
     if (option.empty()) {
-        return defaultValue;
+        return ConfigSource(defaultValue, ConfigSourceType::DEFAULT_VALUE);
     }
 
-    if (!allowedValues.empty() && std::find(allowedValues.cbegin(), allowedValues.cend(), option) == allowedValues.cend()) {
-        Aws::OStringStream expectedStr;
-        expectedStr << "[";
-        for(const auto& allowed : allowedValues) {
-            expectedStr << allowed << ";";
+    // Validate only if we have an allowed list (enum-like). Do NOT mutate case of the returned value.
+    if (!allowedValues.empty()) {
+        const Aws::String optionLower = Aws::Utils::StringUtils::ToLower(option.c_str());
+
+        // Build a lowercased view of the allowed set once
+        bool allowed = std::any_of(allowedValues.cbegin(), allowedValues.cend(),
+            [&](const Aws::String& v){ return optionLower == Aws::Utils::StringUtils::ToLower(v.c_str()); });
+
+        if (!allowed) {
+            Aws::OStringStream expectedStr;
+            expectedStr << "[";
+            for (size_t i = 0; i < allowedValues.size(); ++i) {
+                expectedStr << allowedValues[i];
+                if ( i + 1 < allowedValues.size() ) expectedStr << ";";
+            }
+            expectedStr << "]";
+
+            const char* src = (sourceType == ConfigSourceType::ENVIRONMENT) ? "environment" :
+                              (sourceType == ConfigSourceType::PROFILE)     ? "profile"      : "default";
+
+            AWS_LOGSTREAM_WARN(
+                CLIENT_CONFIG_TAG,
+                "Unrecognized value from " << src
+                << (sourceType == ConfigSourceType::ENVIRONMENT ? (Aws::String(" (") + envKey + ")") :
+                    sourceType == ConfigSourceType::PROFILE ? (Aws::String(" (") + profile + ":" + profileProperty + ")") : "")
+                << ": \"" << option << "\". Using default: \"" << defaultValue
+                << "\". Expected one of: " << expectedStr.str()
+            );
+
+            return ConfigSource(defaultValue, ConfigSourceType::DEFAULT_VALUE);
         }
-        expectedStr << "]";
-
-        AWS_LOGSTREAM_WARN(CLIENT_CONFIG_TAG, "Unrecognised value for " << envKey << ": " << option <<
-                                              ". Using default instead: " << defaultValue <<
-                                              ". Expected empty or one of: " << expectedStr.str());
-        option = defaultValue;
     }
-    return option;
+
+    // Return original (un-lowercased) token and the actual source
+    return ConfigSource(option, sourceType);
+}
+
+Aws::String ClientConfiguration::LoadConfigFromEnvOrProfile(const Aws::String& envKey,
+                                                            const Aws::String& profile,
+                                                            const Aws::String& profileProperty,
+                                                            const Aws::Vector<Aws::String>& allowedValues,
+                                                            const Aws::String& defaultValue)
+{
+    return LoadConfigFromEnvOrProfileWithSource(envKey, profile, profileProperty, allowedValues, defaultValue).value;
 }
 
 } // namespace Client

src/aws-cpp-sdk-core/source/client/UserAgent.cpp

@@ -43,10 +43,12 @@ const std::pair<UserAgentFeature, const char*> BUSINESS_METRIC_MAPPING[] = {
     {UserAgentFeature::RESOLVED_ACCOUNT_ID, "T"},
     {UserAgentFeature::GZIP_REQUEST_COMPRESSION, "L"},
     {UserAgentFeature::CREDENTIALS_ENV_VARS, "g"},
+    {UserAgentFeature::CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN, "h"},
     {UserAgentFeature::CREDENTIALS_PROFILE, "n"},
     {UserAgentFeature::CREDENTIALS_PROFILE_PROCESS, "v"},
     {UserAgentFeature::CREDENTIALS_IMDS, "0"},
     {UserAgentFeature::CREDENTIALS_STS_ASSUME_ROLE, "i"},
+    {UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN, "q"},
     {UserAgentFeature::CREDENTIALS_HTTP, "z"},
 };
 
@@ -129,6 +131,13 @@ UserAgent::UserAgent(const ClientConfiguration& clientConfiguration,
   if (accountIdMode.has_value()) {
     m_features.emplace(accountIdMode.value());
   }
+
+  const auto& sts = clientConfiguration.credentialProviderConfig.stsCredentialsProviderConfig;
+  if (sts.credentialSource == "env_web_identity") {
+    m_features.emplace(UserAgentFeature::CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN);
+  } else if (sts.credentialSource == "web_identity") {
+    m_features.emplace(UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN);
+  }
 }
 
 Aws::String UserAgent::SerializeWithFeatures(const Aws::Set<UserAgentFeature>& features) const {