feat: make user-supplied region available to credentials providers (#997)

Author: 0marperez

.changes/f4579d2b-4173-489e-b4fa-872beed6b1ef.json

@@ -0,0 +1,8 @@
+{
+    "id": "f4579d2b-4173-489e-b4fa-872beed6b1ef",
+    "type": "feature",
+    "description": "Make user-supplied region available to config resolution providers",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#583"
+    ]
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProvider.kt

@@ -8,6 +8,7 @@ package aws.sdk.kotlin.runtime.auth.credentials
 import aws.sdk.kotlin.runtime.auth.credentials.profile.LeafProvider
 import aws.sdk.kotlin.runtime.auth.credentials.profile.ProfileChain
 import aws.sdk.kotlin.runtime.auth.credentials.profile.RoleArn
+import aws.sdk.kotlin.runtime.client.AwsClientOption
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
 import aws.sdk.kotlin.runtime.config.imds.ImdsClient
 import aws.sdk.kotlin.runtime.config.profile.loadAwsSharedConfig
@@ -19,10 +20,7 @@ import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
 import aws.smithy.kotlin.runtime.io.closeIfCloseable
 import aws.smithy.kotlin.runtime.telemetry.logging.logger
 import aws.smithy.kotlin.runtime.time.TimestampFormat
-import aws.smithy.kotlin.runtime.util.Attributes
-import aws.smithy.kotlin.runtime.util.LazyAsyncValue
-import aws.smithy.kotlin.runtime.util.PlatformProvider
-import aws.smithy.kotlin.runtime.util.asyncLazy
+import aws.smithy.kotlin.runtime.util.*
 import kotlin.coroutines.coroutineContext
 
 /**
@@ -102,7 +100,7 @@ public class ProfileCredentialsProvider(
 
         // if profile is overridden for this provider, attempt to resolve it from there first
         val profileOverride = profileName?.let { sharedConfig.profiles[it] }
-        val region = asyncLazy { region ?: profileOverride?.getOrNull("region") ?: resolveRegion(platformProvider) }
+        val region = asyncLazy { region ?: profileOverride?.getOrNull("region") ?: attributes.getOrNull(AwsClientOption.Region) ?: resolveRegion(platformProvider) }
 
         val leaf = chain.leaf.toCredentialsProvider(region)
         logger.debug { "Resolving credentials from ${chain.leaf.description()}" }

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProviderTest.kt

@@ -5,11 +5,13 @@
 
 package aws.sdk.kotlin.runtime.auth.credentials
 
+import aws.sdk.kotlin.runtime.client.AwsClientOption
 import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
 import aws.smithy.kotlin.runtime.httptest.TestConnection
 import aws.smithy.kotlin.runtime.httptest.buildTestConnection
 import aws.smithy.kotlin.runtime.net.Host
 import aws.smithy.kotlin.runtime.util.TestPlatformProvider
+import aws.smithy.kotlin.runtime.util.attributesOf
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.test.runTest
 import kotlin.test.Test
@@ -137,4 +139,160 @@ class ProfileCredentialsProviderTest {
         // region is overridden from the environment which should take precedence
         assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), req.actual.url.host)
     }
+
+    @Test
+    fun testExplicitRegion() = runTest {
+        val testArn = "arn:aws:iam:1234567/test-role"
+        val testProvider = TestPlatformProvider(
+            env = mapOf(
+                "AWS_CONFIG_FILE" to "config",
+                "AWS_REGION" to "eu-west-3",
+            ),
+            fs = mapOf(
+                "config" to """
+                [default]
+                role_arn = $testArn
+                source_profile = B
+
+                [profile B]
+                aws_access_key_id = AKID-Profile
+                aws_secret_access_key = Profile-Secret
+                region = af-south-1 
+                """.trimIndent(),
+            ),
+        )
+
+        val testEngine = buildTestConnection {
+            expect(StsTestUtils.stsResponse(testArn))
+        }
+
+        ProfileCredentialsProvider(
+            platformProvider = testProvider,
+            httpClient = testEngine,
+            region = "us-west-2",
+        ).resolve(
+            attributesOf {
+                AwsClientOption.Region to "cn-north-1"
+            },
+        )
+
+        testEngine.assertRequests()
+        val requests = testEngine.requests().first()
+        assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), requests.actual.url.host)
+    }
+
+    @Test
+    fun testProfileRegion() = runTest {
+        val testArn = "arn:aws:iam:1234567/test-role"
+        val testProvider = TestPlatformProvider(
+            env = mapOf(
+                "AWS_CONFIG_FILE" to "config",
+                "AWS_REGION" to "eu-west-3",
+            ),
+            fs = mapOf(
+                "config" to """
+                [default]
+                role_arn = $testArn
+                region = us-west-2
+                source_profile = B
+
+                [profile B]
+                aws_access_key_id = AKID-Profile
+                aws_secret_access_key = Profile-Secret
+                """.trimIndent(),
+            ),
+        )
+
+        val testEngine = buildTestConnection {
+            expect(StsTestUtils.stsResponse(testArn))
+        }
+
+        ProfileCredentialsProvider(
+            platformProvider = testProvider,
+            httpClient = testEngine,
+            profileName = "default",
+        ).resolve(
+            attributesOf {
+                AwsClientOption.Region to "cn-north-1"
+            },
+        )
+
+        testEngine.assertRequests()
+        val requests = testEngine.requests().first()
+        assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), requests.actual.url.host)
+    }
+
+    @Test
+    fun testAttributeRegion() = runTest {
+        val testArn = "arn:aws:iam:1234567/test-role"
+        val testProvider = TestPlatformProvider(
+            env = mapOf(
+                "AWS_CONFIG_FILE" to "config",
+                "AWS_REGION" to "eu-west-3",
+            ),
+            fs = mapOf(
+                "config" to """
+                [default]
+                role_arn = $testArn
+                source_profile = B
+
+                [profile B]
+                aws_access_key_id = AKID-Profile
+                aws_secret_access_key = Profile-Secret
+                """.trimIndent(),
+            ),
+        )
+
+        val testEngine = buildTestConnection {
+            expect(StsTestUtils.stsResponse(testArn))
+        }
+
+        ProfileCredentialsProvider(
+            platformProvider = testProvider,
+            httpClient = testEngine,
+        ).resolve(
+            attributesOf {
+                AwsClientOption.Region to "us-west-2"
+            },
+        )
+
+        testEngine.assertRequests()
+        val requests = testEngine.requests().first()
+        assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), requests.actual.url.host)
+    }
+
+    @Test
+    fun testPlatformRegion() = runTest {
+        val testArn = "arn:aws:iam:1234567/test-role"
+        val testProvider = TestPlatformProvider(
+            env = mapOf(
+                "AWS_CONFIG_FILE" to "config",
+                "AWS_REGION" to "us-west-2",
+            ),
+            fs = mapOf(
+                "config" to """
+                [default]
+                role_arn = $testArn
+                source_profile = B
+
+                [profile B]
+                aws_access_key_id = AKID-Profile
+                aws_secret_access_key = Profile-Secret
+                """.trimIndent(),
+            ),
+        )
+
+        val testEngine = buildTestConnection {
+            expect(StsTestUtils.stsResponse(testArn))
+        }
+
+        ProfileCredentialsProvider(
+            platformProvider = testProvider,
+            httpClient = testEngine,
+        ).resolve()
+
+        testEngine.assertRequests()
+        val requests = testEngine.requests().first()
+        assertEquals(Host.Domain("sts.us-west-2.amazonaws.com"), requests.actual.url.host)
+    }
 }