aws · zoewangg · Oct 17, 2025 · Oct 14, 2025
@@ -0,0 +1,6 @@
+{
+    "type": "removal",
+    "category": "AWS SDK for Java v2 Codegenerator",
+    "contributor": "",
+    "description": "Remove `useSraAuth` setting from customization config."
+}
@@ -287,11 +287,6 @@ public class CustomizationConfig {
      */
     private boolean requiredTraitValidationEnabled = false;
 
-    /**
-     * Whether SRA based auth logic should be used.
-     */
-    private boolean useSraAuth = true;
-
     /**
      * Whether to generate auth scheme params based on endpoint params.
      */
@@ -834,16 +829,6 @@ public void setRequiredTraitValidationEnabled(boolean requiredTraitValidationEna
         this.requiredTraitValidationEnabled = requiredTraitValidationEnabled;
     }
 
-    public void setUseSraAuth(boolean useSraAuth) {
-        this.useSraAuth = useSraAuth;
-    }
-
-    // TODO(post-sra-identity-auth): Remove this customization and all related switching logic, keeping only the
-    //  useSraAuth==true branch going forward.
-    public boolean useSraAuth() {
-        return useSraAuth;
-    }
-
     public void setEnableEndpointAuthSchemeParams(boolean enableEndpointAuthSchemeParams) {
         this.enableEndpointAuthSchemeParams = enableEndpointAuthSchemeParams;
     }

@@ -31,14 +31,12 @@
 public final class AuthSchemeSpecUtils {
     private static final Set<String> DEFAULT_AUTH_SCHEME_PARAMS = setOf("region", "operation");
     private final IntermediateModel intermediateModel;
-    private final boolean useSraAuth;
     private final Set<String> allowedEndpointAuthSchemeParams;
     private final boolean allowedEndpointAuthSchemeParamsConfigured;
 
     public AuthSchemeSpecUtils(IntermediateModel intermediateModel) {
         this.intermediateModel = intermediateModel;
         CustomizationConfig customization = intermediateModel.getCustomizationConfig();
-        this.useSraAuth = customization.useSraAuth();
         if (customization.getAllowedEndpointAuthSchemeParamsConfigured()) {
             this.allowedEndpointAuthSchemeParams = Collections.unmodifiableSet(
                 new HashSet<>(customization.getAllowedEndpointAuthSchemeParams()));
@@ -49,10 +47,6 @@ public AuthSchemeSpecUtils(IntermediateModel intermediateModel) {
         }
     }
 
-    public boolean useSraAuth() {
-        return useSraAuth;
-    }
-
     private String basePackage() {
         return intermediateModel.getMetadata().getFullAuthSchemePackageName();
     }

@@ -40,18 +40,15 @@
 import javax.lang.model.element.Modifier;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.auth.credentials.TokenUtils;
-import software.amazon.awssdk.auth.signer.Aws4Signer;
 import software.amazon.awssdk.auth.token.credentials.StaticTokenProvider;
 import software.amazon.awssdk.auth.token.credentials.aws.DefaultAwsTokenProvider;
-import software.amazon.awssdk.auth.token.signer.aws.BearerTokenSigner;
 import software.amazon.awssdk.awscore.auth.AuthSchemePreferenceResolver;
 import software.amazon.awssdk.awscore.client.builder.AwsDefaultClientBuilder;
 import software.amazon.awssdk.awscore.client.config.AwsClientOption;
 import software.amazon.awssdk.awscore.endpoint.AwsClientEndpointProvider;
 import software.amazon.awssdk.codegen.internal.Utils;
 import software.amazon.awssdk.codegen.model.intermediate.IntermediateModel;
 import software.amazon.awssdk.codegen.model.intermediate.OperationModel;
-import software.amazon.awssdk.codegen.model.service.AuthType;
 import software.amazon.awssdk.codegen.model.service.ClientContextParam;
 import software.amazon.awssdk.codegen.poet.ClassSpec;
 import software.amazon.awssdk.codegen.poet.PoetExtension;
@@ -72,7 +69,6 @@
 import software.amazon.awssdk.core.checksums.RequestChecksumCalculationResolver;
 import software.amazon.awssdk.core.checksums.ResponseChecksumValidation;
 import software.amazon.awssdk.core.checksums.ResponseChecksumValidationResolver;
-import software.amazon.awssdk.core.client.config.SdkAdvancedClientOption;
 import software.amazon.awssdk.core.client.config.SdkClientConfiguration;
 import software.amazon.awssdk.core.client.config.SdkClientOption;
 import software.amazon.awssdk.core.endpointdiscovery.providers.DefaultEndpointDiscoveryProviderChain;
@@ -81,7 +77,6 @@
 import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
 import software.amazon.awssdk.core.interceptor.SdkInternalExecutionAttribute;
 import software.amazon.awssdk.core.retry.RetryMode;
-import software.amazon.awssdk.core.signer.Signer;
 import software.amazon.awssdk.http.Protocol;
 import software.amazon.awssdk.http.ProtocolNegotiation;
 import software.amazon.awssdk.http.SdkHttpConfigurationOption;
@@ -147,15 +142,13 @@ public TypeSpec poetSpec() {
                                       .build());
         }
 
-        if (authSchemeSpecUtils.useSraAuth()) {
-            builder.addField(FieldSpec.builder(ParameterizedTypeName.get(ClassName.get(Map.class),
-                                                                         ClassName.get(String.class),
-                                                                         GENERIC_AUTH_SCHEME_TYPE),
-                                               "additionalAuthSchemes")
-                                      .addModifiers(PRIVATE, FINAL)
-                                      .initializer("new $T<>()", HashMap.class)
-                                      .build());
-        }
+        builder.addField(FieldSpec.builder(ParameterizedTypeName.get(ClassName.get(Map.class),
+                                                                     ClassName.get(String.class),
+                                                                     GENERIC_AUTH_SCHEME_TYPE),
+                                           "additionalAuthSchemes")
+                                  .addModifiers(PRIVATE, FINAL)
+                                  .initializer("new $T<>()", HashMap.class)
+                                  .build());
 
         builder.addMethod(serviceEndpointPrefixMethod());
         builder.addMethod(serviceNameMethod());
@@ -164,18 +157,13 @@ public TypeSpec poetSpec() {
         mergeInternalDefaultsMethod().ifPresent(builder::addMethod);
 
         builder.addMethod(finalizeServiceConfigurationMethod());
-        if (!authSchemeSpecUtils.useSraAuth()) {
-            defaultAwsAuthSignerMethod().ifPresent(builder::addMethod);
-        }
         builder.addMethod(signingNameMethod());
         builder.addMethod(defaultEndpointProviderMethod());
 
-        if (authSchemeSpecUtils.useSraAuth()) {
-            builder.addMethod(authSchemeProviderMethod());
-            builder.addMethod(defaultAuthSchemeProviderMethod());
-            builder.addMethod(putAuthSchemeMethod());
-            builder.addMethod(authSchemesMethod());
-        }
+        builder.addMethod(authSchemeProviderMethod());
+        builder.addMethod(defaultAuthSchemeProviderMethod());
+        builder.addMethod(putAuthSchemeMethod());
+        builder.addMethod(authSchemesMethod());
 
         if (hasRequestAlgorithmMember(model)) {
             builder.addMethod(requestChecksumCalculationMethod());
@@ -206,9 +194,6 @@ public TypeSpec poetSpec() {
 
         if (AuthUtils.usesBearerAuth(model)) {
             builder.addMethod(defaultBearerTokenProviderMethod());
-            if (!authSchemeSpecUtils.useSraAuth()) {
-                builder.addMethod(defaultTokenAuthSignerMethod());
-            }
         }
         addServiceHttpConfigIfNeeded(builder, model);
         builder.addMethod(invokePluginsMethod());
@@ -249,15 +234,6 @@ private MethodSpec signingNameMethod() {
                          .build();
     }
 
-    private Optional<MethodSpec> defaultAwsAuthSignerMethod() {
-        return awsAuthSignerDefinitionMethodBody().map(body -> MethodSpec.methodBuilder("defaultSigner")
-                                                                         .returns(Signer.class)
-                                                                         .addModifiers(PRIVATE)
-                                                                         .addCode(body)
-                                                                         .build());
-
-    }
-
     private MethodSpec serviceEndpointPrefixMethod() {
         return MethodSpec.methodBuilder("serviceEndpointPrefix")
                          .addAnnotation(Override.class)
@@ -288,14 +264,10 @@ private MethodSpec mergeServiceDefaultsMethod() {
         builder.beginControlFlow("return config.merge(c -> ");
         builder.addCode("c.option($T.ENDPOINT_PROVIDER, defaultEndpointProvider())", SdkClientOption.class);
 
-        if (authSchemeSpecUtils.useSraAuth()) {
-            if (!model.getCustomizationConfig().isEnableEnvironmentBearerToken()) {
-                builder.addCode(".option($T.AUTH_SCHEME_PROVIDER, defaultAuthSchemeProvider(config))", SdkClientOption.class);
-            }
-            builder.addCode(".option($T.AUTH_SCHEMES, authSchemes())", SdkClientOption.class);
-        } else if (defaultAwsAuthSignerMethod().isPresent()) {
-            builder.addCode(".option($T.SIGNER, defaultSigner())\n", SdkAdvancedClientOption.class);
+        if (!model.getCustomizationConfig().isEnableEnvironmentBearerToken()) {
+            builder.addCode(".option($T.AUTH_SCHEME_PROVIDER, defaultAuthSchemeProvider(config))", SdkClientOption.class);
         }
+        builder.addCode(".option($T.AUTH_SCHEMES, authSchemes())", SdkClientOption.class);
         builder.addCode(".option($T.CRC32_FROM_COMPRESSED_DATA_ENABLED, $L)\n",
                         SdkClientOption.class, crc32FromCompressedDataEnabled);
 
@@ -309,9 +281,6 @@ private MethodSpec mergeServiceDefaultsMethod() {
             builder.addCode(".lazyOption($1T.TOKEN_PROVIDER, p -> $2T.toSdkTokenProvider(p.get($1T.TOKEN_IDENTITY_PROVIDER)))",
                             AwsClientOption.class, TokenUtils.class);
             builder.addCode(".option($T.TOKEN_IDENTITY_PROVIDER, defaultTokenProvider())\n", AwsClientOption.class);
-            if (!authSchemeSpecUtils.useSraAuth()) {
-                builder.addCode(".option($T.TOKEN_SIGNER, defaultTokenSigner())", SdkAdvancedClientOption.class);
-            }
         }
         builder.addStatement("");
 
@@ -323,14 +292,6 @@ private MethodSpec mergeServiceDefaultsMethod() {
     }
 
     private void configureEnvironmentBearerToken(MethodSpec.Builder builder) {
-        if (!authSchemeSpecUtils.useSraAuth()) {
-            ValidationEntry entry = ValidationEntry.create(ValidationErrorId.INVALID_CODEGEN_CUSTOMIZATION,
-                                                           ValidationErrorSeverity.DANGER,
-                                                           "The enableEnvironmentBearerToken customization requires"
-                                                           + " the useSraAuth customization but it is disabled.");
-
-            throw ModelInvalidException.fromEntry(entry);
-        }
         if (!AuthUtils.usesBearerAuth(model)) {
             ValidationEntry entry =
                 ValidationEntry.create(ValidationErrorId.INVALID_CODEGEN_CUSTOMIZATION,
@@ -409,9 +370,7 @@ private MethodSpec finalizeServiceConfigurationMethod() {
 
         List<ClassName> builtInInterceptors = new ArrayList<>();
 
-        if (authSchemeSpecUtils.useSraAuth()) {
-            builtInInterceptors.add(authSchemeSpecUtils.authSchemeInterceptor());
-        }
+        builtInInterceptors.add(authSchemeSpecUtils.authSchemeInterceptor());
         builtInInterceptors.add(endpointRulesSpecUtils.resolverInterceptorName());
         builtInInterceptors.add(endpointRulesSpecUtils.requestModifierInterceptorName());
 
@@ -827,32 +786,6 @@ private CodeBlock serviceSpecificHttpConfigMethodBody(String serviceDefaultFqcn,
         return builder.build();
     }
 
-    private Optional<CodeBlock> awsAuthSignerDefinitionMethodBody() {
-        AuthType authType = model.getMetadata().getAuthType();
-        switch (authType) {
-            case V4:
-                return Optional.of(v4SignerDefinitionMethodBody());
-            case S3:
-            case S3V4:
-                return Optional.of(s3SignerDefinitionMethodBody());
-            case BEARER:
-            case NONE:
-                return Optional.empty();
-            default:
-                throw new UnsupportedOperationException("Unsupported signer type: " + authType);
-        }
-    }
-
-    private CodeBlock v4SignerDefinitionMethodBody() {
-        return CodeBlock.of("return $T.create();", Aws4Signer.class);
-    }
-
-
-    private CodeBlock s3SignerDefinitionMethodBody() {
-        return CodeBlock.of("return $T.create();\n",
-                            ClassName.get("software.amazon.awssdk.auth.signer", "AwsS3V4Signer"));
-    }
-
     private MethodSpec defaultEndpointProviderMethod() {
         return MethodSpec.methodBuilder("defaultEndpointProvider")
                          .addModifiers(PRIVATE)
@@ -961,14 +894,6 @@ private MethodSpec defaultBearerTokenProviderMethod() {
                          .build();
     }
 
-    private MethodSpec defaultTokenAuthSignerMethod() {
-        return MethodSpec.methodBuilder("defaultTokenSigner")
-                         .returns(Signer.class)
-                         .addModifiers(PRIVATE)
-                         .addStatement("return $T.create()", BearerTokenSigner.class)
-                         .build();
-    }
-
     private MethodSpec authSchemesMethod() {
         TypeName returns = ParameterizedTypeName.get(ClassName.get(Map.class), ClassName.get(String.class),
                                                      ParameterizedTypeName.get(ClassName.get(AuthScheme.class),
@@ -1133,21 +1058,7 @@ private MethodSpec validateClientOptionsMethod() {
                                                .addParameter(SdkClientConfiguration.class, "c")
                                                .returns(void.class);
 
-        if (AuthUtils.usesAwsAuth(model) && !authSchemeSpecUtils.useSraAuth()) {
-            builder.addStatement("$T.notNull(c.option($T.SIGNER), $S)",
-                                 Validate.class,
-                                 SdkAdvancedClientOption.class,
-                                 "The 'overrideConfiguration.advancedOption[SIGNER]' must be configured in the client builder.");
-        }
-
         if (AuthUtils.usesBearerAuth(model)) {
-            if (!authSchemeSpecUtils.useSraAuth()) {
-                builder.addStatement("$T.notNull(c.option($T.TOKEN_SIGNER), $S)",
-                                     Validate.class,
-                                     SdkAdvancedClientOption.class,
-                                     "The 'overrideConfiguration.advancedOption[TOKEN_SIGNER]' "
-                                     + "must be configured in the client builder.");
-            }
             builder.addStatement("$T.notNull(c.option($T.TOKEN_IDENTITY_PROVIDER), $S)",
                                  Validate.class,
                                  AwsClientOption.class,