Add option to overwrite credential search order

Author: dscpinheiro

generator/.DevConfigs/5e8495c7-1b24-4446-98c3-4d744290694e.json

@@ -0,0 +1,9 @@
+{
+    "core": {
+        "updateMinimum": true,
+        "type": "Patch",
+        "changeLogMessages": [
+            "Add `AWSConfigs.AWSCredentialsGenerators` option so that a custom credential resolution order can be specified globally (matching the behavior from `FallbackCredentialsFactory.CredentialsGenerators`)"
+        ]
+    }
+}

sdk/src/Core/AWSConfigs.cs

@@ -28,6 +28,7 @@
 using System.Collections.Generic;
 using Amazon.Runtime;
 using Amazon.Runtime.Telemetry;
+using Amazon.Runtime.Credentials;
 
 namespace Amazon
 {
@@ -72,32 +73,23 @@ public static partial class AWSConfigs
     {
         #region Private static members
 
-        private static char[] validSeparators = new char[] { ' ', ',' };
-
         // Tests can override this DateTime source.
         internal static Func<DateTime> utcNowSource = GetUtcNow;
 
-        // Deprecated configs
         internal static string _awsRegion = GetConfig(AWSRegionKey);
         internal static string _awsProfileName = GetConfig(AWSProfileNameKey);
         internal static string _awsAccountsLocation = GetConfig(AWSProfilesLocationKey);
         internal static bool _useSdkCache = GetConfigBool(UseSdkCacheKey, defaultValue: true);
         internal static bool _initializeCollections = GetConfigBool(InitializeCollectionsKey, defaultValue: false);
-        // for reading from awsconfigs.xml
-        private static object _lock = new object();
-        private static List<string> standardConfigs = new List<string>() { "region", "logging", "correctForClockSkew" };
         private static TelemetryProvider _telemetryProvider = new DefaultTelemetryProvider();
 
-#pragma warning disable 414
-        private static bool configPresent = true;
-#pragma warning restore 414
-
 #if NET8_0_OR_GREATER
         internal static bool _disableDangerousDisablePathAndQueryCanonicalization = GetConfigBool(DisableDangerousDisablePathAndQueryCanonicalizationKey, defaultValue: false);
 #endif
 
         // New config section
-        private static RootConfig _rootConfig = new RootConfig();
+        private static readonly RootConfig _rootConfig = new();
+        
         #endregion
 
         #region Clock Skew
@@ -226,12 +218,12 @@ public static string AWSProfilesLocation
 
         /// <summary>
         /// Key for the StreamingUtf8JsonReaderBufferSize property.
-        /// <seealso cref="Amazon.AWSConfigs.StreamingUtf8JsonReaderBufferSize"/>"/>
+        /// <seealso cref="StreamingUtf8JsonReaderBufferSize"/>
         /// </summary>
         public const string StreamingUtf8JsonReaderBufferSizeKey = "StreamingUtf8JsonReaderBufferSize";
 
         /// <summary>
-        /// Configures the default buffer size for the the StreamingUtf8JsonReader/>
+        /// Configures the default buffer size for the the StreamingUtf8JsonReader
         /// used for buffering data from the stream passed into its constructor. If this isn't set, the SDK will default to 4096 bytes.
         /// 
         /// Setting this property is not thread safe and should only be set at application startup.
@@ -324,7 +316,32 @@ public static bool DisableDangerousDisablePathAndQueryCanonicalization
             set { _rootConfig.DisableDangerousDisablePathAndQueryCanonicalization = value; }
         }
 #endif
-#endregion
+        #endregion
+
+        #region CredentialsGenerators
+
+        /// <summary>
+        /// Global configuration option to override the search order for credentials when creating SDK service clients without credentials.
+        /// <para />
+        /// This option is equivalent to the <see cref="FallbackCredentialsFactory.CredentialsGenerators"/>, but it should only be used 
+        /// if the <a href="https://docs.aws.amazon.com/sdk-for-net/v4/developer-guide/creds-assign.html">default order</a> does not meet your application needs.
+        /// <para />
+        /// When set, all service clients will use the specified providers so you must guarantee they return valid
+        /// credentials for the operations to succeed.
+        /// <para />
+        /// Setting this property is not thread safe and should only be set at application startup.
+        /// </summary>
+        /// <remarks>
+        /// This option is only used in the <see cref="DefaultAWSCredentialsIdentityResolver"/>, it's not considered by the 
+        /// deprecated <see cref="FallbackCredentialsFactory"/> when resolving credentials.
+        /// </remarks>
+        public static List<DefaultAWSCredentialsIdentityResolver.CredentialsGenerator> AWSCredentialsGenerators
+        {
+            get { return _rootConfig.AWSCredentialsGenerators; }
+            set { _rootConfig.AWSCredentialsGenerators = value; }
+        }
+        
+        #endregion
 
         #region AWS Config Sections
 
@@ -462,48 +479,6 @@ private static bool GetConfigBool(string name, bool defaultValue = false)
             return defaultValue;
         }
 
-        private static T GetConfigEnum<T>(string name)
-        {
-            var type = typeof(T);
-            if (!type.IsEnum) throw new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, "Type {0} must be enum", type.FullName));
-
-            string value = GetConfig(name);
-            if (string.IsNullOrEmpty(value))
-                return default(T);
-            T result = ParseEnum<T>(value);
-            return result;
-        }
-
-        private static T ParseEnum<T>(string value)
-        {
-            T t;
-            if (TryParseEnum<T>(value, out t))
-                return t;
-            Type type = typeof(T);
-            string messageFormat = "Unable to parse value {0} as enum of type {1}. Valid values are: {2}";
-            string enumNames = string.Join(", ", Enum.GetNames(type));
-            throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, messageFormat, value, type.FullName, enumNames));
-        }
-
-        private static bool TryParseEnum<T>(string value, out T result)
-        {
-            result = default(T);
-
-            if (string.IsNullOrEmpty(value))
-                return false;
-
-            try
-            {
-                T t = (T)Enum.Parse(typeof(T), value, true);
-                result = t;
-                return true;
-            }
-            catch (ArgumentException)
-            {
-                return false;
-            }
-        }
-
         /// <summary>
         /// This method should never be called directly.
         /// Call AWSSDKUtils.CorrectedUtcNow instead.

sdk/src/Core/Amazon.Runtime/Credentials/DefaultAWSCredentialsIdentityResolver.cs

@@ -27,28 +27,35 @@
 namespace Amazon.Runtime.Credentials
 {
     /// <summary>
-    /// A resolver that provides an AWSCredentials identity. 
+    /// A resolver that provides an <see cref="AWSCredentials"/> identity.
+    /// <para />
+    /// The default search order used is described in the <a href="https://docs.aws.amazon.com/sdk-for-net/v4/developer-guide/creds-assign.html">
+    /// developer guide</a>, but it can be overwritten by setting the <see cref="AWSConfigs.AWSCredentialsGenerators"/> property.
     /// </summary>
     public class DefaultAWSCredentialsIdentityResolver : IIdentityResolver<AWSCredentials>
     {
         private const string AWS_PROFILE_ENVIRONMENT_VARIABLE = "AWS_PROFILE";
         private const string DEFAULT_PROFILE_NAME = "default";
 
+        /// <summary>
+        /// A method that should either return valid <see cref="AWSCredentials"/> or throw an exception (so
+        /// that the SDK can move on and attempt the next generator in the credential chain).
+        /// </summary>
+        public delegate AWSCredentials CredentialsGenerator();
+
         private static readonly ReaderWriterLockSlim _cachedCredentialsLock = new();
-        private delegate AWSCredentials CredentialsGenerator();
         private AWSCredentials _cachedCredentials;
         private readonly List<CredentialsGenerator> _credentialsGenerators;
         private readonly CredentialProfileStoreChain _credentialProfileChain = new();
         private readonly EnvironmentState _lastKnownEnvironmentState = new();
-
-        private static readonly Lazy<DefaultAWSCredentialsIdentityResolver> _defaultInstance = new Lazy<DefaultAWSCredentialsIdentityResolver>();
+        private static readonly Lazy<DefaultAWSCredentialsIdentityResolver> _defaultInstance = new();
 
         public DefaultAWSCredentialsIdentityResolver()
         {
             _cachedCredentials = null;
             _credentialsGenerators = new List<CredentialsGenerator>
             {
-#if BCL
+#if NETFRAMEWORK
                 () => new AppConfigAWSCredentials(), // Test explicit keys/profile name first.
 #endif
                 () => new EnvironmentVariablesAWSCredentials(), // Look for credentials set in environment vars.
@@ -144,8 +151,19 @@ private AWSCredentials InternalGetCredentials()
                     return _cachedCredentials;
                 }
 
+                List<CredentialsGenerator> providersToUse;
+                if (AWSConfigs.AWSCredentialsGenerators != null)
+                {
+                    Logger.GetLogger(typeof(DefaultAWSCredentialsIdentityResolver)).DebugFormat("Using custom credential search order defined in {0}", nameof(AWSConfigs));
+                    providersToUse = AWSConfigs.AWSCredentialsGenerators;
+                }
+                else 
+                {
+                    providersToUse = _credentialsGenerators;
+                }
+
                 List<Exception> errors = new List<Exception>();
-                foreach (CredentialsGenerator generator in _credentialsGenerators)
+                foreach (CredentialsGenerator generator in providersToUse)
                 {
                     try
                     {

sdk/src/Core/Amazon.Runtime/Credentials/FallbackCredentialsFactory.cs

@@ -13,6 +13,7 @@
  * permissions and limitations under the License.
  */
 using Amazon.Runtime.CredentialManagement;
+using Amazon.Runtime.Credentials;
 using Amazon.Runtime.Internal.Util;
 using System;
 using System.Collections.Generic;
@@ -40,6 +41,13 @@ static FallbackCredentialsFactory()
         }
 
         public delegate AWSCredentials CredentialsGenerator();
+
+        /// <summary>
+        /// When migrating to version 4 of the SDK the <see cref="DefaultAWSCredentialsIdentityResolver"/> will be the default identity resolver.
+        /// Changing this property will not affect global override for the default credential provider chain. 
+        /// <para />
+        /// To change the default credential provider chain use the the <see cref="AWSConfigs.AWSCredentialsGenerators"/> property.
+        /// </summary>
         public static List<CredentialsGenerator> CredentialsGenerators { get; set; }
 
         public static void Reset()

sdk/src/Core/Amazon.Util/Internal/RootConfig.cs

@@ -1,10 +1,7 @@
-using System;
+using Amazon.Runtime.Credentials;
 using System.Collections.Generic;
-using System.Linq;
-using System.Text;
 using System.Xml.Linq;
 
-
 namespace Amazon.Util.Internal
 {
     /// <summary>
@@ -53,6 +50,8 @@ public RegionEndpoint RegionEndpoint
         public bool DisableDangerousDisablePathAndQueryCanonicalization { get; set; }
 #endif
 
+        public List<DefaultAWSCredentialsIdentityResolver.CredentialsGenerator> AWSCredentialsGenerators { get; set; }
+
         private const string _rootAwsSectionName = "aws";
         public RootConfig()
         {