Conversation
Adds support for loading AWS credentials from shared config/credentials files and assembling them into a pluggable credential provider chain. New modules: - aws-config: SEP-conformant INI parser, profile data model, AwsConfigCredentialSource sealed types, handler SPI with ServiceLoader discovery, and built-in handlers for static keys, session keys, and credential_process. - aws-credential-chain: Credential provider chain with builtin slots, Before/After relative ordering, SPI-based provider discovery, cheap environment detection, and actionable error messages when implementation modules are missing. Changes to existing modules: - auth-api: Add CachingIdentityResolver with async background refresh, static stability support, injectable Clock and ScheduledExecutorService. Add invalidate() default method to IdentityResolver interface. Will be used by STS, SSO, etc. - aws-client-core: Add AwsCredentialChainPlugin ClientPlugin, register EnvironmentCredentialProvider and SystemPropertiesCredentialProvider as chain sources via SPI. Both now read AWS_ACCOUNT_ID / aws.accountId per the account ID SEP. - settings.gradle.kts: Include new modules. Architecture overview: - Data model (aws-config) is separated from resolution policy (chain). - Credential sources are detected cheaply from profile properties without needing implementation modules (STS, SSO, IMDS). - Handlers are discovered via ServiceLoader; missing handlers produce errors naming the dependency to add. - Chain ordering uses a fixed enum for builtins and simple Before/After insertion for third-party providers. - CachingIdentityResolver provides background refresh with a shared ScheduledExecutorService passed via ProviderContext. - invalidate() propagates through the chain to force credential refresh on auth failures. TODO items: add SSO, STS, IMDS, ECS, etc.
Allowing custom provider relative positioning around only builtins simplifies the design, removes the possibility of cycles, and removes the need for a topo sort. Also removing aliases.
Automatically add credential chain runtime plugin if AWS auth is used.
Reduces chain to a single, flat chain of fixed slots, including config based credentials.
sugmanue
reviewed
May 19, 2026
| StringBuilder missing = new StringBuilder(); | ||
| for (var i = 0; i < errors.size(); i += 2) { | ||
| if (i > 0) { | ||
| errors.add("; "); |
Contributor
There was a problem hiding this comment.
Suggested change
| errors.add("; "); | |
| missing.append("; "); |
Comment on lines
+12
to
+13
| * Fuzz test for the AWS config file parser. Ensures no input can cause unexpected exceptions, | ||
| * OOM, or infinite loops. The only acceptable exception is {@link ConfigFileParseException}. |
Contributor
There was a problem hiding this comment.
Nits
Suggested change
| * Fuzz test for the AWS config file parser. Ensures no input can cause unexpected exceptions, | |
| * OOM, or infinite loops. The only acceptable exception is {@link ConfigFileParseException}. | |
| * Fuzz test for the AWS config file parser. Helps detect when an input causes unexpected exceptions, | |
| * OOM, or infinite loops. The only acceptable exception is {@link ConfigFileParseException}. |
| String session = p.get("sso_session"); | ||
| String account = p.get("sso_account_id"); | ||
| String role = p.get("sso_role_name"); | ||
| if (session == null || session.isEmpty() |
Contributor
There was a problem hiding this comment.
Nit, a isNullOrEmpty helper will help reading this code.
| String homeDrive = envGetter.apply("HOMEDRIVE"); | ||
| String homePath = envGetter.apply("HOMEPATH"); | ||
| if (homeDrive != null && !homeDrive.isEmpty() && homePath != null && !homePath.isEmpty()) { | ||
| return Paths.get(homeDrive + homePath); |
Contributor
There was a problem hiding this comment.
I have no idea how windows work but this feels better.
Suggested change
| return Paths.get(homeDrive + homePath); | |
| return Paths.get(homeDrive).resolve(homePath); |
| } | ||
|
|
||
| private static java.util.Set<String> profileNameSet(AwsProfileFile file) { | ||
| java.util.Set<String> names = new java.util.LinkedHashSet<>(); |
Contributor
There was a problem hiding this comment.
Nit, replace FQN with import.
| } | ||
|
|
||
| private static List<String> buildCommand(String commandLine) { | ||
| if (System.getProperty("os.name", "").toLowerCase(Locale.ROOT).contains("windows")) { |
Contributor
There was a problem hiding this comment.
Nit, consider adding a helper to detect windows.
Comment on lines
+33
to
+36
| * <pre>{@code | ||
| * var chain = CredentialChain.create(); | ||
| * var result = chain.resolveIdentity(Context.empty()); | ||
| * }</pre> |
Contributor
There was a problem hiding this comment.
Suggested change
| * <pre>{@code | |
| * var chain = CredentialChain.create(); | |
| * var result = chain.resolveIdentity(Context.empty()); | |
| * }</pre> | |
| * {@snippet lang="java" : | |
| * var chain = CredentialChain.create(); | |
| * var result = chain.resolveIdentity(Context.empty()); | |
| * } |
|
|
||
| Services modeled with `@aws.auth#sigv4` or `@aws.auth#sigv4a` automatically get | ||
| `AwsCredentialChainPlugin` added as a default plugin during code generation. | ||
| No manual wiring needed - just add the provider modules you need to your |
| static final ShapeId STS_SERVICE = ShapeId.from("com.amazonaws.sts#AWSSecurityTokenServiceV20110615"); | ||
|
|
||
| private static final String STS_VERSION = "2011-06-15"; | ||
| private static final String DEFAULT_ENDPOINT = "https://sts.amazonaws.com"; |
Contributor
There was a problem hiding this comment.
Don't we need to support regional endpoints declared in env or profile? See here
Comment on lines
+23
to
+27
| * <pre>{@code | ||
| * MyClient.builder() | ||
| * .addPlugin(new AwsCredentialChainPlugin()) | ||
| * .build(); | ||
| * }</pre> |
Contributor
There was a problem hiding this comment.
Suggested change
| * <pre>{@code | |
| * MyClient.builder() | |
| * .addPlugin(new AwsCredentialChainPlugin()) | |
| * .build(); | |
| * }</pre> | |
| * {@snippet lang="java" : | |
| * MyClient.builder() | |
| * .addPlugin(new AwsCredentialChainPlugin()) | |
| * .build(); | |
| * } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add modular credential chain with pluggable provider discovery
Adds a modular AWS credential provider chain that separates credential detection from resolution, enabling independent artifact composition.
New modules:
Changes to existing modules:
SystemPropertiesCredentialProvider (both terminal — stop chain assembly when credentials are present).
Architecture:
TODO: STS, SSO, ECS, Login providers.
Example usage:
Credentials resolve automatically in order:
On Lambda, only aws-client-core is needed (env vars are terminal, nothing else is constructed):
dependencies { implementation("software.amazon.smithy.java:aws-client-core:1.1.0") implementation("software.amazon.smithy.java:aws-credential-chain:1.1.0") }