Add business metrics support for STS, SSO and Profile credential providers

[S-Saranya1]

Adds business metric tracking for credentials

Motivation and Context

Keeping track of how users are providing credentials to SDKs and which credentials providers are being used.

Modifications

This PR adds business metrics support for these credential providers:

CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
CREDENTIALS_PROFILE("n")- ProfileCredentialsProvider
CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_PROCESS("v") - ProfileCredentialsProvider + ProcessCredentialsProvider

Key Technical Changes

1. Source Propagation: Introduces source parameter on credential provider builders to track credential provider chains

   • Example: Profile AssumeRole with environment variables → User-Agent contains m/n,g,i (profile + env vars + assume role)

2. Provider Name Updates: Changes existing providerName() methods to return business metric codes instead of full class names

3. Chain Tracking: Supports credential scenarios like (In ProfileCredentialsUtils)

   • Profile with credential_source , source_profile, web identity token , SSO session, credentials_process
   • Fallback chains when primary providers fail

Example User-Agent Outputs

• Simple environment variables: m/g
• Profile AssumeRole chain: m/n,o,i
• Failed AssumeRole fallback: m/g (only successful provider shown)

Deviations from specs:

Not using SSO legacy("u") because it doesn't make sense - It's already tracked as legacy via the CREDENTIALS_PROFILE_SSO_LEGACY ("t") value. Once in the SSO provider legacy doesn't really matter. The regular CREDENTIALS_PROFILE_SSO value of ("s") can be used for both cases. You can't really set a legacy client without coming from the profile

Testing

• Added unit tests for these

  CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
  CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
  CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
  CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
  CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
  CREDENTIALS_PROFILE("n")- ProfileCredentialsProvider

Performed integ test for these cases

CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider

Scenarios like: "p,0,i" and "o,n,i" for assume role with credential source and source profile, "r,s" for modern SSO session configuration, and "q,k" for profile-based web identity token flows. Legacy SSO testing with "t,s" business metrics is pending completion.

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• I have read the CONTRIBUTING document
• Local run of mvn install succeeds
• My code follows the code style of this project
• My change requires a change to the Javadoc documentation
• I have updated the Javadoc documentation accordingly
• I have added tests to cover my changes
• All new and existing tests passed
• I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
• My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

• I confirm that this pull request can be released under the Apache 2 license

[alextwoods]

A nit on "source" naming - at a quick glance, I might read that as being the source credentials rather than just a feature ID - I know its longer, but maybe sourceFeatureId?

Additionally - it looks like the logic here from 264-273 is duplicated below on line 284, does it make sense to refactor to a method?

[S-Saranya1]

Handled the duplicate logic, Agree with sourceFeatureId naming. Need to make the changes to all the files, will make the changes at last after team review, incase if anyone have anything different.

[S-Saranya1]

Removed this standalone test and consolidated it into StsCredentialsProviderUserAgentTest.java as a parameterized test.

[sonarqubecloud]

Quality Gate failed

Failed conditions
60.4% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

[github-actions]

This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one.