Difficult to diagnose CredentialProvider failures

[cprice404]

Describe the bug

When I instantiate and attempt to consume a service client, and there is some issue with the credential providers that causes authentication to fail, the failure is opaque and difficult to diagnose.

Expected Behavior

In the Java SDKs, if there is an auth failure in the CredentialProvider chain, an exception is thrown with a very detailed error message indicating which providers it attempted to use to authenticate and why each of them failed. This behavior is pretty crucial for debugging purposes.

Current Behavior

Even with logging at TRACE, this is all the output I see when my auth fails:

02:09:12.668 PM TRC sdkRequestId: 3f91daca-a33e-47d8-8e12-1b4be01a186d; service: EC2; operation: DescribeLaunchTemplates; - request serialized in 11.929645ms
Exception in thread "main" java.lang.RuntimeException: Failed to get a valid set of credentials
	at software.amazon.awssdk.crt.auth.credentials.CredentialsProvider.onGetCredentialsComplete(CredentialsProvider.java:46)

(BTW, the debugging instructions link in your issue template is a 404.)
http://github.com/aws-sdk-kotlin/tree/main/docs/debugging.md

Steps to Reproduce

// Make sure you don't have any default credentials set up, either via
//  ~/.aws/config or ~/.aws/credentials or env vars.
val ec2Client = Ec2Client { region = "us-west-2" }
ec2Client.describeAvailabilityZones(DescribeAvailabilityZonesRequest {})

Possible Solution

Add log messages indicating which providers were attempted and why they failed.

Related question: how do I know which providers are currently supported? Is SSO supported?
What about profiles with the credential_process configured?

Context

I am trying to do dev work where I run some SDK code on my laptop and have it make API calls
up to my AWS account. We do not use static credentials nor default profiles, so my auth info
is currently all provided via sso/credential_process config inside of profiles in ~/.aws/config.

Your Environment

• AWS Kotlin SDK version used: 0.8.0-alpha
• Platform (JVM/JS/Native): JVM
• Operating System and version: OSX Big Sur (x86)

[aajtodd]

@cprice404 Thanks for the report.

I believe all of the credentials providers except for SSO and credential process are available at this point. When not configured explicitly a DefaultChainCredentialsProvider instance is used. The default chain includes Environment, Profile, IMDS, and ECS providers. The default chain is currently implemented in the AWS CRT (common runtime) which is a native C library. You can get messages from the CRT by setting some additional system properties before initializing any clients. See debugging for more information on how to do that.

We do have an issue open to look into implementing the chain ourselves for a different reason. If we go that route it would provide an opportunity to provide more detailed exception messages about the providers attempted.

We'll continue to look into what we can do to improve the status quo though.

[cprice404]

Thanks @aajtodd . (BTW, the debugging instructions link in your issue template is a 404: http://github.com/aws-sdk-kotlin/tree/main/docs/debugging.md , presumably you intended for it to link to that link you pasted above, so it's missing awslabs .)

[aajtodd]

Thank-you for letting us know. Will fix the link now

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.