fix: resolve region only when profile credentials require it (#582)

ianbotsf · web-flow · commit e245e2ce932c · 2022-04-14T09:45:37.000-07:00
diff --git a/aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProvider.kt b/aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProvider.kt
@@ -17,8 +17,10 @@ import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
 import aws.smithy.kotlin.runtime.io.Closeable
 import aws.smithy.kotlin.runtime.logging.Logger
 import aws.smithy.kotlin.runtime.time.TimestampFormat
+import aws.smithy.kotlin.runtime.util.LazyAsyncValue
 import aws.smithy.kotlin.runtime.util.Platform
 import aws.smithy.kotlin.runtime.util.PlatformProvider
+import aws.smithy.kotlin.runtime.util.asyncLazy
 
 /**
  * A [CredentialsProvider] that gets credentials from a profile in `~/.aws/config` or the shared credentials
@@ -74,7 +76,6 @@ public class ProfileCredentialsProvider(
     private val platformProvider: PlatformProvider = Platform,
     private val httpClientEngine: HttpClientEngine? = null,
 ) : CredentialsProvider, Closeable {
-
     private val namedProviders = mapOf(
         "Environment" to EnvironmentCredentialsProvider(platformProvider::getenv),
         "Ec2InstanceMetadata" to ImdsCredentialsProvider(
@@ -99,7 +100,7 @@ public class ProfileCredentialsProvider(
 
         // if profile is overridden for this provider, attempt to resolve it from there first
         val profileOverride = profileName?.let { profiles[it] }
-        val region = region ?: profileOverride?.get("region") ?: resolveRegion(platformProvider)
+        val region = asyncLazy { region ?: profileOverride?.get("region") ?: resolveRegion(platformProvider) }
 
         val leaf = chain.leaf.toCredentialsProvider(region)
         logger.debug { "Resolving credentials from ${chain.leaf.description()}" }
@@ -121,34 +122,39 @@ public class ProfileCredentialsProvider(
         }
     }
 
-    private fun LeafProvider.toCredentialsProvider(region: String): CredentialsProvider = when (this) {
-        is LeafProvider.NamedSource -> namedProviders[name] ?: throw ProviderConfigurationException("unknown credentials source: $name")
-        is LeafProvider.AccessKey -> StaticCredentialsProvider(credentials)
-        is LeafProvider.WebIdentityTokenRole -> StsWebIdentityCredentialsProvider(
-            roleArn,
-            webIdentityTokenFile,
-            region = region,
-            roleSessionName = sessionName,
-            platformProvider = platformProvider,
-            httpClientEngine = httpClientEngine
-        )
-        is LeafProvider.Sso -> SsoCredentialsProvider(
-            accountId = ssoAccountId,
-            roleName = ssoRoleName,
-            startUrl = ssoStartUrl,
-            ssoRegion = ssoRegion,
-            httpClientEngine = httpClientEngine,
-            platformProvider = platformProvider
-        )
-    }
+    private suspend fun LeafProvider.toCredentialsProvider(region: LazyAsyncValue<String>): CredentialsProvider =
+        when (this) {
+            is LeafProvider.NamedSource -> namedProviders[name]
+                ?: throw ProviderConfigurationException("unknown credentials source: $name")
+
+            is LeafProvider.AccessKey -> StaticCredentialsProvider(credentials)
+
+            is LeafProvider.WebIdentityTokenRole -> StsWebIdentityCredentialsProvider(
+                roleArn,
+                webIdentityTokenFile,
+                region = region.get(),
+                roleSessionName = sessionName,
+                platformProvider = platformProvider,
+                httpClientEngine = httpClientEngine
+            )
+
+            is LeafProvider.Sso -> SsoCredentialsProvider(
+                accountId = ssoAccountId,
+                roleName = ssoRoleName,
+                startUrl = ssoStartUrl,
+                ssoRegion = ssoRegion,
+                httpClientEngine = httpClientEngine,
+                platformProvider = platformProvider
+            )
+        }
 
-    private fun RoleArn.toCredentialsProvider(
+    private suspend fun RoleArn.toCredentialsProvider(
         creds: Credentials,
-        region: String
+        region: LazyAsyncValue<String>,
     ): CredentialsProvider = StsAssumeRoleCredentialsProvider(
         credentialsProvider = StaticCredentialsProvider(creds),
         roleArn = roleArn,
-        region = region,
+        region = region.get(),
         roleSessionName = sessionName,
         externalId = externalId,
         httpClientEngine = httpClientEngine
diff --git a/aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProviderTest.kt b/aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProviderTest.kt
@@ -22,7 +22,6 @@ class ProfileCredentialsProviderTest {
             fs = mapOf(
                 "config" to """
                 [default]
-                region = us-east-2
                 aws_access_key_id = AKID-Default
                 aws_secret_access_key = Default-Secret
                 """.trimIndent()
@@ -50,7 +49,6 @@ class ProfileCredentialsProviderTest {
                 aws_secret_access_key = Default-Secret
                 
                 [profile my-profile]
-                region = us-east-2
                 aws_access_key_id = AKID-Profile
                 aws_secret_access_key = Profile-Secret
                 """.trimIndent()
@@ -74,7 +72,6 @@ class ProfileCredentialsProviderTest {
             env = mapOf(
                 "AWS_CONFIG_FILE" to "config",
                 "AWS_PROFILE" to "my-profile",
-                "AWS_REGION" to "us-west-1"
             ),
             fs = mapOf(
                 "config" to """
