Merge branch 'main' into remove-unused-test-set

.github/workflows/ci.yml

@@ -2,9 +2,8 @@ name: CI
 
 on:
   push:
-    branches:
-      - '*'
-      - '!main'
+    branches-ignore:
+      - 'main'
 
 env:
   BUILDER_VERSION: v0.9.43

.github/workflows/handle-stale-discussions.yml

@@ -0,0 +1,18 @@
+name: HandleStaleDiscussions
+on:
+  schedule:
+    - cron: '0 */4 * * *'
+  discussion_comment:
+    types: [created]
+
+jobs:
+  handle-stale-discussions:
+    name: Handle stale discussions
+    runs-on: ubuntu-latest
+    permissions:
+      discussions: write
+    steps:
+      - name: Stale discussions action
+        uses: aws-github-ops/handle-stale-discussions@v1
+        env:
+          GITHUB_TOKEN:  ${{secrets.GITHUB_TOKEN}}

.github/workflows/stale_issue.yml

@@ -9,6 +9,9 @@ jobs:
   cleanup:
     runs-on: ubuntu-latest
     name: Stale issue job
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
     - uses: aws-actions/stale-issue-cleanup@v3
       with:
@@ -32,7 +35,7 @@ jobs:
         # Issue timing
         days-before-stale: 2
         days-before-close: 5
-        days-before-ancient: 365
+        days-before-ancient: 36500
 
         # If you don't want to mark a issue as being ancient based on a
         # threshold of "upvotes", you can set this here. An "upvote" is

CMakeLists.txt

@@ -54,13 +54,6 @@ if (WIN32)
         source_group("Header Files\\aws\\auth" FILES ${AWS_AUTH_HEADERS})
         source_group("Source Files" FILES ${AWS_AUTH_SRC})
     endif ()
-    set(PLATFORM_LIBS "")
-elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux")
-    set(PLATFORM_LIBS "")
-elseif (APPLE)
-    set(PLATFORM_LIBS "")
-elseif (CMAKE_SYSTEM_NAME STREQUAL "FreeBSD" OR CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
-    set(PLATFORM_LIBS "")
 endif()
 
 file(GLOB AUTH_HEADERS
@@ -96,7 +89,7 @@ aws_use_package(aws-c-sdkutils)
 aws_use_package(aws-c-cal)
 aws_use_package(aws-c-http)
 
-target_link_libraries(${PROJECT_NAME} PUBLIC ${DEP_AWS_LIBS} ${PLATFORM_LIBS})
+target_link_libraries(${PROJECT_NAME} PUBLIC ${DEP_AWS_LIBS})
 
 aws_prepare_shared_lib_exports(${PROJECT_NAME})
 

include/aws/auth/credentials.h

@@ -323,7 +323,7 @@ struct aws_credentials_provider_x509_options {
  * identity provider like Elastic Kubernetes Service
  * https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
  * The required parameters used in the request (region, roleArn, sessionName, tokenFilePath) are automatically resolved
- * by SDK from envrionment variables or config file.
+ * by SDK from envrionment variables or config file if not set.
  ---------------------------------------------------------------------------------
  | Parameter           | Environment Variable Name    | Config File Property Name |
  ----------------------------------------------------------------------------------
@@ -332,6 +332,10 @@ struct aws_credentials_provider_x509_options {
  | role_session_name   | AWS_ROLE_SESSION_NAME        | role_session_name         |
  | token_file_path     | AWS_WEB_IDENTITY_TOKEN_FILE  | web_identity_token_file   |
  |--------------------------------------------------------------------------------|
+ * The order of resolution is the following
+ * 1. Parameters
+ * 2. Environment Variables
+ * 3. Config File
  */
 struct aws_credentials_provider_sts_web_identity_options {
     struct aws_credentials_provider_shutdown_options shutdown_options;
@@ -355,6 +359,33 @@ struct aws_credentials_provider_sts_web_identity_options {
 
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
+
+    /*
+     * (Optional)
+     * Override of what profile to use, if not set, 'default' will be used.
+     */
+    struct aws_byte_cursor profile_name_override;
+
+    /*
+     * (Optional)
+     * Override of region, if not set, it will be resolved from env or profile.
+     */
+    struct aws_byte_cursor region;
+    /*
+     * (Optional)
+     * Override of role_arn, if not set, it will be resolved from env or profile.
+     */
+    struct aws_byte_cursor role_arn;
+    /*
+     * (Optional)
+     * Override of role_session_name, if not set, it will be resolved from env or profile.
+     */
+    struct aws_byte_cursor role_session_name;
+    /*
+     * (Optional)
+     * Override of token_file_path, if not set, it will be resolved from env or profile.
+     */
+    struct aws_byte_cursor token_file_path;
 };
 
 /*
@@ -467,7 +498,6 @@ struct aws_credentials_provider_sts_options {
     "Expiration": "2019-05-29T00:21:43Z"
    }
  * Version here identifies the command output format version.
- * This provider is not part of the default provider chain.
  */
 struct aws_credentials_provider_process_options {
     struct aws_credentials_provider_shutdown_options shutdown_options;
@@ -476,6 +506,12 @@ struct aws_credentials_provider_process_options {
      * if not provided, we will try environment variable: AWS_PROFILE.
      */
     struct aws_byte_cursor profile_to_use;
+
+    /**
+     * (Optional)
+     * Use a cached config profile collection. You can also pass a merged collection.
+     */
+    struct aws_profile_collection *config_profile_collection_cached;
 };
 
 /**
@@ -507,6 +543,12 @@ struct aws_credentials_provider_chain_default_options {
      * If this option is provided, `config_file_name_override` and `credentials_file_name_override` will be ignored.
      */
     struct aws_profile_collection *profile_collection_cached;
+
+    /*
+     * (Optional)
+     * Override of what profile to use, if not set, 'default' will be used.
+     */
+    struct aws_byte_cursor profile_name_override;
 };
 
 typedef int(aws_credentials_provider_delegate_get_credentials_fn)(

source/aws_imds_client.c

@@ -30,6 +30,8 @@
 #define IMDS_CONNECT_TIMEOUT_DEFAULT_IN_SECONDS 2
 #define IMDS_DEFAULT_RETRIES 1
 
+AWS_STATIC_STRING_FROM_LITERAL(s_imds_host, "169.254.169.254");
+
 enum imds_token_state {
     AWS_IMDS_TS_INVALID,
     AWS_IMDS_TS_VALID,
@@ -157,7 +159,7 @@ struct aws_imds_client *aws_imds_client_new(
     manager_options.initial_window_size = IMDS_RESPONSE_SIZE_LIMIT;
     manager_options.socket_options = &socket_options;
     manager_options.tls_connection_options = NULL;
-    manager_options.host = aws_byte_cursor_from_c_str("169.254.169.254");
+    manager_options.host = aws_byte_cursor_from_string(s_imds_host);
     manager_options.port = 80;
     manager_options.max_connections = 10;
     manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
@@ -384,6 +386,7 @@ static int s_on_incoming_headers_fn(
     return AWS_OP_SUCCESS;
 }
 
+AWS_STATIC_STRING_FROM_LITERAL(s_imds_host_header, "Host");
 AWS_STATIC_STRING_FROM_LITERAL(s_imds_accept_header, "Accept");
 AWS_STATIC_STRING_FROM_LITERAL(s_imds_accept_header_value, "*/*");
 AWS_STATIC_STRING_FROM_LITERAL(s_imds_user_agent_header, "User-Agent");
@@ -417,6 +420,14 @@ static int s_make_imds_http_query(
         goto on_error;
     }
 
+    struct aws_http_header host_header = {
+        .name = aws_byte_cursor_from_string(s_imds_host_header),
+        .value = aws_byte_cursor_from_string(s_imds_host),
+    };
+    if (aws_http_message_add_header(request, host_header)) {
+        goto on_error;
+    }
+
     struct aws_http_header accept_header = {
         .name = aws_byte_cursor_from_string(s_imds_accept_header),
         .value = aws_byte_cursor_from_string(s_imds_accept_header_value),

source/credentials_provider_default_chain.c

@@ -273,6 +273,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
     struct aws_tls_ctx *tls_ctx = NULL;
     struct aws_credentials_provider *environment_provider = NULL;
     struct aws_credentials_provider *profile_provider = NULL;
+    struct aws_credentials_provider *process_provider = NULL;
     struct aws_credentials_provider *sts_provider = NULL;
     struct aws_credentials_provider *ecs_or_imds_provider = NULL;
     struct aws_credentials_provider *chain_provider = NULL;
@@ -305,11 +306,13 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
 #endif /* BYO_CRYPTO */
     }
 
-    enum { providers_size = 4 };
+    enum { providers_size = 5 };
     struct aws_credentials_provider *providers[providers_size];
     AWS_ZERO_ARRAY(providers);
     size_t index = 0;
 
+    /* Providers that touch fast local resources... */
+
     struct aws_credentials_provider_environment_options environment_options;
     AWS_ZERO_STRUCT(environment_options);
     environment_provider = aws_credentials_provider_new_environment(allocator, &environment_options);
@@ -319,12 +322,15 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
 
     providers[index++] = environment_provider;
 
+    /* Providers that will make a network call only if the relevant configuration is present... */
+
     struct aws_credentials_provider_profile_options profile_options;
     AWS_ZERO_STRUCT(profile_options);
     profile_options.bootstrap = options->bootstrap;
     profile_options.tls_ctx = tls_ctx;
     profile_options.shutdown_options = sub_provider_shutdown_options;
     profile_options.profile_collection_cached = options->profile_collection_cached;
+    profile_options.profile_name_override = options->profile_name_override;
     profile_provider = aws_credentials_provider_new_profile(allocator, &profile_options);
     if (profile_provider != NULL) {
         providers[index++] = profile_provider;
@@ -338,13 +344,28 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
     sts_options.tls_ctx = tls_ctx;
     sts_options.shutdown_options = sub_provider_shutdown_options;
     sts_options.config_profile_collection_cached = options->profile_collection_cached;
+    sts_options.profile_name_override = options->profile_name_override;
     sts_provider = aws_credentials_provider_new_sts_web_identity(allocator, &sts_options);
     if (sts_provider != NULL) {
         providers[index++] = sts_provider;
         /* 1 shutdown call from the web identity provider's shutdown */
         aws_atomic_fetch_add(&impl->shutdowns_remaining, 1);
     }
 
+    struct aws_credentials_provider_process_options process_options;
+    AWS_ZERO_STRUCT(process_options);
+    process_options.shutdown_options = sub_provider_shutdown_options;
+    process_options.config_profile_collection_cached = options->profile_collection_cached;
+    process_options.profile_to_use = options->profile_name_override;
+    process_provider = aws_credentials_provider_new_process(allocator, &process_options);
+    if (process_provider != NULL) {
+        providers[index++] = process_provider;
+        /* 1 shutdown call from the process provider's shutdown */
+        aws_atomic_fetch_add(&impl->shutdowns_remaining, 1);
+    }
+
+    /* Providers that will always make a network call unless explicitly disabled... */
+
     ecs_or_imds_provider = s_aws_credentials_provider_new_ecs_or_imds(
         allocator, &sub_provider_shutdown_options, options->bootstrap, tls_ctx);
     if (ecs_or_imds_provider != NULL) {
@@ -370,6 +391,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
      */
     aws_credentials_provider_release(environment_provider);
     aws_credentials_provider_release(profile_provider);
+    aws_credentials_provider_release(process_provider);
     aws_credentials_provider_release(sts_provider);
     aws_credentials_provider_release(ecs_or_imds_provider);
 
@@ -411,6 +433,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
     } else {
         aws_credentials_provider_release(ecs_or_imds_provider);
         aws_credentials_provider_release(profile_provider);
+        aws_credentials_provider_release(process_provider);
         aws_credentials_provider_release(sts_provider);
         aws_credentials_provider_release(environment_provider);
     }

source/credentials_provider_environment.c

@@ -30,7 +30,7 @@ static int s_credentials_provider_environment_get_credentials_async(
     aws_get_environment_value(allocator, s_secret_access_key_env_var, &secret_access_key);
     aws_get_environment_value(allocator, s_session_token_env_var, &session_token);
 
-    if (access_key_id != NULL && secret_access_key != NULL) {
+    if (access_key_id != NULL && access_key_id->len > 0 && secret_access_key != NULL && secret_access_key->len > 0) {
         credentials =
             aws_credentials_new_from_string(allocator, access_key_id, secret_access_key, session_token, UINT64_MAX);
         if (credentials == NULL) {

source/credentials_provider_process.c

@@ -32,7 +32,6 @@ static int s_get_credentials_from_process(
     };
 
     struct aws_run_command_result result;
-    int ret = AWS_OP_ERR;
     if (aws_run_command_result_init(provider->allocator, &result)) {
         goto on_finish;
     }
@@ -50,7 +49,7 @@ static int s_get_credentials_from_process(
     struct aws_parse_credentials_from_json_doc_options parse_options = {
         .access_key_id_name = "AccessKeyId",
         .secret_access_key_name = "SecretAccessKey",
-        .token_name = "Token",
+        .token_name = "SessionToken",
         .expiration_name = "Expiration",
         .token_required = false,
         .expiration_required = false,
@@ -71,7 +70,6 @@ static int s_get_credentials_from_process(
         AWS_LS_AUTH_CREDENTIALS_PROVIDER,
         "(id=%p) Process credentials provider successfully sourced credentials.",
         (void *)provider);
-    ret = AWS_OP_SUCCESS;
 
 on_finish:
 
@@ -87,7 +85,7 @@ static int s_get_credentials_from_process(
     callback(credentials, error_code, user_data);
     aws_run_command_result_cleanup(&result);
     aws_credentials_release(credentials);
-    return ret;
+    return AWS_OP_SUCCESS;
 }
 
 static void s_credentials_provider_process_destroy(struct aws_credentials_provider *provider) {
@@ -155,21 +153,23 @@ static void s_check_or_get_with_profile_config(
 }
 
 static struct aws_byte_cursor s_stderr_redirect_to_stdout = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL(" 2>&1");
-static struct aws_string *s_get_command(struct aws_allocator *allocator, struct aws_byte_cursor profile_cursor) {
+static struct aws_string *s_get_command(
+    struct aws_allocator *allocator,
+    const struct aws_credentials_provider_process_options *options) {
 
     struct aws_byte_buf command_buf;
     AWS_ZERO_STRUCT(command_buf);
     struct aws_string *command = NULL;
     struct aws_profile_collection *config_profiles = NULL;
     struct aws_string *profile_name = NULL;
     const struct aws_profile *profile = NULL;
-
-    config_profiles = s_load_profile(allocator);
-    if (profile_cursor.len == 0) {
-        profile_name = aws_get_profile_name(allocator, NULL);
+    if (options->config_profile_collection_cached) {
+        config_profiles = aws_profile_collection_acquire(options->config_profile_collection_cached);
     } else {
-        profile_name = aws_string_new_from_array(allocator, profile_cursor.ptr, profile_cursor.len);
+        config_profiles = s_load_profile(allocator);
     }
+    profile_name = aws_get_profile_name(allocator, &options->profile_to_use);
+
     if (config_profiles && profile_name) {
         profile = aws_profile_collection_get_profile(config_profiles, profile_name);
     }
@@ -205,7 +205,7 @@ static struct aws_string *s_get_command(struct aws_allocator *allocator, struct
 
 on_finish:
     aws_string_destroy(profile_name);
-    aws_profile_collection_destroy(config_profiles);
+    aws_profile_collection_release(config_profiles);
     aws_byte_buf_clean_up_secure(&command_buf);
     return command;
 }
@@ -237,7 +237,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_process(
     AWS_ZERO_STRUCT(*provider);
     AWS_ZERO_STRUCT(*impl);
 
-    impl->command = s_get_command(allocator, options->profile_to_use);
+    impl->command = s_get_command(allocator, options);
     if (!impl->command) {
         goto on_error;
     }