Add feature IDs for credential providers (#3717)

Author: dscpinheiro

sdk/src/Core/Amazon.Runtime/CredentialManagement/AWSCredentialsFactory.cs

@@ -12,17 +12,17 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
-using Amazon.Runtime.Internal;
 using Amazon.Runtime.CredentialManagement.Internal;
+using Amazon.Runtime.Credentials.Internal;
+using Amazon.Runtime.Internal.Settings;
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Util;
+using Amazon.Util.Internal;
 using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
 using System.Linq;
-using Amazon.Runtime.Credentials.Internal;
-using Amazon.Runtime.Internal.Settings;
-using Amazon.Util.Internal;
 
 namespace Amazon.Runtime.CredentialManagement
 {
@@ -202,7 +202,9 @@ private static AWSCredentials GetAWSCredentialsInternal(
                 switch (profileType)
                 {
                     case CredentialProfileType.Basic:
-                        return  new BasicAWSCredentials(options.AccessKey, options.SecretKey, options.AwsAccountId);
+                        var basicCredentials = new BasicAWSCredentials(options.AccessKey, options.SecretKey, options.AwsAccountId);
+                        basicCredentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROFILE);
+                        return basicCredentials;
                     case CredentialProfileType.Session:
                         return new SessionAWSCredentials(options.AccessKey, options.SecretKey, options.Token, options.AwsAccountId);
                     case CredentialProfileType.AssumeRole:
@@ -249,7 +251,11 @@ private static AWSCredentials GetAWSCredentialsInternal(
                             ExternalId = options.ExternalID,
                             MfaSerialNumber = options.MfaSerial
                         };
-                        return new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions);
+
+                        var assumeRoleCredentials = new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions);
+                        assumeRoleCredentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROFILE_SOURCE_PROFILE);
+                        return assumeRoleCredentials;
+                    
                     case CredentialProfileType.AssumeRoleCredentialSource:
                     case CredentialProfileType.AssumeRoleCredentialSourceSessionName:
                         // get credentials specified by credentialSource
@@ -269,10 +275,16 @@ private static AWSCredentials GetAWSCredentialsInternal(
 
                         roleSessionName = options.RoleSessionName ?? RoleSessionNamePrefix + AWSSDKUtils.CorrectedUtcNow.Ticks;
                         assumeRoleOptions = new AssumeRoleAWSCredentialsOptions();
-                        return new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions);
+
+                        var assumeRoleSourceCredentials = new AssumeRoleAWSCredentials(sourceCredentials, options.RoleArn, roleSessionName, assumeRoleOptions);
+                        assumeRoleSourceCredentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROFILE_NAMED_PROVIDER);
+                        return assumeRoleSourceCredentials;
+                    
                     case CredentialProfileType.AssumeRoleWithWebIdentity:
                     case CredentialProfileType.AssumeRoleWithWebIdentitySessionName:
-                        return new AssumeRoleWithWebIdentityCredentials(options.WebIdentityTokenFile, options.RoleArn, options.RoleSessionName);
+                        var assumeRoleWebIdentityCredentials = new AssumeRoleWithWebIdentityCredentials(options.WebIdentityTokenFile, options.RoleArn, options.RoleSessionName);
+                        assumeRoleWebIdentityCredentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN);
+                        return assumeRoleWebIdentityCredentials;
 
                     case CredentialProfileType.SSO:
                     {
@@ -282,11 +294,11 @@ private static AWSCredentials GetAWSCredentialsInternal(
                             Scopes = options.SsoRegistrationScopes?.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(p => p.Trim()).ToList()
                         };
 
-                        return new SSOAWSCredentials(
-                            options.SsoAccountId, options.SsoRegion,
-                            options.SsoRoleName, options.SsoStartUrl,
-                            ssoCredentialsOptions
-                        );
+                        var isLegacyFormat = string.IsNullOrEmpty(options.SsoSession);
+                        var ssoCredentials = new SSOAWSCredentials(options.SsoAccountId, options.SsoRegion, options.SsoRoleName, options.SsoStartUrl, ssoCredentialsOptions);
+                        ssoCredentials.FeatureIdSources.Add(isLegacyFormat ? UserAgentFeatureId.CREDENTIALS_PROFILE_SSO_LEGACY : UserAgentFeatureId.CREDENTIALS_PROFILE_SSO);
+
+                        return ssoCredentials;
                     }
 
                     case CredentialProfileType.SAMLRole:
@@ -308,7 +320,9 @@ private static AWSCredentials GetAWSCredentialsInternal(
                             return ThrowOrReturnNull("Federated credentials are not available on this platform.", null, throwIfInvalid);
                         }
                     case CredentialProfileType.CredentialProcess:
-                        return new ProcessAWSCredentials(options.CredentialProcess, options.AwsAccountId);
+                        var processCredentials = new ProcessAWSCredentials(options.CredentialProcess, options.AwsAccountId);
+                        processCredentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROFILE_PROCESS);
+                        return processCredentials;
 
                     default:
                         var defaultMessage = profileName == null

sdk/src/Core/Amazon.Runtime/Credentials/AWSCredentials.cs

@@ -13,8 +13,9 @@
  * permissions and limitations under the License.
  */
 
-
 using Amazon.Runtime.Identity;
+using Amazon.Runtime.Internal.UserAgent;
+using System.Collections.Generic;
 
 namespace Amazon.Runtime
 {
@@ -23,6 +24,16 @@ namespace Amazon.Runtime
     /// </summary>
     public abstract class AWSCredentials : BaseIdentity
     {
+        /// <summary>
+        /// Internal property that can be used to specify how this instance of AWS credentials were resolved.
+        /// </summary>
+        /// <remarks>
+        /// Credential providers MUST add to this property to have their specific feature ID tracked.
+        /// <para />
+        /// If empty, no value will be included in the user agent header.
+        /// </remarks>
+        internal HashSet<UserAgentFeatureId> FeatureIdSources { get; set; } = new();
+
         /// <summary>
         /// Returns a copy of ImmutableCredentials
         /// </summary>

sdk/src/Core/Amazon.Runtime/Credentials/AssumeRoleAWSCredentials.cs

@@ -13,16 +13,17 @@
  * permissions and limitations under the License.
  */
 using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Runtime.SharedInterfaces;
 using Amazon.RuntimeDependencies;
 using Amazon.Util.Internal;
 using System;
+using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Net;
-using System.Diagnostics.CodeAnalysis;
-using ThirdParty.RuntimeBackports;
 using System.Threading.Tasks;
+using ThirdParty.RuntimeBackports;
 
 namespace Amazon.Runtime
 {
@@ -33,7 +34,6 @@ namespace Amazon.Runtime
     public class AssumeRoleAWSCredentials : RefreshingAWSCredentials
     {
         private RegionEndpoint DefaultSTSClientRegion = RegionEndpoint.USEast1;
-
         private Logger _logger = Logger.GetLogger(typeof(AssumeRoleAWSCredentials));
 
         /// <summary>
@@ -85,6 +85,7 @@ public AssumeRoleAWSCredentials(AWSCredentials sourceCredentials, string roleArn
             RoleArn = roleArn;
             RoleSessionName = roleSessionName;
             Options = options;
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_STS_ASSUME_ROLE);
 
             // Make sure to fetch new credentials well before the current credentials expire to avoid
             // any request being made with expired credentials.

sdk/src/Core/Amazon.Runtime/Credentials/AssumeRoleWithWebIdentityCredentials.cs

@@ -26,6 +26,7 @@
 using System.Net;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using Amazon.Runtime.Internal.UserAgent;
 
 namespace Amazon.Runtime
 {
@@ -65,6 +66,7 @@ public partial class AssumeRoleWithWebIdentityCredentials : RefreshingAWSCredent
         private AssumeRoleWithWebIdentityCredentialsOptions _options;
 
         #region Properties
+        
         /// <summary>
         /// The absolute path to the file on disk containing an OIDC token
         /// </summary>
@@ -79,7 +81,8 @@ public partial class AssumeRoleWithWebIdentityCredentials : RefreshingAWSCredent
         /// An identifier for the assumed role session.
         /// </summary>
         public string RoleSessionName { get; }
-#endregion Properties
+
+        #endregion Properties
 
         /// <summary>
         /// Constructs an AssumeRoleWithWebIdentityCredentials object.
@@ -122,6 +125,7 @@ public AssumeRoleWithWebIdentityCredentials(string webIdentityTokenFile, string
             RoleArn = roleArn;
             RoleSessionName = string.IsNullOrEmpty(roleSessionName) ? _roleSessionNameDefault : roleSessionName;
             _options = options;
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_STS_ASSUME_ROLE_WEB_ID);
 
             // Make sure to fetch new credentials well before the current credentials expire to avoid
             // any request being made with expired credentials.
@@ -138,7 +142,11 @@ public static AssumeRoleWithWebIdentityCredentials FromEnvironmentVariables()
             var webIdentityTokenFile = Environment.GetEnvironmentVariable(WebIdentityTokenFileEnvVariable);
             var roleArn = Environment.GetEnvironmentVariable(RoleArnEnvVariable);
             var roleSessionName = Environment.GetEnvironmentVariable(RoleSessionNameEnvVariable);
-            return new AssumeRoleWithWebIdentityCredentials(webIdentityTokenFile, roleArn, roleSessionName);
+
+            var credentials = new AssumeRoleWithWebIdentityCredentials(webIdentityTokenFile, roleArn, roleSessionName);
+            credentials.FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN);
+            
+            return credentials;
         }
 
         protected override CredentialsRefreshState GenerateNewCredentials()

sdk/src/Core/Amazon.Runtime/Credentials/BasicAWSCredentials.cs

@@ -13,6 +13,7 @@
  * permissions and limitations under the License.
  */
 
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Util;
 
@@ -29,10 +30,8 @@ public class BasicAWSCredentials : AWSCredentials
 
         #endregion
 
-
         #region Constructors
 
-
         /// <summary>
         /// Constructs a BasicAWSCredentials object for the specified accessKey and secretKey.
         /// </summary>
@@ -57,12 +56,12 @@ public BasicAWSCredentials(string accessKey, string secretKey, string accountId)
             if (!string.IsNullOrEmpty(accessKey))
             {
                 _credentials = new ImmutableCredentials(accessKey, secretKey, null, accountId);
+                FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_CODE);
             }
         }
 
         #endregion
 
-
         #region Abstract class overrides
 
         /// <summary>
@@ -92,7 +91,6 @@ public override bool Equals(object obj)
                 new object[] { _credentials },
                 new object[] { bac._credentials });
         }
-
         public override int GetHashCode()
         {
             return Hashing.Hash(_credentials);

sdk/src/Core/Amazon.Runtime/Credentials/DefaultInstanceProfileAWSCredentials.cs

@@ -12,6 +12,7 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Util;
 using System;
@@ -77,14 +78,18 @@ public static DefaultInstanceProfileAWSCredentials Instance
         private DefaultInstanceProfileAWSCredentials()
         {
             // if IMDS is turned off, no need to spin up the timer task
-            if (!EC2InstanceMetadata.IsIMDSEnabled) return;
+            if (!EC2InstanceMetadata.IsIMDSEnabled)
+            {
+                return;
+            }
 
             _logger = Logger.GetLogger(typeof(DefaultInstanceProfileAWSCredentials));
-            
             _credentialsRetrieverTimer = new Timer(RenewCredentials, null, TimeSpan.Zero, _neverTimespan); // This invokes synchronous calls in seperate thread.
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_IMDS);
         }
 
         #region Overrides
+        
         /// <summary>
         /// Returns a copy of the most recent instance profile credentials.
         /// </summary>
@@ -262,7 +267,8 @@ public override async Task<ImmutableCredentials> GetCredentialsAsync()
 
             return credentials;
         }
-#endregion
+
+        #endregion
 
         #region Private members
         private void RenewCredentials(object unused)
@@ -366,7 +372,8 @@ private static void CheckIsIMDSEnabled()
         }
 #endregion
 
-#region IDisposable Support
+        #region IDisposable Support
+
         private bool _isDisposed = false;
 
         protected virtual void Dispose(bool disposing)
@@ -395,6 +402,7 @@ public void Dispose()
             Dispose(true);
             GC.SuppressFinalize(this);
         }
-#endregion
+
+        #endregion
     }
 }

sdk/src/Core/Amazon.Runtime/Credentials/EnvironmentVariablesAWSCredentials.cs

@@ -12,6 +12,7 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using System;
 using System.Globalization;
@@ -56,6 +57,8 @@ public EnvironmentVariablesAWSCredentials()
 
             // We need to do an initial fetch to validate that we can use environment variables to get the credentials.
             FetchCredentials();
+
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_ENV_VARS);
         }
 
         #endregion

sdk/src/Core/Amazon.Runtime/Credentials/FederatedAWSCredentials.cs

@@ -14,20 +14,19 @@
  */
 
 using Amazon.Runtime.CredentialManagement;
-using Amazon.Runtime.Internal;
 using Amazon.Runtime.CredentialManagement.Internal;
+using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Runtime.SharedInterfaces;
-using Amazon.Util;
 using Amazon.RuntimeDependencies;
 using Amazon.Util.Internal;
-using ThirdParty.RuntimeBackports;
 using System;
 using System.Diagnostics.CodeAnalysis;
-using System.Collections.Generic;
 using System.Globalization;
 using System.Net;
 using System.Threading.Tasks;
+using ThirdParty.RuntimeBackports;
 
 namespace Amazon.Runtime
 {
@@ -45,7 +44,6 @@ public class FederatedAWSCredentials : RefreshingAWSCredentials
         private static readonly RegionEndpoint DefaultSTSClientRegion = RegionEndpoint.USEast1;
         private static readonly TimeSpan MaximumCredentialTimespan = TimeSpan.FromHours(1);
         private static readonly TimeSpan DefaultPreemptExpiryTime = TimeSpan.FromMinutes(15);
-
         private readonly SAMLRoleSessionManager sessionManager = new SAMLRoleSessionManager();
 
         /// <summary>
@@ -79,6 +77,7 @@ public FederatedAWSCredentials(SAMLEndpoint samlEndpoint, string roleArn,
             SAMLEndpoint = samlEndpoint ?? throw new ArgumentNullException("samlEndpoint");
             RoleArn = roleArn;
             PreemptExpiryTime = DefaultPreemptExpiryTime;
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_STS_FEDERATION_TOKEN);
         }
 
         /// <summary>

sdk/src/Core/Amazon.Runtime/Credentials/GenericContainerCredentials.cs

@@ -13,6 +13,7 @@
  * permissions and limitations under the License.
  */
 
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Util;
 using Amazon.Util.Internal;
 using System;
@@ -69,6 +70,7 @@ public GenericContainerCredentials()
         {
             PreemptExpiryTime = TimeSpan.FromMinutes(15);
             DetermineEndpoint();
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_HTTP);
         }
 
         protected override CredentialsRefreshState GenerateNewCredentials()

sdk/src/Core/Amazon.Runtime/Credentials/ProcessAWSCredentials.cs

@@ -19,6 +19,7 @@
 using System.Diagnostics;
 using System.Threading.Tasks;
 using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.UserAgent;
 using Amazon.Runtime.Internal.Util;
 using Amazon.Util.Internal;
 using System.Diagnostics.CodeAnalysis;
@@ -100,6 +101,8 @@ public ProcessAWSCredentials(string processCredentialInfo, string accountId)
             // Make sure to fetch new credentials well before the current credentials expire to avoid
             // any request being made with expired credentials.
             PreemptExpiryTime = TimeSpan.FromMinutes(15);
+
+            FeatureIdSources.Add(UserAgentFeatureId.CREDENTIALS_PROCESS);
         }
 
         #endregion