aws · 0marperez · Nov 19, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
@@ -0,0 +1,5 @@
+{
+    "id": "930c7904-1735-466b-9acc-c46e960c26c9",
+    "type": "feature",
+    "description": "Adds a new credentials provider for AWS Login token authentication"
+}
@@ -8,4 +8,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Minor version bump check
-        uses: awslabs/aws-kotlin-repo-tools/.github/actions/minor-version-bump@main
+        uses: aws/aws-kotlin-repo-tools/.github/actions/minor-version-bump@main
@@ -28,7 +28,7 @@ jobs:
           env-vars-for-codebuild: GITHUB_REPOSITORY, UPLOAD, RELEASE_METRICS, IDENTIFIER
 
       - name: Process metrics
-        uses: awslabs/aws-kotlin-repo-tools/.github/actions/artifact-size-metrics/download-and-process@main
+        uses: aws/aws-kotlin-repo-tools/.github/actions/artifact-size-metrics/download-and-process@main
         with:
           download: 'true'
 
@@ -49,4 +49,3 @@ concurrency:
 permissions:
   id-token: write
   contents: read
-
@@ -92,11 +92,27 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/InvalidJsonCredential
 	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/Throwable;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 }
 
+public final class aws/sdk/kotlin/runtime/auth/credentials/InvalidLoginTokenException : aws/sdk/kotlin/runtime/ConfigurationException {
+	public fun <init> (Ljava/lang/String;Ljava/lang/Throwable;)V
+	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/Throwable;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+}
+
 public final class aws/sdk/kotlin/runtime/auth/credentials/InvalidSsoTokenException : aws/sdk/kotlin/runtime/ConfigurationException {
 	public fun <init> (Ljava/lang/String;Ljava/lang/Throwable;)V
 	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/Throwable;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 }
 
+public final class aws/sdk/kotlin/runtime/auth/credentials/LoginCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CloseableCredentialsProvider {
+	public fun <init> (Ljava/lang/String;Ljava/lang/String;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/time/Clock;)V
+	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/String;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/time/Clock;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun close ()V
+	public final fun getHttpClient ()Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;
+	public final fun getLoginSession ()Ljava/lang/String;
+	public final fun getPlatformProvider ()Laws/smithy/kotlin/runtime/util/PlatformProvider;
+	public final fun getRegion ()Ljava/lang/String;
+	public fun resolve (Laws/smithy/kotlin/runtime/collections/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+}
+
 public final class aws/sdk/kotlin/runtime/auth/credentials/ProcessCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider {
 	public fun <init> (Ljava/lang/String;Laws/smithy/kotlin/runtime/util/PlatformProvider;JJ)V
 	public synthetic fun <init> (Ljava/lang/String;Laws/smithy/kotlin/runtime/util/PlatformProvider;JJILkotlin/jvm/internal/DefaultConstructorMarker;)V
@@ -237,6 +253,63 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/internal/ManagedCrede
 	public static final fun manage (Laws/smithy/kotlin/runtime/auth/awscredentials/CloseableCredentialsProvider;)Laws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider;
 }
 
+public abstract class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field Companion Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$Companion;
+	public abstract fun getValue ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$AuthcodeExpired : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$AuthcodeExpired;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$Companion {
+	public final fun fromValue (Ljava/lang/String;)Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode;
+	public final fun values ()Ljava/util/List;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$InsufficientPermissions : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$InsufficientPermissions;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$InvalidRequest : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$InvalidRequest;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$SdkUnknown : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public fun <init> (Ljava/lang/String;)V
+	public final fun component1 ()Ljava/lang/String;
+	public final fun copy (Ljava/lang/String;)Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$SdkUnknown;
+	public static synthetic fun copy$default (Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$SdkUnknown;Ljava/lang/String;ILjava/lang/Object;)Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$SdkUnknown;
+	public fun equals (Ljava/lang/Object;)Z
+	public fun getValue ()Ljava/lang/String;
+	public fun hashCode ()I
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$ServerError : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$ServerError;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$TokenExpired : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$TokenExpired;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$UserCredentialsChanged : aws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode {
+	public static final field INSTANCE Laws/sdk/kotlin/runtime/auth/credentials/internal/signin/model/OAuth2ErrorCode$UserCredentialsChanged;
+	public fun getValue ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
 public abstract class aws/sdk/kotlin/runtime/config/AbstractAwsSdkClientFactory : aws/smithy/kotlin/runtime/client/AbstractSdkClientFactory {
 	public fun <init> ()V
 	protected fun finalizeEnvironmentalConfig (Laws/smithy/kotlin/runtime/client/SdkClient$Builder;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Laws/smithy/kotlin/runtime/util/LazyAsyncValue;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;

@@ -76,6 +76,7 @@ dependencies {
     codegen(project(":codegen:aws-sdk-codegen"))
     codegen(libs.smithy.cli)
     codegen(libs.smithy.model)
+    codegen(libs.smithy.aws.smoke.test.model)
 }
 
 smithyBuild {
@@ -188,6 +189,41 @@ smithyBuild {
             """,
             )
         }
+
+        create("signin-credentials-provider") {
+            imports = listOf(
+                awsModelFile("signin.json"),
+            )
+
+            val serviceShape = "com.amazonaws.signin#Signin"
+            smithyKotlinPlugin {
+                serviceShapeId = serviceShape
+                packageName = "$basePackage.signin"
+                packageVersion = project.version.toString()
+                packageDescription = "Internal Signin credentials provider"
+                sdkId = "Signin"
+                buildSettings {
+                    generateDefaultBuildFiles = false
+                    generateFullProject = false
+                }
+                apiSettings {
+                    visibility = "internal"
+                }
+            }
+
+            transforms = listOf(
+                """
+            {
+                "name": "awsSmithyKotlinIncludeOperations",
+                "args": {
+                    "operations": [
+                        "com.amazonaws.signin#CreateOAuth2Token"
+                    ]
+                }
+            }
+            """,
+            )
+        }
     }
 }
 

@@ -0,0 +1,96 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.sdk.kotlin.runtime.auth.credentials
+
+import aws.sdk.kotlin.runtime.auth.credentials.internal.signin.SigninClient
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.withBusinessMetric
+import aws.smithy.kotlin.runtime.auth.awscredentials.CloseableCredentialsProvider
+import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
+import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
+import aws.smithy.kotlin.runtime.collections.Attributes
+import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
+import aws.smithy.kotlin.runtime.telemetry.logging.logger
+import aws.smithy.kotlin.runtime.time.Clock
+import aws.smithy.kotlin.runtime.util.PlatformProvider
+import kotlinx.coroutines.runBlocking
+import kotlin.coroutines.coroutineContext
+
+/**
+ * [CredentialsProvider] that uses AWS Login to source credentials.
+ *
+ * The provider does not initiate or perform the AWS Login flow. It is expected that you have
+ * already performed the login flow using the AWS CLI (`aws login`). The provider
+ * expects a valid non-expired access token for the AWS Login session in `~/.aws/login/cache` or
+ * the directory specified by the `AWS_LOGIN_CACHE_DIRECTORY` environment variable.
+ * If a cached token is not found, is expired, or the file is malformed an exception will be thrown.
+ *
+ * **Instantiating AWS Login provider directly**
+ *
+ * You can programmatically construct the AWS Login provider in your application, and provide the necessary
+ * information to load and retrieve temporary credentials using an access token from `~/.aws/login/cache` or
+ * the directory specified by the `AWS_LOGIN_CACHE_DIRECTORY` environment variable.
+ *
+ * ```
+ * // Wrap the provider with a caching provider to cache the credentials until their expiration time
+ * val loginProvider = LoginCredentialsProvider(
+ *      loginSession = "my-login-session"
+ * ).cached()
+ * ```
+ * It is important that you wrap the provider with [CachedCredentialsProvider] if you are programmatically constructing
+ * the provider directly. This prevents your application from accessing the cached access token and requesting new
+ * credentials each time the provider is used to source credentials.
+ *
+ * @param loginSession The Login Session from the profile
+ * @param region The AWS region used to call the log in service.
+ * @param httpClient The [HttpClientEngine] instance to use to make requests. NOTE: This engine's resources and lifetime
+ * are NOT managed by the provider. Caller is responsible for closing.
+ * @param platformProvider The platform provider
+ * @param clock The source of time for the provider
+ */
+public class LoginCredentialsProvider public constructor(
+    public val loginSession: String,
+    public val region: String? = null,
+    public val httpClient: HttpClientEngine? = null,
+    public val platformProvider: PlatformProvider = PlatformProvider.System,
+    private val clock: Clock = Clock.System,
+) : CloseableCredentialsProvider {
+    private val cacheDirectory = resolveCacheDir(platformProvider)
+    private val client = runBlocking { signinClient(region, httpClient) }
+
+    override suspend fun resolve(attributes: Attributes): Credentials {
+        val logger = coroutineContext.logger<LoginCredentialsProvider>()
+
+        val loginTokenProvider =
+            LoginTokenProvider(
+                loginSession,
+                region,
+                httpClient = httpClient,
+                platformProvider = platformProvider,
+                clock = clock,
+                cacheDirectory = cacheDirectory,
+                client = client,
+            )
+
+        logger.trace { "Attempting to load token using token provider for login-session: `$loginSession`" }
+        val creds = loginTokenProvider.resolve(attributes)
+
+        return creds.withBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_LOGIN)
+    }
+
+    override fun close() {
+        client.close()
+    }
+}
+
+internal fun resolveCacheDir(platformProvider: PlatformProvider) =
+    platformProvider.getenv("AWS_LOGIN_IN_CACHE_DIRECTORY") ?: platformProvider.filepath("~", ".aws", "login", "cache")
+
+internal suspend fun signinClient(providedRegion: String? = null, providedHttpClient: HttpClientEngine? = null) =
+    SigninClient.fromEnvironment {
+        region = providedRegion
+        httpClient = providedHttpClient
+    }