feat: add system properties credentials provider & include it in default credentials provider chain (#1037)

Author: 0marperez

.changes/ec4b3c6c-c63f-499d-a032-026139b4627e.json

@@ -0,0 +1,8 @@
+{
+    "id": "ec4b3c6c-c63f-499d-a032-026139b4627e",
+    "type": "feature",
+    "description": "Add `SystemPropertyCredentialsProvider` and make it first in default chain credentials provider",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#1033"
+    ]
+}

aws-runtime/aws-config/api/aws-config.api

@@ -161,6 +161,13 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredent
 	public static synthetic fun fromEnvironment-TUY-ock$default (Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider$Companion;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;JLaws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;ILjava/lang/Object;)Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider;
 }
 
+public final class aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider {
+	public fun <init> ()V
+	public fun <init> (Lkotlin/jvm/functions/Function1;)V
+	public synthetic fun <init> (Lkotlin/jvm/functions/Function1;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun resolve (Laws/smithy/kotlin/runtime/util/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+}
+
 public final class aws/sdk/kotlin/runtime/auth/credentials/internal/ManagedBearerTokenProviderKt {
 	public static final fun manage (Laws/smithy/kotlin/runtime/http/auth/CloseableBearerTokenProvider;)Laws/smithy/kotlin/runtime/http/auth/BearerTokenProvider;
 }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/DefaultChainCredentialsProvider.kt

@@ -52,6 +52,7 @@ public class DefaultChainCredentialsProvider constructor(
     private val engine = httpClient ?: DefaultHttpEngine()
 
     private val chain = CredentialsProviderChain(
+        SystemPropertyCredentialsProvider(platformProvider::getProperty),
         EnvironmentCredentialsProvider(platformProvider::getenv),
         ProfileCredentialsProvider(profileName = profileName, platformProvider = platformProvider, httpClient = engine, region = region),
         // STS web identity provider can be constructed from either the profile OR 100% from the environment

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProvider.kt

@@ -0,0 +1,42 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.sdk.kotlin.runtime.auth.credentials
+
+import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
+import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
+import aws.smithy.kotlin.runtime.telemetry.logging.trace
+import aws.smithy.kotlin.runtime.util.Attributes
+import aws.smithy.kotlin.runtime.util.PlatformProvider
+import kotlin.coroutines.coroutineContext
+
+private const val PROVIDER_NAME = "SystemProperties"
+
+private val ACCESS_KEY_ID = AwsSdkSetting.AwsAccessKeyId.sysProp
+private val SECRET_ACCESS_KEY = AwsSdkSetting.AwsSecretAccessKey.sysProp
+private val SESSION_TOKEN = AwsSdkSetting.AwsSessionToken.sysProp
+
+/**
+ * A [CredentialsProvider] which reads `aws.accessKeyId`, `aws.secretAccessKey`, and `aws.sessionToken` from system properties.
+ */
+public class SystemPropertyCredentialsProvider
+public constructor(private val getProperty: (String) -> String? = PlatformProvider.System::getProperty) : CredentialsProvider {
+
+    private fun requireProperty(variable: String): String =
+        getProperty(variable) ?: throw ProviderConfigurationException("Missing value for system property `$variable`")
+
+    override suspend fun resolve(attributes: Attributes): Credentials {
+        coroutineContext.trace<SystemPropertyCredentialsProvider> {
+            "Attempting to load credentials from system properties $ACCESS_KEY_ID/$SECRET_ACCESS_KEY/$SESSION_TOKEN"
+        }
+        return Credentials(
+            accessKeyId = requireProperty(ACCESS_KEY_ID),
+            secretAccessKey = requireProperty(SECRET_ACCESS_KEY),
+            sessionToken = getProperty(SESSION_TOKEN),
+            providerName = PROVIDER_NAME,
+        )
+    }
+}

aws-runtime/aws-config/common/test-resources/default-provider-chain/prefer_system_properties/env.json

@@ -0,0 +1,5 @@
+{
+  "HOME": "/home",
+  "AWS_ACCESS_KEY_ID": "incorrect_key",
+  "AWS_SECRET_ACCESS_KEY": "incorrect_secret"
+}

aws-runtime/aws-config/common/test-resources/default-provider-chain/prefer_system_properties/fs.home..aws/config

@@ -0,0 +1,7 @@
+[default]
+region = us-east-1
+role_arn = arn:aws:iam::123456789:role/integration-test
+source_profile = base
+
+[profile base]
+region = us-east-1

aws-runtime/aws-config/common/test-resources/default-provider-chain/prefer_system_properties/fs.home..aws/credentials

@@ -0,0 +1,3 @@
+[base]
+aws_access_key_id = AKIAFAKE
+aws_secret_access_key = FAKE

aws-runtime/aws-config/common/test-resources/default-provider-chain/prefer_system_properties/system-properties.json

@@ -0,0 +1,4 @@
+{
+  "aws.accessKeyId": "correct_key",
+  "aws.secretAccessKey": "correct_secret"
+}

aws-runtime/aws-config/common/test-resources/default-provider-chain/prefer_system_properties/test-case.json

@@ -0,0 +1,10 @@
+{
+  "name": "prefer system properties",
+  "docs": "prefer system properties over environment and profile",
+  "result": {
+    "Ok": {
+      "access_key_id": "correct_key",
+      "secret_access_key": "correct_secret"
+    }
+  }
+}

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProviderTest.kt

@@ -0,0 +1,51 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.sdk.kotlin.runtime.auth.credentials
+
+import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
+import io.kotest.matchers.string.shouldContain
+import kotlinx.coroutines.test.runTest
+import org.junit.jupiter.api.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertFailsWith
+
+class SystemPropertyCredentialsProviderTest {
+    private fun provider(vararg vars: Pair<String, String>) = SystemPropertyCredentialsProvider((vars.toMap())::get)
+
+    @Test
+    fun readAllSystemProperties() = runTest {
+        val provider = provider(
+            AwsSdkSetting.AwsAccessKeyId.sysProp to "abc",
+            AwsSdkSetting.AwsSecretAccessKey.sysProp to "def",
+            AwsSdkSetting.AwsSessionToken.sysProp to "ghi",
+        )
+        assertEquals(provider.resolve(), Credentials("abc", "def", "ghi", providerName = "SystemProperties"))
+    }
+
+    @Test
+    fun readAllSystemPropertiesExceptSessionToken() = runTest {
+        val provider = provider(
+            AwsSdkSetting.AwsAccessKeyId.sysProp to "abc",
+            AwsSdkSetting.AwsSecretAccessKey.sysProp to "def",
+        )
+        assertEquals(provider.resolve(), Credentials("abc", "def", null, providerName = "SystemProperties"))
+    }
+
+    @Test
+    fun throwsExceptionWhenMissingAccessKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(AwsSdkSetting.AwsSecretAccessKey.sysProp to "def").resolve()
+        }.message.shouldContain("Missing value for system property `aws.accessKeyId`")
+    }
+
+    @Test
+    fun throwsExceptionWhenMissingSecretKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(AwsSdkSetting.AwsAccessKeyId.sysProp to "abc").resolve()
+        }.message.shouldContain("Missing value for system property `aws.secretAccessKey`")
+    }
+}