requiresMinorVersionBump set to true in changelog, StsWebIdentityProvider now public, announcement draft updates

Author: 0marperez

.changes/0b5b53ab-70c0-4c1b-a445-8663ae86d6d1.json

@@ -1,5 +1,6 @@
 {
     "id": "0b5b53ab-70c0-4c1b-a445-8663ae86d6d1",
     "type": "misc",
-    "description": "The order of credentials resolution in config files has been updated to: static credentials, assume role with source profile OR assume role with named provider, web identity token, SSO session, legacy SSO, process"
+    "description": "The order of credentials resolution in config files has been updated to: static credentials, assume role with source profile OR assume role with named provider, web identity token, SSO session, legacy SSO, process",
+    "requiresMinorVersionBump": true
 }

.changes/99a099e1-26c1-4ba1-b0d3-435609ea4e94.json

@@ -1,5 +1,6 @@
 {
     "id": "99a099e1-26c1-4ba1-b0d3-435609ea4e94",
     "type": "misc",
-    "description": "The order of credentials resolution in the credentials provider chain has been updated to: system properties, environment variables, web identity tokens, profile, ECS, EC2"
+    "description": "The order of credentials resolution in the credentials provider chain has been updated to: system properties, environment variables, web identity tokens, profile, ECS, EC2",
+    "requiresMinorVersionBump": true
 }

.changes/announcement.md

@@ -1,44 +1,110 @@
 An upcoming release of the **AWS SDK for Kotlin** will change the order of 
 credentials resolution for the [default credentials provider chain](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html#default-credential-provider-chain)
-and the order of credentials resolution for the AWS shared config files.
+and the order of credentials resolution for AWS shared config files.
 
 # Release date
 
-This feature will ship with the **v1.4.x** release on xx/xx/xxxx.
+This change will be included in the upcoming **v1.4.x** release, expected in the 
+upcoming months.
 
 # What's changing
 
-The SDK will be changing the order in which credentials are resolved when
-using the default credentials provider chain. The new order will be:
+The order of credentials resolution for the default credentials provider chain,
+and the order of credentials resolution for AWS shared config files (profile chain). 
 
-1. System properties
-2. Environment variables
-3. Assume role with web identity token
-4. Shared credentials and config files (profile)
-5. Amazon ECS container credentials
-6. Amazon EC2 Instance Metadata Service
+## Default credentials provider chain
+
+The table below outlines the current and new order in which the SDK will
+resolve credentials from the default credentials provider chain.
+
+| # | Current Order                                                          | New Order                                                              |
+|---|------------------------------------------------------------------------|------------------------------------------------------------------------|
+| 1 | System properties                                                      | System properties                                                      |
+| 2 | Environment variables                                                  | Environment variables                                                  |
+| 3 | **Shared credentials and config files (profile credentials provider)** | **Assume role with web identity token**                                |
+| 4 | **Assume role with web identity token**                                | **Shared credentials and config files (profile credentials provider)** |
+| 5 | Amazon ECS container credentials                                       | Amazon ECS container credentials                                       |
+| 6 | Amazon EC2 Instance Metadata Service                                   | Amazon EC2 Instance Metadata Service                                   |
 
 The [default credentials provider chain documentation](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html#default-credential-provider-chain) 
 contains more details on each credential source.
 
-The SDK will also be changing the order in which credentials are resolved from
-in the shared credentials and config files. The new order will be:
+## Profile chain
+
+The table below outlines the current and new order in which the SDK will 
+resolve credentials from AWS shared config files.
 
-1. Static credentials
-2. Assume role with source profile OR assume role with named provider (mutually exclusive)
-3. Web identity token
-4. SSO session
-5. Legacy SSO
-6. Process
+| # | Current Order                                                                                            | New Order                                                                                   |
+|---|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
+| 1 | **Assume role with source profile OR assume role with named provider (mutually exclusive)**              | **Static credentials**                                                                      |
+| 2 | Web identity token                                                                                       | **Assume role with source profile OR assume role with named provider (mutually exclusive)** |
+| 3 | SSO session                                                                                              | Web identity token                                                                          |
+| 4 | Legacy SSO                                                                                               | SSO session                                                                                 |
+| 5 | Process                                                                                                  | Legacy SSO                                                                                  |
+| 6 | **Static credentials (moves up to #1 when in a source profile, shifting other credential sources down)** | Process                                                                                     |
 
 # How to migrate
 
 1. Upgrade all of your AWS SDK for Kotlin dependencies to **v.1.4.x**.
-2. Verify that the changes to the default credentials provider chain and credentials files do not introduce any issues in your program.
-3. If issues arise review the new credentials resolution order and adjust your configuration as needed.
+2. Verify that the changes to the default credentials provider chain and profile chain do not introduce any issues in your program.
+3. If issues arise review the new credentials resolution order, the subsections below, and adjust your configuration as needed.
+
+## Default credentials provider chain
+
+You can preserve the current default credentials provider chain behavior by setting
+the credentials provider to a credentials provider chain with the current order, e.g.
+
+```kotlin
+S3Client{
+    region = "..."
+    credentialsProvider = CredentialsProviderChain(
+        SystemPropertyCredentialsProvider(),
+        EnvironmentCredentialsProvider(),
+        StsWebIdentityProvider(),
+        ProfileCredentialsProvider(),
+        EcsCredentialsProvider(),
+        ImdsCredentialsProvider(),
+    )
+}
+```
+
+## Profile credentials provider
+
+The order in which credentials are resolved for shared credentials and config 
+files cannot be customized. If your AWS config file(s) contain multiple valid 
+credential sources within a single profile, you may need to update them to align 
+with the new resolution order. For example, config file `A` should be updated to 
+match config file `B`. This is necessary because static credentials will now 
+take precedence and be selected before assume role credentials with a source profile. 
+Similar adjustments to your configuration may be necessary to maintain current
+behavior. Use the new order as a guide for any required changes.
+
+Config file `A`
+```ini
+[default]
+role_arn = arn:aws:iam::123456789:role/Role
+source_profile = A
+aws_access_key_id = 0
+aws_secret_access_key = 0
+
+[profile A]
+aws_access_key_id = 1
+aws_secret_access_key = 2
+```
+
+Config file `B`
+```ini
+[default]
+role_arn = arn:aws:iam::123456789:role/Role
+source_profile = A
+
+[profile A]
+aws_access_key_id = 1
+aws_secret_access_key = 2
+```
 
 # Feedback
 
 If you have any questions concerning this change, please feel free to engage 
-with us in this discussion. If you encounter a bug with these changes, please 
-[file an issue](https://github.com/awslabs/aws-sdk-kotlin/issues/new/choose).
+with us in this discussion. If you encounter a bug with these changes when 
+released, please [file an issue](https://github.com/awslabs/aws-sdk-kotlin/issues/new/choose).

aws-runtime/aws-config/api/aws-config.api

@@ -199,6 +199,14 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredent
 	public static synthetic fun fromEnvironment-TUY-ock$default (Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider$Companion;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;JLaws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;ILjava/lang/Object;)Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider;
 }
 
+public final class aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CloseableCredentialsProvider {
+	public fun <init> ()V
+	public fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Ljava/lang/String;)V
+	public synthetic fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Ljava/lang/String;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun close ()V
+	public fun resolve (Laws/smithy/kotlin/runtime/collections/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+}
+
 public final class aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider {
 	public fun <init> ()V
 	public fun <init> (Lkotlin/jvm/functions/Function1;)V

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/DefaultChainCredentialsProvider.kt

@@ -86,10 +86,10 @@ public class DefaultChainCredentialsProvider constructor(
  * Wrapper around [StsWebIdentityCredentialsProvider] that delays any exceptions until [resolve] is invoked.
  * This allows it to be part of the default chain and any failures result in the chain to move onto the next provider.
  */
-private class StsWebIdentityProvider(
-    val platformProvider: PlatformProvider = PlatformProvider.System,
-    val httpClient: HttpClientEngine? = null,
-    val region: String? = null,
+public class StsWebIdentityProvider(
+    private val platformProvider: PlatformProvider = PlatformProvider.System,
+    private val httpClient: HttpClientEngine? = null,
+    private val region: String? = null,
 ) : CloseableCredentialsProvider {
     override suspend fun resolve(attributes: Attributes): Credentials {
         val wrapped = StsWebIdentityCredentialsProvider.fromEnvironment(platformProvider = platformProvider, httpClient = httpClient, region = region)