AWS SDK

rev. 37276c5e0ace204ec6c0f1a727e085b17e15d36a

Files changed:

tmp-codegen-diff/aws-sdk/README.md

@@ -1,1 +57,57 @@

 <!--
 IMPORTANT:
 This README file is auto-generated by the build system in smithy-lang/smithy-rs.
 To update it, edit the `aws/SDK_README.md.hb` Handlebars template in that repository.
 -->
-6
 # The AWS SDK for Rust [![Docs](https://img.shields.io/badge/docs-blue)](https://awslabs.github.io/aws-sdk-rust/) ![MSRV](https://img.shields.io/badge/msrv-1.86.0-red) [![Usage Guide](https://img.shields.io/badge/Developer_Guide-blue)](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/welcome.html)
-8
 This repo contains the AWS SDK for Rust and its [public roadmap](https://github.com/orgs/awslabs/projects/50/views/1).
-10
 The SDK is code generated from [Smithy models](https://smithy.io/2.0/index.html) that represent each AWS service.
 The code used to generate the SDK can be found in [smithy-rs](https://github.com/smithy-lang/smithy-rs).
-13
 ## Getting Started with the SDK
-15
 > Examples are available for many services and operations, check out the [examples folder](./examples).

-17
 > For a step-by-step guide including several advanced use cases, check out the [Developer Guide](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/welcome.html).
-19
 The SDK provides one crate per AWS service. You must add [Tokio](https://crates.io/crates/tokio) as a dependency within your Rust project to execute asynchronous code.
-21
 . Create a new Rust project: `cargo new sdk-example`
 . Add dependencies to DynamoDB and Tokio to your **Cargo.toml** file:
-24
     ```toml
     [dependencies]
     aws-config = { version= "1.8.3", features = ["behavior-version-latest"] }
     aws-config = { version= "1.8.4", features = ["behavior-version-latest"] }
     aws-sdk-dynamodb = "0.0.0-local"
     tokio = { version = "1", features = ["full"] }
     ```
-31
 . Provide your AWS credentials with the default credential provider chain, which currently looks in:
    - Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`
    - The default credentials files located in `~/.aws/config` and `~/.aws/credentials` (location can vary per platform)
    - Web Identity Token credentials from the environment or container (including EKS)
    - ECS Container Credentials (IAM roles for tasks)
    - EC2 Instance Metadata Service (IAM Roles attached to instance)

↧ Expand context

-38
 . Make a request using DynamoDB
-40
 ```rust
 use aws_sdk_dynamodb::{Client, Error};
-43
 #[tokio::main]
 async fn main() -> Result<(), Error> {
     let shared_config = aws_config::load_from_env().await;
     let client = Client::new(&shared_config);
     let req = client.list_tables().limit(10);
     let resp = req.send().await?;
     println!("Current DynamoDB tables: {:?}", resp.table_names);
     Ok(())
-52
+}
 ```
-54
 ### Prerequisites
-56
 In order to use the SDK, you must already have Rust and Cargo installed. If you don't, [these instructions](https://doc.rust-lang.org/book/ch01-01-installation.html) describe how to install Rust and Cargo.

tmp-codegen-diff/aws-sdk/sdk/aws-config/Cargo.toml

@@ -1,1 +34,34 @@

 # Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
 [package]
 name = "aws-config"
 version = "1.8.3"
 version = "1.8.4"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>", "Russell Cohen <rcoh@amazon.com>"]
 description = "AWS SDK config and credential provider implementations."
 edition = "2021"
 exclude = ["test-data/*", "integration-tests/*"]
 license = "Apache-2.0"
 repository = "https://github.com/smithy-lang/smithy-rs"
 [package.metadata.docs.rs]
 all-features = true
 targets = ["x86_64-unknown-linux-gnu"]
 cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples"]

↧ Expand context

 rustdoc-args = ["--cfg", "docsrs"]
-16
 [package.metadata.smithy-rs-release-tooling]
 stable = true
 [package.metadata.cargo-udeps.ignore]
 normal = ["proc-macro2"]
-21
 [features]
 behavior-version-latest = []
 credentials-process = ["tokio/process"]
 default = ["default-https-client", "rt-tokio", "credentials-process", "sso"]
 rt-tokio = ["aws-smithy-async/rt-tokio", "aws-smithy-runtime/rt-tokio", "tokio/rt"]
 client-hyper = ["aws-smithy-runtime/default-https-client"]
 rustls = ["client-hyper"]
 default-https-client = ["aws-smithy-runtime/default-https-client"]
 sso = ["dep:aws-sdk-sso", "dep:aws-sdk-ssooidc", "dep:ring", "dep:hex", "dep:zeroize", "aws-smithy-runtime-api/http-auth"]
 test-util = ["aws-runtime/test-util"]
 allow-compilation = []
-33
 [dependencies]

@@ -44,44 +157,157 @@

↥ Expand context

-44
 [dependencies.aws-runtime]
 path = "../aws-runtime"
 version = "1.5.10"
-48
 [dependencies.aws-sdk-sts]
 path = "../sts"
 default-features = false
 version = "0.0.0-local"
-53
 [dependencies.aws-smithy-async]
 path = "../aws-smithy-async"
 version = "1.2.5"
-57
 [dependencies.aws-smithy-http]
 path = "../aws-smithy-http"
 version = "0.62.3"
-61
 [dependencies.aws-smithy-json]
 path = "../aws-smithy-json"

 version = "0.61.4"
-65
 [dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client"]
 version = "1.8.6"
-70
 [dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["client"]
 version = "1.8.5"
 version = "1.8.6"
-75
 [dependencies.aws-smithy-types]
 path = "../aws-smithy-types"
 version = "1.3.2"
-79
 [dependencies.aws-types]
 path = "../aws-types"
 version = "1.3.8"
-83
 [dependencies.time]
 version = "0.3.4"
 features = ["parsing"]
-87
 [dependencies.tokio]
 version = "1.13.1"
 features = ["sync"]
-91
 [dependencies.tracing]
 version = "0.1"
-94
 [dependencies.aws-sdk-sso]
 path = "../sso"
 default-features = false
 optional = true
 version = "0.0.0-local"
-100
 [dependencies.ring]
 version = "0.17.5"
 optional = true
-104
 [dependencies.hex]
 version = "0.4.3"
 optional = true
-108
 [dependencies.zeroize]
 version = "1"
 optional = true
-112
 [dependencies.aws-sdk-ssooidc]
 path = "../ssooidc"
 default-features = false
 optional = true
 version = "0.0.0-local"
-118
 [dev-dependencies]
 tracing-test = "0.2.4"
 serde_json = "1"
-122
 [dev-dependencies.aws-smithy-async]
 path = "../aws-smithy-async"
 features = ["rt-tokio", "test-util"]
 version = "1.2.5"
-127
 [dev-dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client", "test-util"]
 version = "1.8.6"
--
 [dev-dependencies.aws-smithy-http-client]
 path = "../aws-smithy-http-client"
 features = ["default-client", "test-util"]
 version = "1.0.6"
-132
 [dev-dependencies.aws-smithy-runtime]
 path = "../aws-smithy-runtime"
 features = ["client", "test-util"]
 version = "1.8.6"
-+
 [dev-dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["test-util"]
 version = "1.8.5"
 version = "1.8.6"
-142
 [dev-dependencies.futures-util]
 version = "0.3.29"
 default-features = false
-146
 [dev-dependencies.tracing-subscriber]
 version = "0.3.16"
 features = ["fmt", "json"]
-150
 [dev-dependencies.tokio]

↧ Expand context

 version = "1.23.1"
 features = ["full", "test-util"]
-154
 [dev-dependencies.serde]
 version = "1"
 features = ["derive"]

tmp-codegen-diff/aws-sdk/sdk/aws-config/external-types.toml

@@ -1,1 +39,41 @@

↥ Expand context

 # IMPORTANT: Types from `aws-sdk-*` crates MUST NOT be allowed to be
 # exposed in `aws-config`'s public API. Otherwise, `aws-config` will
 # require manual version bumping every time an automated version bump
 # to the exposed SDK crates happens.
 allowed_external_types = [
    "aws_credential_types::provider::credentials::ProvideCredentials",
    "aws_credential_types::provider::credentials::Result",
    "aws_credential_types::provider::token::ProvideToken",

    "aws_runtime::env_config::error::EnvConfigFileLoadError",
    "aws_runtime::env_config::file::Builder",
    "aws_runtime::env_config::file::EnvConfigFileKind",
    "aws_runtime::env_config::file::EnvConfigFiles",
    "aws_runtime::env_config::parse::EnvConfigParseError",
    "aws_runtime::env_config::property::Property",
    "aws_runtime::env_config::section::EnvConfigSections",
    "aws_runtime::env_config::section::Profile",
    "aws_smithy_async::rt::sleep::AsyncSleep",
    "aws_smithy_async::time::TimeSource",
    "aws_smithy_http_client::test_util::replay::StaticReplayClient",
    "aws_smithy_runtime::client::identity::cache::IdentityCache",
    "aws_smithy_runtime::client::identity::cache::lazy::LazyCacheBuilder",
    "aws_smithy_runtime_api::client::auth::AuthSchemePreference",
    "aws_smithy_runtime_api::client::orchestrator::HttpRequest",
    "aws_smithy_runtime_api::box_error::BoxError",
    "aws_smithy_runtime_api::client::behavior_version::BehaviorVersion",
    "aws_smithy_runtime_api::client::dns::ResolveDns",
    "aws_smithy_runtime_api::client::http::HttpClient",
    "aws_smithy_runtime_api::client::identity::ResolveCachedIdentity",
    "aws_smithy_runtime_api::client::identity::ResolveIdentity",
    "aws_smithy_runtime_api::client::orchestrator::HttpResponse",
    "aws_smithy_runtime_api::client::retries::classifiers::ClassifyRetry",
    "aws_smithy_runtime_api::client::retries::classifiers::SharedRetryClassifier",
    "aws_smithy_runtime_api::client::stalled_stream_protection::StalledStreamProtectionConfig",

↧ Expand context

    "aws_smithy_types::checksum_config::RequestChecksumCalculation",
    "aws_smithy_types::checksum_config::ResponseChecksumValidation",
    "aws_smithy_types::retry::*",
    "aws_smithy_types::timeout::OperationTimeoutConfig",
    "aws_smithy_types::timeout::TimeoutConfig",
    "aws_smithy_types::timeout::TimeoutConfigBuilder",
    "aws_types::*",
-41
+]

tmp-codegen-diff/aws-sdk/sdk/aws-config/fuzz/Cargo.toml

@@ -1,1 +30,30 @@

↥ Expand context

 # Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
 [[bin]]
 name = "profile-parser"
 path = "fuzz_targets/profile-parser.rs"
 test = false
 doc = false
-7
 [package]
 name = "aws-types-fuzz"
 version = "0.0.0"
 authors = ["Automatically generated"]
 publish = false

 edition = "2021"
-14
 [package.metadata]
 cargo-fuzz = true
-17
 [dependencies]
 libfuzzer-sys = "=0.4.7"
-20
 [dependencies.aws-config]
 path = ".."
 version = "1.8.3"
 version = "1.8.4"
-24
 [dependencies.aws-types]
 path = "../../../sdk/build/aws-sdk/sdk/aws-types"
 version = "1.3.8"
-28
 [workspace]
 members = ["."]

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/credential_process.rs

@@ -1,1 +42,43 @@

↥ Expand context

  * SPDX-License-Identifier: Apache-2.0
  */
-5
 #![cfg(feature = "credentials-process")]
-7
 //! Credentials Provider for external process
-9
 use crate::json_credentials::{json_parse_loop, InvalidJsonCredentials};
 use crate::sensitive_command::CommandWithSensitiveArgs;
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_json::deserialize::Token;
 use std::borrow::Cow;
 use std::process::Command;
 use std::time::SystemTime;
 use time::format_description::well_known::Rfc3339;
 use time::OffsetDateTime;
-22
 /// External process credentials provider

↧ Expand context

 ///
 /// This credentials provider runs a configured external process and parses
 /// its output to retrieve credentials.
 ///
 /// The external process must exit with status 0 and output the following
 /// JSON format to `stdout` to provide credentials:
 ///
 /// ```json
 /// {
 ///     "Version:" 1,
 ///     "AccessKeyId": "access key id",
 ///     "SecretAccessKey": "secret access key",
 ///     "SessionToken": "session token",
 ///     "Expiration": "time that the expiration will expire"
 /// }
 /// ```
 ///
 /// The `Version` must be set to 1. `AccessKeyId` and `SecretAccessKey` are always required.
 /// `SessionToken` must be set if a session token is associated with the `AccessKeyId`.
 /// The `Expiration` is optional, and must be given in the RFC 3339 date time format (e.g.,

@@ -95,96 +162,168 @@

↥ Expand context

         };
         let output = tokio::process::Command::from(command)
             .output()
             .await
             .map_err(|e| {
                 CredentialsError::provider_error(format!(
                     "Error retrieving credentials from external process: {}",
-103
+                    e
                 ))
             })?;
-106
         // Security: command arguments can be logged at trace level
         tracing::trace!(command = ?self.command, status = ?output.status, "executed command (unredacted)");
-109
         if !output.status.success() {
             let reason =
                 std::str::from_utf8(&output.stderr).unwrap_or("could not decode stderr as UTF-8");
             return Err(CredentialsError::provider_error(format!(
                 "Error retrieving credentials: external process exited with code {}. Stderr: {}",
                 output.status, reason

             )));
-117
+        }
-118
         let output = std::str::from_utf8(&output.stdout).map_err(|e| {
             CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process: could not decode output as UTF-8: {}",
-122
+                e
             ))
         })?;
-125
         parse_credential_process_json_credentials(output, self.profile_account_id.as_ref()).map_err(
             |invalid| {
         parse_credential_process_json_credentials(output, self.profile_account_id.as_ref())
             .map(|mut creds| {
                 creds
                     .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                     .push(AwsCredentialFeature::CredentialsProcess);
                 creds
             })
             .map_err(|invalid| {
                 CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process, could not parse response: {}",
                 invalid
             ))
             },
--
+        )
             })
-139
+    }
-140
+}
-141
 #[derive(Debug, Default)]
 pub(crate) struct Builder {
     command: Option<CommandWithSensitiveArgs<String>>,
     profile_account_id: Option<AccountId>,
-146
+}
-147
 impl Builder {

↧ Expand context

     pub(crate) fn command(mut self, command: CommandWithSensitiveArgs<String>) -> Self {
         self.command = Some(command);
         self
-152
+    }
-153
     #[allow(dead_code)] // only used in unit tests
     pub(crate) fn account_id(mut self, account_id: impl Into<AccountId>) -> Self {
         self.set_account_id(Some(account_id.into()));
         self
-158
+    }
-159
     pub(crate) fn set_account_id(&mut self, account_id: Option<AccountId>) {
         self.profile_account_id = account_id;
-162
+    }
-163
     pub(crate) fn build(self) -> CredentialProcessProvider {
         CredentialProcessProvider {
             command: self.command.expect("should be set"),
             profile_account_id: self.profile_account_id,
-168
+        }

@@ -237,243 +296,303 @@

↥ Expand context

     let access_key_id = access_key_id.ok_or(InvalidJsonCredentials::MissingField("AccessKeyId"))?;
     let secret_access_key =
         secret_access_key.ok_or(InvalidJsonCredentials::MissingField("SecretAccessKey"))?;
     let expiration = expiration.map(parse_expiration).transpose()?;
     if expiration.is_none() {
         tracing::debug!("no expiration provided for credentials provider credentials. these credentials will never be refreshed.")
-249
+    }
     let mut builder = Credentials::builder()
         .access_key_id(access_key_id)
         .secret_access_key(secret_access_key)
         .provider_name("CredentialProcess");
     builder.set_session_token(session_token.map(String::from));
     builder.set_expiry(expiration);
     builder.set_account_id(account_id.map(AccountId::from));
     Ok(builder.build())
-258
+}
-259
 fn parse_expiration(expiration: impl AsRef<str>) -> Result<SystemTime, InvalidJsonCredentials> {
     OffsetDateTime::parse(expiration.as_ref(), &Rfc3339)
         .map(SystemTime::from)

         .map_err(|err| InvalidJsonCredentials::InvalidField {
             field: "Expiration",
             err: err.into(),
         })
-267
+}
-268
 #[cfg(test)]
 mod test {
     use crate::credential_process::CredentialProcessProvider;
     use crate::sensitive_command::CommandWithSensitiveArgs;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use std::time::{Duration, SystemTime};
     use time::format_description::well_known::Rfc3339;
     use time::OffsetDateTime;
     use tokio::time::timeout;
-279
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[tokio::test]
     #[cfg_attr(windows, ignore)]
     async fn test_credential_process() {

↧ Expand context

         let provider = CredentialProcessProvider::new(String::from(
             r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "SessionToken": "TESTSESSIONTOKEN", "AccountId": "123456789001", "Expiration": "2022-05-02T18:36:00+00:00" }'"#,
         ));
         let creds = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds.access_key_id(), "ASIARTESTID");
         assert_eq!(creds.secret_access_key(), "TESTSECRETKEY");
         assert_eq!(creds.session_token(), Some("TESTSESSIONTOKEN"));
         assert_eq!(creds.account_id().unwrap().as_str(), "123456789001");
         assert_eq!(
             creds.expiry(),
             Some(
                 SystemTime::try_from(
                     OffsetDateTime::parse("2022-05-02T18:36:00+00:00", &Rfc3339)
                         .expect("static datetime")
-298
+                )
                 .expect("static datetime")
-300
+            )
         );
-302
+    }
-303

@@ -312,319 +342,364 @@

↥ Expand context

     async fn credentials_process_timeouts() {
         let provider = CredentialProcessProvider::new(String::from("sleep 1000"));
         let _creds = timeout(Duration::from_millis(1), provider.provide_credentials())
             .await
             .expect_err("timeout forced");
-324
+    }
-325
     #[tokio::test]
     async fn credentials_with_fallback_account_id() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("012345678901", creds.account_id().unwrap().as_str());
-336
+    }
-337
     #[tokio::test]

     async fn fallback_account_id_shadowed_by_account_id_in_process_output() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("111122223333", creds.account_id().unwrap().as_str());
-348
+    }
-+
     #[tokio::test]
     async fn credential_feature() {
         let provider = CredentialProcessProvider::builder()
             .command(CommandWithSensitiveArgs::new(String::from(
                 r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
             )))
             .account_id("012345678901")
             .build();
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsProcess],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
-+
+    }
-364
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/environment/credentials.rs

@@ -1,1 +142,148 @@

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 use std::env::VarError;
-7
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_types::os_shim_internal::Env;
-13
 /// Load Credentials from Environment Variables
 ///
 /// `EnvironmentVariableCredentialsProvider` uses the following variables:
 /// - `AWS_ACCESS_KEY_ID`
 /// - `AWS_SECRET_ACCESS_KEY` with fallback to `SECRET_ACCESS_KEY`
 /// - `AWS_SESSION_TOKEN` (optional)
 /// - `AWS_ACCOUNT_ID` (optional)
 #[derive(Debug, Clone)]
 pub struct EnvironmentVariableCredentialsProvider {
     env: Env,
-24
+}
-25
 impl EnvironmentVariableCredentialsProvider {
     fn credentials(&self) -> provider::Result {
         let access_key = self
             .env
             .get("AWS_ACCESS_KEY_ID")
             .and_then(err_if_blank)
             .map_err(to_cred_error)?;
         let secret_key = self
             .env
             .get("AWS_SECRET_ACCESS_KEY")
             .and_then(err_if_blank)
             .or_else(|_| self.env.get("SECRET_ACCESS_KEY"))
             .and_then(err_if_blank)
             .map_err(to_cred_error)?;
         let session_token =
             self.env
                 .get("AWS_SESSION_TOKEN")
                 .ok()
                 .and_then(|token| match token.trim() {
                     "" => None,
                     s => Some(s.to_string()),
                 });
         let account_id =
             self.env
                 .get("AWS_ACCOUNT_ID")
                 .ok()
                 .and_then(|account_id| match account_id.trim() {
                     "" => None,
                     s => Some(AccountId::from(s)),
                 });
         let mut builder = Credentials::builder()
             .access_key_id(access_key)
             .secret_access_key(secret_key)
             .provider_name(ENV_PROVIDER);
         builder.set_session_token(session_token);
         builder.set_account_id(account_id);
         Ok(builder.build())
         let mut creds = builder.build();
         creds
             .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
             .push(AwsCredentialFeature::CredentialsEnvVars);
         Ok(creds)
-67
+    }
-68
+}
-69
 impl EnvironmentVariableCredentialsProvider {
     /// Create a `EnvironmentVariableCredentialsProvider`
     pub fn new() -> Self {
         Self::new_with_env(Env::real())
-74
+    }
-75
     /// Create a new `EnvironmentVariableCredentialsProvider` with `Env` overridden
     ///
     /// This function is intended for tests that mock out the process environment.
     pub(crate) fn new_with_env(env: Env) -> Self {
         Self { env }
-81
+    }
-82
+}
-83
 impl Default for EnvironmentVariableCredentialsProvider {
     fn default() -> Self {
         Self::new()
-87
+    }
-88
+}
-89
 const ENV_PROVIDER: &str = "EnvironmentVariable";
-91
 impl ProvideCredentials for EnvironmentVariableCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-96
+    {
         future::ProvideCredentials::ready(self.credentials())
-98
+    }
-99
+}
-100
 fn to_cred_error(err: VarError) -> CredentialsError {
     match err {
         VarError::NotPresent => CredentialsError::not_loaded("environment variable not set"),
         e @ VarError::NotUnicode(_) => CredentialsError::unhandled(e),
-105
+    }
-106
+}
-107
 fn err_if_blank(value: String) -> Result<String, VarError> {
     if value.trim().is_empty() {
         Err(VarError::NotPresent)
     } else {
         Ok(value)
-113
+    }
-114
+}
-115
 #[cfg(test)]
 mod test {
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::{error::CredentialsError, ProvideCredentials};
     use aws_types::os_shim_internal::Env;
     use futures_util::FutureExt;
-122
     use super::EnvironmentVariableCredentialsProvider;
-124
     fn make_provider(vars: &[(&str, &str)]) -> EnvironmentVariableCredentialsProvider {
         EnvironmentVariableCredentialsProvider {
             env: Env::from_slice(vars),
-128
+        }

↧ Expand context

-129
+    }
-130
     #[test]
     fn valid_no_token() {
         let provider = make_provider(&[
             ("AWS_ACCESS_KEY_ID", "access"),
             ("AWS_SECRET_ACCESS_KEY", "secret"),
         ]);
         let creds = provider
             .provide_credentials()
             .now_or_never()
             .unwrap()
             .expect("valid credentials");
         assert_eq!(creds.session_token(), None);
         assert_eq!(creds.access_key_id(), "access");
         assert_eq!(creds.secret_access_key(), "secret");
-145
+    }
-146
     #[test]
     fn valid_with_token() {

@@ -223,229 +259,285 @@

↥ Expand context

             .expect_err("no credentials defined");
         assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
-231
+    }
-232
     #[test]
     fn empty_keys_env_vars() {
         for [access_key_value, secret_key_value] in &[
             &["", ""],
             &[" ", ""],
             &["access", ""],
             &["", " "],
             &[" ", " "],
             &["access", " "],
             &["", "secret"],
             &[" ", "secret"],
         ] {
             let provider = make_provider(&[
                 ("AWS_ACCESS_KEY_ID", access_key_value),
                 ("AWS_SECRET_ACCESS_KEY", secret_key_value),
             ]);

-249
             let err = provider
                 .provide_credentials()
                 .now_or_never()
                 .unwrap()
                 .expect_err("no credentials defined");
             assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
-256
+        }
-257
+    }
-258
     #[test]
     fn credentials_feature() {
         let provider = make_provider(&[
             ("AWS_ACCESS_KEY_ID", "access"),
             ("AWS_SECRET_ACCESS_KEY", "secret"),
             ("SECRET_ACCESS_KEY", "secret"),
             ("AWS_SESSION_TOKEN", "token"),
         ]);
-+
         let creds = provider
             .provide_credentials()
             .now_or_never()
             .unwrap()
             .expect("valid credentials");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsEnvVars],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
-+
+    }
-+
     #[test]
     fn real_environment() {
         let provider = EnvironmentVariableCredentialsProvider::new();
         // we don't know what's in the env, just make sure it doesn't crash.
         let _fut = provider.provide_credentials();
-284
+    }
-285
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/http_credential_provider.rs

@@ -1,1 +87,97 @@

↥ Expand context

  */
-5
 //! Generalized HTTP credential provider. Currently, this cannot be used directly and can only
 //! be used via the ECS credential provider.
 //!
 //! Future work will stabilize this interface and enable it to be used directly.
-10
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::attributes::AccountId;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError};
 use aws_credential_types::Credentials;
 use aws_smithy_runtime::client::metrics::MetricsRuntimePlugin;
 use aws_smithy_runtime::client::orchestrator::operation::Operation;
 use aws_smithy_runtime::client::retries::classifiers::{
     HttpStatusCodeClassifier, TransientErrorClassifier,
 };
 use aws_smithy_runtime_api::client::http::HttpConnectorSettings;
 use aws_smithy_runtime_api::client::interceptors::context::{Error, InterceptorContext};
 use aws_smithy_runtime_api::client::orchestrator::{
     HttpResponse, Metadata, OrchestratorError, SensitiveOutput,
 };
 use aws_smithy_runtime_api::client::result::SdkError;
 use aws_smithy_runtime_api::client::retries::classifiers::ClassifyRetry;
 use aws_smithy_runtime_api::client::retries::classifiers::RetryAction;
 use aws_smithy_runtime_api::client::runtime_plugin::StaticRuntimePlugin;
 use aws_smithy_types::body::SdkBody;
 use aws_smithy_types::config_bag::Layer;
 use aws_smithy_types::retry::RetryConfig;
 use aws_smithy_types::timeout::TimeoutConfig;
 use http::header::{ACCEPT, AUTHORIZATION};
 use http::HeaderValue;
 use std::time::Duration;
-38
 const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(5);
 const DEFAULT_CONNECT_TIMEOUT: Duration = Duration::from_secs(2);
-41
 #[derive(Debug)]
 struct HttpProviderAuth {
     auth: Option<HeaderValue>,
-45
+}
-46
 #[derive(Debug)]
 pub(crate) struct HttpCredentialProvider {
     operation: Operation<HttpProviderAuth, Credentials, CredentialsError>,
-50
+}
-51
 impl HttpCredentialProvider {
     pub(crate) fn builder() -> Builder {
         Builder::default()
-55
+    }
-56
     pub(crate) async fn credentials(&self, auth: Option<HeaderValue>) -> provider::Result {
         let credentials = self.operation.invoke(HttpProviderAuth { auth }).await;
         let credentials =
             self.operation
                 .invoke(HttpProviderAuth { auth })
                 .await
                 .map(|mut creds| {
                     creds
                         .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                         .push(AwsCredentialFeature::CredentialsHttp);
                     creds
                 });
         match credentials {
             Ok(creds) => Ok(creds),
             Err(SdkError::ServiceError(context)) => Err(context.into_err()),
             Err(other) => Err(CredentialsError::unhandled(other)),
-72
+        }
-73
+    }
-74
+}
-75
 #[derive(Default)]
 pub(crate) struct Builder {

↧ Expand context

     provider_config: Option<ProviderConfig>,
     http_connector_settings: Option<HttpConnectorSettings>,
-80
+}
-81
 impl Builder {
     pub(crate) fn configure(mut self, provider_config: &ProviderConfig) -> Self {
         self.provider_config = Some(provider_config.clone());
         self
-86
+    }
-87
     pub(crate) fn http_connector_settings(
         mut self,
         http_connector_settings: HttpConnectorSettings,
     ) -> Self {
         self.http_connector_settings = Some(http_connector_settings);
         self
-94
+    }
-95
     pub(crate) fn build(
         self,

@@ -206,216 +265,276 @@

↥ Expand context

 impl ClassifyRetry for HttpCredentialRetryClassifier {
     fn name(&self) -> &'static str {
         "HttpCredentialRetryClassifier"
-219
+    }
-220
     fn classify_retry(&self, ctx: &InterceptorContext) -> RetryAction {
         let output_or_error = ctx.output_or_error();
         let error = match output_or_error {
             Some(Ok(_)) | None => return RetryAction::NoActionIndicated,
             Some(Err(err)) => err,
         };
-227
         // Retry non-parseable 200 responses
         if let Some((err, status)) = error
             .as_operation_error()
             .and_then(|err| err.downcast_ref::<CredentialsError>())
             .zip(ctx.response().map(HttpResponse::status))
-233
+        {
             if matches!(err, CredentialsError::Unhandled { .. }) && status.is_success() {
                 return RetryAction::server_error();

-236
+            }
-237
+        }
-238
         RetryAction::NoActionIndicated
-240
+    }
-241
+}
-242
 #[cfg(test)]
 mod test {
     use super::*;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::error::CredentialsError;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
     use http::{Request, Response, Uri};
     use std::time::SystemTime;
-252
     async fn provide_creds(
         http_client: StaticReplayClient,
     ) -> Result<Credentials, CredentialsError> {
         let provider_config = ProviderConfig::default().with_http_client(http_client.clone());

↧ Expand context

         let provider = HttpCredentialProvider::builder()
             .configure(&provider_config)
             .build("test", "http://localhost:1234/", "/some-creds");
         provider.credentials(None).await
-261
+    }
-262
     fn successful_req_resp() -> ReplayEvent {
         ReplayEvent::new(
             Request::builder()
                 .uri(Uri::from_static("http://localhost:1234/some-creds"))
                 .body(SdkBody::empty())
                 .unwrap(),
             Response::builder()
                 .status(200)
                 .body(SdkBody::from(
                     r#"{
                         "AccessKeyId" : "MUA...",
                         "SecretAccessKey" : "/7PC5om....",
                         "Token" : "AQoDY....=",
                         "Expiration" : "2016-02-25T06:03:31Z"

@@ -319,330 +349,370 @@

↥ Expand context

             successful_req_resp(),
         ]);
         let creds = provide_creds(http_client.clone()).await.expect("success");
         assert_eq!("MUA...", creds.access_key_id());
         http_client.assert_requests_match(&[]);
-335
+    }
-336
     #[tokio::test]
     async fn explicit_error_not_retryable() {
         let http_client = StaticReplayClient::new(vec![ReplayEvent::new(
             Request::builder()
                 .uri(Uri::from_static("http://localhost:1234/some-creds"))
                 .body(SdkBody::empty())
                 .unwrap(),
             Response::builder()
                 .status(400)
                 .body(SdkBody::from(
                     r#"{ "Code": "Error", "Message": "There was a problem, it was your fault" }"#,
                 ))
                 .unwrap(),

         )]);
         let err = provide_creds(http_client.clone())
             .await
             .expect_err("it should fail");
         assert!(
             matches!(err, CredentialsError::ProviderError { .. }),
             "should be CredentialsError::ProviderError: {err}",
         );
         http_client.assert_requests_match(&[]);
-359
+    }
-+
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = StaticReplayClient::new(vec![successful_req_resp()]);
         let creds = provide_creds(http_client.clone()).await.expect("success");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsHttp],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
-+
+    }
-370
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/imds/client.rs

@@ -614,614 +765,769 @@

↥ Expand context

-614
+    }
-615
+}
-616
 impl ClassifyRetry for ImdsResponseRetryClassifier {
     fn name(&self) -> &'static str {
         "ImdsResponseRetryClassifier"
-620
+    }
-621
     fn classify_retry(&self, ctx: &InterceptorContext) -> RetryAction {
         if let Some(response) = ctx.response() {
             let status = response.status();
             match status {
                 _ if status.is_server_error() => RetryAction::server_error(),
                 // 401 indicates that the token has expired, this is retryable
                 _ if status.as_u16() == 401 => RetryAction::server_error(),
                 // This catch-all includes successful responses that fail to parse. These should not be retried.
                 _ => RetryAction::NoActionIndicated,
-631
+            }
         } else if self.retry_connect_timeouts {
             RetryAction::server_error()

         } else {
             // This is the default behavior.
             // Don't retry timeouts for IMDS, or else it will take ~30 seconds for the default
             // credentials provider chain to fail to provide credentials.
             // Also don't retry non-responses.
             RetryAction::NoActionIndicated
-640
+        }
-641
+    }
-642
+}
-643
 #[cfg(test)]
 #[cfg(all(test, feature = "test-util"))]
 pub(crate) mod test {
     use crate::imds::client::{Client, EndpointMode, ImdsResponseRetryClassifier};
     use crate::provider_config::ProviderConfig;
     use aws_smithy_async::rt::sleep::TokioSleep;
     use aws_smithy_async::test_util::{instant_time_and_sleep, InstantSleep};
     use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
     use aws_smithy_runtime::test_util::capture_test_logs::capture_test_logs;
     use aws_smithy_runtime_api::client::interceptors::context::{
         Input, InterceptorContext, Output,
     };
     use aws_smithy_runtime_api::client::orchestrator::{
         HttpRequest, HttpResponse, OrchestratorError,
     };
     use aws_smithy_runtime_api::client::orchestrator::OrchestratorError;
     use aws_smithy_runtime_api::client::orchestrator::{HttpRequest, HttpResponse};
     use aws_smithy_runtime_api::client::result::ConnectorError;
     use aws_smithy_runtime_api::client::retries::classifiers::{
         ClassifyRetry, RetryAction, SharedRetryClassifier,
     };
     use aws_smithy_types::body::SdkBody;
     use aws_smithy_types::error::display::DisplayErrorContext;
     use aws_types::os_shim_internal::{Env, Fs};
     use http::header::USER_AGENT;
     use http::Uri;
     use serde::Deserialize;
     use std::collections::HashMap;
     use std::error::Error;
     use std::io;
     use std::time::SystemTime;
     use std::time::{Duration, UNIX_EPOCH};
     use tracing_test::traced_test;
-673
     macro_rules! assert_full_error_contains {
         ($err:expr, $contains:expr) => {
             let err = $err;
             let message = format!(
                 "{}",
                 aws_smithy_types::error::display::DisplayErrorContext(&err)
             );
             assert!(
                 message.contains($contains),
                 "Error message '{message}' didn't contain text '{}'",
                 $contains
             );
         };
-687
+    }
-688
     const TOKEN_A: &str = "AQAEAFTNrA4eEGx0AQgJ1arIq_Cc-t4tWt3fB0Hd8RKhXlKc5ccvhg==";
     const TOKEN_B: &str = "alternatetoken==";
-691
     /// Create a simple token request
     pub(crate) fn token_request(base: &str, ttl: u32) -> HttpRequest {
         http::Request::builder()
             .uri(format!("{}/latest/api/token", base))
             .header("x-aws-ec2-metadata-token-ttl-seconds", ttl)
             .method("PUT")
             .body(SdkBody::empty())
             .unwrap()
             .try_into()
             .unwrap()
-702
+    }
-703
     /// Create a simple token response
     pub(crate) fn token_response(ttl: u32, token: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
                 .status(200)
                 .header("X-aws-ec2-metadata-token-ttl-seconds", ttl)
                 .body(SdkBody::from(token))
                 .unwrap(),
-712
+        )
         .unwrap()
-714
+    }
-715
     /// Create a simple IMDS request
     pub(crate) fn imds_request(path: &'static str, token: &str) -> HttpRequest {
         http::Request::builder()
             .uri(Uri::from_static(path))
             .method("GET")
             .header("x-aws-ec2-metadata-token", token)
             .body(SdkBody::empty())
             .unwrap()
             .try_into()
             .unwrap()
-726
+    }
-727
     /// Create a simple IMDS response
     pub(crate) fn imds_response(body: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
                 .status(200)
                 .body(SdkBody::from(body))
                 .unwrap(),
-735
+        )
         .unwrap()
-737
+    }
-738
     /// Create an IMDS client with an underlying [StaticReplayClient]
     pub(crate) fn make_imds_client(http_client: &StaticReplayClient) -> super::Client {
         tokio::time::pause();
         super::Client::builder()
             .configure(
                 &ProviderConfig::no_configuration()
                     .with_sleep_impl(InstantSleep::unlogged())
                     .with_http_client(http_client.clone()),
-747
+            )
             .build()
-749
+    }

↧ Expand context

-750
     fn mock_imds_client(events: Vec<ReplayEvent>) -> (Client, StaticReplayClient) {
         let http_client = StaticReplayClient::new(events);
         let client = make_imds_client(&http_client);
         (client, http_client)
-755
+    }
-756
     #[tokio::test]
     async fn client_caches_token() {
         let (client, http_client) = mock_imds_client(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/metadata", TOKEN_A),
                 imds_response(r#"test-imds-output"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/metadata2", TOKEN_A),

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/imds/credentials.rs

@@ -1,1 +44,45 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */

-5
 //! IMDSv2 Credentials Provider
 //!
 //! # Important
 //! This credential provider will NOT fallback to IMDSv1. Ensure that IMDSv2 is enabled on your instances.
-10
 use super::client::error::ImdsError;
 use crate::imds::{self, Client};
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_async::time::SharedTimeSource;
 use aws_types::os_shim_internal::Env;
 use std::borrow::Cow;
 use std::error::Error as StdError;
 use std::fmt;
 use std::sync::{Arc, RwLock};
 use std::time::{Duration, SystemTime};
-25

↧ Expand context

 const CREDENTIAL_EXPIRATION_INTERVAL: Duration = Duration::from_secs(10 * 60);
 const WARNING_FOR_EXTENDING_CREDENTIALS_EXPIRY: &str =
     "Attempting credential expiration extension due to a credential service availability issue. \
     A refresh of these credentials will be attempted again within the next";
-30
 #[derive(Debug)]
 struct ImdsCommunicationError {
     source: Box<dyn StdError + Send + Sync + 'static>,
-34
+}
-35
 impl fmt::Display for ImdsCommunicationError {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "could not communicate with IMDS")
-39
+    }
-40
+}
-41
 impl StdError for ImdsCommunicationError {
     fn source(&self) -> Option<&(dyn StdError + 'static)> {
         Some(self.source.as_ref())
-45
+    }

@@ -242,243 +322,330 @@

↥ Expand context

                 let _ = account_id;
                 let expiration = self.maybe_extend_expiration(expiration);
                 let creds = Credentials::new(
                     access_key_id,
                     secret_access_key,
                     Some(session_token.to_string()),
                     expiration.into(),
                     "IMDSv2",
                 );
                 *self.last_retrieved_credentials.write().unwrap() = Some(creds.clone());
                 Ok(creds)
-254
+            }
             Ok(JsonCredentials::Error { code, message })
                 if code == codes::ASSUME_ROLE_UNAUTHORIZED_ACCESS =>
-257
+            {
                 Err(CredentialsError::invalid_configuration(format!(
                     "Incorrect IMDS/IAM configuration: [{}] {}. \
                         Hint: Does this role have a trust relationship with EC2?",
                     code, message
                 )))

-263
+            }
             Ok(JsonCredentials::Error { code, message }) => {
                 Err(CredentialsError::provider_error(format!(
                     "Error retrieving credentials from IMDS: {} {}",
                     code, message
                 )))
-269
+            }
             // got bad data from IMDS, should not occur during normal operation:
             Err(invalid) => Err(CredentialsError::unhandled(invalid)),
-272
+        }
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsImds);
             creds
         })
-279
+    }
-280
     async fn credentials(&self) -> provider::Result {
         match self.retrieve_credentials().await {
             creds @ Ok(_) => creds,
             // Any failure while retrieving credentials MUST NOT impede use of existing credentials.
             err => match &*self.last_retrieved_credentials.read().unwrap() {
                 Some(creds) => Ok(creds.clone()),
                 _ => err,
             },
-289
+        }
-290
+    }
-291
+}
-292
 #[cfg(test)]
 mod test {
     use super::*;
     use crate::imds::client::test::{
         imds_request, imds_response, make_imds_client, token_request, token_response,
     };
     use crate::provider_config::ProviderConfig;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use aws_smithy_async::test_util::instant_time_and_sleep;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
     use std::time::{Duration, UNIX_EPOCH};
     use tracing_test::traced_test;
-307
     const TOKEN_A: &str = "token_a";
-309
     #[tokio::test]

↧ Expand context

     async fn profile_is_not_cached() {
         let http_client = StaticReplayClient::new(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"profile-name"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"different-profile"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/different-profile", TOKEN_A),

@@ -502,510 +532,575 @@

↥ Expand context

                 ReplayEvent::new(
                     token_request("http://169.254.169.254", 21600),
                     token_response(21600, TOKEN_A),
                 ),
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                     imds_response(r#"profile-name"#),
                 ),
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                     imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
                 ),
                 // The following request/response pair corresponds to the second call to `provide_credentials`.
                 // During the call, IMDS returns response code 500.
                 ReplayEvent::new(
                     imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                     http::Response::builder().status(500).body(SdkBody::empty()).unwrap(),
                 ),
             ]);
         let provider = ImdsCredentialsProvider::builder()

             .imds_client(make_imds_client(&http_client))
             .configure(&ProviderConfig::no_configuration())
             .build();
         let creds1 = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds1.access_key_id(), "ASIARTEST");
         // `creds1` should be returned as fallback credentials and assigned to `creds2`
         let creds2 = provider.provide_credentials().await.expect("valid creds");
         assert_eq!(creds1, creds2);
         http_client.assert_requests_match(&[]);
-539
+    }
-+
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = StaticReplayClient::new(vec![
             ReplayEvent::new(
                 token_request("http://169.254.169.254", 21600),
                 token_response(21600, TOKEN_A),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"profile-name"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/profile-name", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/", TOKEN_A),
                 imds_response(r#"different-profile"#),
             ),
             ReplayEvent::new(
                 imds_request("http://169.254.169.254/latest/meta-data/iam/security-credentials/different-profile", TOKEN_A),
                 imds_response("{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-20T21:42:26Z\",\n  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"ASIARTEST2\",\n  \"SecretAccessKey\" : \"testsecret\",\n  \"Token\" : \"testtoken\",\n  \"Expiration\" : \"2021-09-21T04:16:53Z\"\n}"),
             ),
         ]);
         let client = ImdsCredentialsProvider::builder()
             .imds_client(make_imds_client(&http_client))
             .configure(&ProviderConfig::no_configuration())
             .build();
         let creds = client.provide_credentials().await.expect("valid creds");
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsImds],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
         );
-+
+    }
-575
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/profile/credentials.rs

@@ -1,1 +60,61 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! Profile File Based Credential Providers
 //!
 //! Profile file based providers combine two pieces:
 //!
 //! 1. Parsing and resolution of the assume role chain
 //! 2. A user-modifiable hashmap of provider name to provider.
 //!
 //! Profile file based providers first determine the chain of providers that will be used to load
 //! credentials. After determining and validating this chain, a `Vec` of providers will be created.
 //!
 //! Each subsequent provider will provide boostrap providers to the next provider in order to load
 //! the final credentials.
 //!
 //! This module contains two sub modules:
 //! - `repr` which contains an abstract representation of a provider chain and the logic to

 //!   build it from `~/.aws/credentials` and `~/.aws/config`.
 //! - `exec` which contains a chain representation of providers to implement passing bootstrapped credentials
 //!   through a series of providers.
-24
 use crate::profile::cell::ErrorTakingOnceCell;
 #[allow(deprecated)]
 use crate::profile::profile_file::ProfileFiles;
 use crate::profile::Profile;
 use crate::profile::ProfileFileLoadError;
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::{
     provider::{self, error::CredentialsError, future, ProvideCredentials},
     Credentials,
 };
 use aws_smithy_types::error::display::DisplayErrorContext;
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::error::Error;
 use std::fmt::{Display, Formatter};
 use std::sync::Arc;

↧ Expand context

 use tracing::Instrument;
-43
 mod exec;
 pub(crate) mod repr;
-46
 /// AWS Profile based credentials provider
 ///
 /// This credentials provider will load credentials from `~/.aws/config` and `~/.aws/credentials`.
 /// The locations of these files are configurable via environment variables, see [below](#location-of-profile-files).
 ///
 /// Generally, this will be constructed via the default provider chain, however, it can be manually
 /// constructed with the builder:
 /// ```rust,no_run
 /// use aws_config::profile::ProfileFileCredentialsProvider;
 /// let provider = ProfileFileCredentialsProvider::builder().build();
 /// ```
 ///
 /// _Note: Profile providers, when called, will load and parse the profile from the file system
 /// only once. Parsed file contents will be cached indefinitely._
 ///

@@ -159,160 +219,225 @@

↥ Expand context

             .get_or_init(
-161
+                {
                     let config = self.config.clone();
                     move || async move {
                         match build_provider_chain(config.clone()).await {
                             Ok(chain) => Ok(ChainProvider {
                                 config: config.clone(),
                                 chain: Some(Arc::new(chain)),
                             }),
                             Err(err) => match err {
                                 ProfileFileError::NoProfilesDefined
                                 | ProfileFileError::ProfileDidNotContainCredentials { .. } => {
                                     Ok(ChainProvider {
                                         config: config.clone(),
                                         chain: None,
                                     })
-176
+                                }
                                 _ => Err(CredentialsError::invalid_configuration(format!(
                                     "ProfileFile provider could not be built: {}",
                                     &err

                                 ))),
                             },
-182
+                        }
-183
+                    }
                 },
                 CredentialsError::unhandled(
                     "profile file credentials provider initialization error already taken",
                 ),
-188
+            )
             .await?;
         inner_provider.provide_credentials().await
         inner_provider.provide_credentials().await.map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsProfile);
             creds
         })
-196
+    }
-197
+}
-198
 impl ProvideCredentials for ProfileFileCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-203
+    {
         future::ProvideCredentials::new(self.load_credentials())
-205
+    }

↧ Expand context

-206
+}
-207
 /// An Error building a Credential source from an AWS Profile
 #[derive(Debug)]
 #[non_exhaustive]
 pub enum ProfileFileError {
     /// The profile was not a valid AWS profile
     #[non_exhaustive]
     InvalidProfile(ProfileFileLoadError),
-215
     /// No profiles existed (the profile was empty)
     #[non_exhaustive]
     NoProfilesDefined,
-219
     /// The profile did not contain any credential information
     #[non_exhaustive]
     ProfileDidNotContainCredentials {
         /// The name of the profile
         profile: String,
     },

@@ -599,605 +767,801 @@

↥ Expand context

     make_test!(retry_on_error);
     make_test!(invalid_config);
     make_test!(region_override);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process_failure);
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is disabled on Windows because it uses Unix-style paths
     #[cfg(all(feature = "credentials-process", not(windows)))]
     make_test!(credential_process_account_id_fallback);
     #[cfg(feature = "credentials-process")]
     make_test!(credential_process_invalid);
     #[cfg(feature = "sso")]
     make_test!(sso_credentials);
     #[cfg(feature = "sso")]
     make_test!(sso_override_global_env_url);
     #[cfg(feature = "sso")]
     make_test!(sso_token);

-625
     make_test!(assume_role_override_global_env_url);
     make_test!(assume_role_override_service_env_url);
     make_test!(assume_role_override_global_profile_url);
     make_test!(assume_role_override_service_profile_url);
-630
+}
-631
 #[cfg(all(test, feature = "sso"))]
 mod sso_tests {
     use crate::{profile::credentials::Builder, provider_config::ProviderConfig};
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use aws_sdk_sso::config::RuntimeComponents;
     use aws_smithy_runtime_api::client::{
         http::{
             HttpClient, HttpConnector, HttpConnectorFuture, HttpConnectorSettings,
             SharedHttpConnector,
         },
         orchestrator::{HttpRequest, HttpResponse},
     };
     use aws_smithy_types::body::SdkBody;
     use aws_types::os_shim_internal::{Env, Fs};
     use std::collections::HashMap;
-648
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[cfg_attr(windows, ignore)]
     // In order to preserve the SSO token cache, the inner provider must only
     // be created once, rather than once per credential resolution.
     #[tokio::test]
     async fn create_inner_provider_exactly_once() {
         #[derive(Debug)]
         struct ClientInner {
             expected_token: &'static str,
--
+        }
         impl HttpConnector for ClientInner {
             fn call(&self, request: HttpRequest) -> HttpConnectorFuture {
                 assert_eq!(
                     self.expected_token,
                     request.headers().get("x-amz-sso_bearer_token").unwrap()
                 );
                 HttpConnectorFuture::ready(Ok(HttpResponse::new(
     #[derive(Debug)]
     struct ClientInner {
         expected_token: &'static str,
-+
+    }
     impl HttpConnector for ClientInner {
         fn call(&self, request: HttpRequest) -> HttpConnectorFuture {
             assert_eq!(
                 self.expected_token,
                 request.headers().get("x-amz-sso_bearer_token").unwrap()
             );
             HttpConnectorFuture::ready(Ok(HttpResponse::new(
 .try_into().unwrap(),
                     SdkBody::from("{\"roleCredentials\":{\"accessKeyId\":\"ASIARTESTID\",\"secretAccessKey\":\"TESTSECRETKEY\",\"sessionToken\":\"TESTSESSIONTOKEN\",\"expiration\": 1651516560000}}"),
                 )))
--
+            }
-663
+        }
         #[derive(Debug)]
         struct Client {
             inner: SharedHttpConnector,
--
+        }
         impl Client {
             fn new(expected_token: &'static str) -> Self {
                 Self {
                     inner: SharedHttpConnector::new(ClientInner { expected_token }),
--
+                }
-+
+    }
     #[derive(Debug)]
     struct Client {
         inner: SharedHttpConnector,
-+
+    }
     impl Client {
         fn new(expected_token: &'static str) -> Self {
             Self {
                 inner: SharedHttpConnector::new(ClientInner { expected_token }),
-673
+            }
-674
+        }
         impl HttpClient for Client {
             fn http_connector(
                 &self,
                 _settings: &HttpConnectorSettings,
                 _components: &RuntimeComponents,
             ) -> SharedHttpConnector {
                 self.inner.clone()
--
+            }
-+
+    }
     impl HttpClient for Client {
         fn http_connector(
             &self,
             _settings: &HttpConnectorSettings,
             _components: &RuntimeComponents,
         ) -> SharedHttpConnector {
             self.inner.clone()
-683
+        }
-+
+    }
-685
         let fs = Fs::from_map({
     fn create_test_fs() -> Fs {
         Fs::from_map({
             let mut map = HashMap::new();
             map.insert(
                 "/home/.aws/config".to_string(),
                 br#"
 [profile default]
 sso_session = dev
 sso_account_id = 012345678901
 sso_role_name = SampleRole
 region = us-east-1
-697
 [sso-session dev]
 sso_region = us-east-1
 sso_start_url = https://d-abc123.awsapps.com/start
                 "#
                 .to_vec(),
             );
             map.insert(
                 "/home/.aws/sso/cache/34c6fceca75e456f25e7e99531e2425c6c1de443.json".to_string(),
                 br#"
-707
+                {
                     "accessToken": "secret-access-token",
                     "expiresAt": "2199-11-14T04:05:45Z",
                     "refreshToken": "secret-refresh-token",
                     "clientId": "ABCDEFG323242423121312312312312312",
                     "clientSecret": "ABCDE123",
                     "registrationExpiresAt": "2199-03-06T19:53:17Z",
                     "region": "us-east-1",
                     "startUrl": "https://d-abc123.awsapps.com/start"
-716
+                }
                 "#
                 .to_vec(),
             );
             map
         });
         })
-+
+    }
-+
     // TODO(https://github.com/awslabs/aws-sdk-rust/issues/1117) This test is ignored on Windows because it uses Unix-style paths
     #[cfg_attr(windows, ignore)]
     // In order to preserve the SSO token cache, the inner provider must only
     // be created once, rather than once per credential resolution.
     #[tokio::test]
     async fn create_inner_provider_exactly_once() {
         let fs = create_test_fs();
-+
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
-737
         let first_creds = provider.provide_credentials().await.unwrap();
-739
         // Write to the token cache with an access token that won't match the fake client's
         // expected access token, and thus, won't return SSO credentials.
         fs.write(
             "/home/.aws/sso/cache/34c6fceca75e456f25e7e99531e2425c6c1de443.json",
             r#"
-745
+            {
                 "accessToken": "NEW!!secret-access-token",
                 "expiresAt": "2199-11-14T04:05:45Z",
                 "refreshToken": "secret-refresh-token",
                 "clientId": "ABCDEFG323242423121312312312312312",
                 "clientSecret": "ABCDE123",
                 "registrationExpiresAt": "2199-03-06T19:53:17Z",
                 "region": "us-east-1",
                 "startUrl": "https://d-abc123.awsapps.com/start"
-754
+            }
             "#,
-756
+        )
         .await
         .unwrap();
-759
         // Loading credentials will still work since the SSOTokenProvider should have only
         // been created once, and thus, the correct token is still in an in-memory cache.
         let second_creds = provider
             .provide_credentials()
             .await
             .expect("used cached token instead of loading from the file system");
         assert_eq!(first_creds, second_creds);
-767
         // Now create a new provider, which should use the new cached token value from the file system
         // since it won't have the in-memory cache. We do this just to verify that the FS mutation above
         // actually worked correctly.
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("NEW!!secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
         let third_creds = provider.provide_credentials().await.unwrap();
         assert_eq!(second_creds, third_creds);
-778
+    }
-+
     #[cfg_attr(windows, ignore)]
     #[tokio::test]
     async fn credential_feature() {
         let fs = create_test_fs();
-+
         let provider_config = ProviderConfig::empty()
             .with_fs(fs.clone())
             .with_env(Env::from_slice(&[("HOME", "/home")]))
             .with_http_client(Client::new("secret-access-token"));
         let provider = Builder::default().configure(&provider_config).build();
-+
         let creds = provider.provide_credentials().await.unwrap();
-+
         assert_eq!(
             &vec![
                 AwsCredentialFeature::CredentialsSso,
                 AwsCredentialFeature::CredentialsProfile
             ],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
-+
+        )
-+
+    }
-801
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/sso/credentials.rs

@@ -1,1 +46,47 @@

↥ Expand context

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! SSO Credentials Provider

 //!
 //! This credentials provider enables loading credentials from `~/.aws/sso/cache`. For more information,
 //! see [Using AWS SSO Credentials](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/sso-credentials.html)
 //!
 //! This provider is included automatically when profiles are loaded.
-12
 use super::cache::load_cached_token;
 use crate::identity::IdentityCache;
 use crate::provider_config::ProviderConfig;
 use crate::sso::SsoTokenProvider;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_sdk_sso::types::RoleCredentials;
 use aws_sdk_sso::Client as SsoClient;
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::DateTime;
 use aws_types::os_shim_internal::{Env, Fs};
 use aws_types::region::Region;
 use aws_types::SdkConfig;
-27

↧ Expand context

 /// SSO Credentials Provider
 ///
 /// _Note: This provider is part of the default credentials chain and is integrated with the profile-file provider._
 ///
 /// This credentials provider will use cached SSO tokens stored in `~/.aws/sso/cache/<hash>.json`.
 /// Two different values will be tried for `<hash>` in order:
 /// 1. The configured [`session_name`](Builder::session_name).
 /// 2. The configured [`start_url`](Builder::start_url).
 #[derive(Debug)]
 pub struct SsoCredentialsProvider {
     fs: Fs,
     env: Env,
     sso_provider_config: SsoProviderConfig,
     sdk_config: SdkConfig,
     token_provider: Option<SsoTokenProvider>,
     time_source: SharedTimeSource,
-44
+}
-45
 impl SsoCredentialsProvider {
     /// Creates a builder for [`SsoCredentialsProvider`]

@@ -61,62 +120,127 @@

↥ Expand context

                     .configure(&provider_config.client_config())
                     .start_url(&sso_provider_config.start_url)
                     .session_name(session_name)
                     .region(sso_provider_config.region.clone())
                     .build_with(env.clone(), fs.clone()),
-67
+            )
         } else {
             None
         };
-71
         SsoCredentialsProvider {
             fs,
             env,
             sso_provider_config,
             sdk_config: provider_config.client_config(),
             token_provider,
             time_source: provider_config.time_source(),
-79
+        }
-80
+    }
-81

     async fn credentials(&self) -> provider::Result {
         load_sso_credentials(
             &self.sso_provider_config,
             &self.sdk_config,
             self.token_provider.as_ref(),
             &self.env,
             &self.fs,
             self.time_source.clone(),
-90
+        )
         .await
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsSso);
             creds
         })
-98
+    }
-99
+}
-100
 impl ProvideCredentials for SsoCredentialsProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-105
+    {
         future::ProvideCredentials::new(self.credentials())
-107
+    }

↧ Expand context

-108
+}
-109
 /// Builder for [`SsoCredentialsProvider`]
 #[derive(Default, Debug, Clone)]
 pub struct Builder {
     provider_config: Option<ProviderConfig>,
     account_id: Option<String>,
     region: Option<Region>,
     role_name: Option<String>,
     start_url: Option<String>,
     session_name: Option<String>,
-119
+}
-120
 impl Builder {
     /// Create a new builder for [`SsoCredentialsProvider`]
     pub fn new() -> Self {
         Self::default()
-125
+    }
-126
     /// Override the configuration used for this provider

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/sts/assume_role.rs

@@ -1,1 +37,38 @@

 /*
  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
-5
 //! Assume credentials for a role through the AWS Security Token Service (STS).
-7
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{
     self, error::CredentialsError, future, ProvideCredentials, SharedCredentialsProvider,
 };
 use aws_sdk_sts::operation::assume_role::builders::AssumeRoleFluentBuilder;
 use aws_sdk_sts::operation::assume_role::AssumeRoleError;
 use aws_sdk_sts::types::PolicyDescriptorType;
 use aws_sdk_sts::Client as StsClient;
 use aws_smithy_runtime::client::identity::IdentityCache;
 use aws_smithy_runtime_api::client::result::SdkError;
 use aws_smithy_types::error::display::DisplayErrorContext;

↧ Expand context

 use aws_types::region::Region;
 use aws_types::SdkConfig;
 use std::time::Duration;
 use tracing::Instrument;
-23
 /// Credentials provider that uses credentials provided by another provider to assume a role
 /// through the AWS Security Token Service (STS).
 ///
 /// When asked to provide credentials, this provider will first invoke the inner credentials
 /// provider to get AWS credentials for STS. Then, it will call STS to get assumed credentials for
 /// the desired role.
 ///
 /// # Examples
 /// Create an AssumeRoleProvider explicitly set to us-east-2 that utilizes the default credentials chain.
 /// ```no_run
 /// use aws_config::sts::AssumeRoleProvider;
 /// use aws_types::region::Region;
 /// # async fn docs() {
 /// let provider = AssumeRoleProvider::builder("arn:aws:iam::123456789012:role/demo")
 ///   .region(Region::from_static("us-east-2"))

@@ -258,259 +365,374 @@

↥ Expand context

             .set_duration_seconds(self.session_length.map(|dur| dur.as_secs() as i32));
-260
         AssumeRoleProvider {
             inner: Inner { fluent_builder },
-263
+        }
-264
+    }
-265
     /// Build a credentials provider for this role authorized by the given `provider`.
     pub async fn build_from_provider(
         mut self,
         provider: impl ProvideCredentials + 'static,
     ) -> AssumeRoleProvider {
         let conf = match self.sdk_config {
             Some(conf) => conf,
             None => crate::load_defaults(crate::BehaviorVersion::latest()).await,
         };
         let conf = conf
             .into_builder()
             .credentials_provider(SharedCredentialsProvider::new(provider))
             .build();

         self.sdk_config = Some(conf);
         self.build().await
-281
+    }
-282
+}
-283
 impl Inner {
     async fn credentials(&self) -> provider::Result {
         tracing::debug!("retrieving assumed credentials");
-287
         let assumed = self.fluent_builder.clone().send().in_current_span().await;
         match assumed {
         let assumed = match assumed {
             Ok(assumed) => {
                 tracing::debug!(
                     access_key_id = ?assumed.credentials.as_ref().map(|c| &c.access_key_id),
                     "obtained assumed credentials"
                 );
                 super::util::into_credentials(
                     assumed.credentials,
                     assumed.assumed_role_user,
                     "AssumeRoleProvider",
-299
+                )
-300
+            }
             Err(SdkError::ServiceError(ref context))
                 if matches!(
                     context.err(),
                     AssumeRoleError::RegionDisabledException(_)
                         | AssumeRoleError::MalformedPolicyDocumentException(_)
                 ) =>
-307
+            {
                 Err(CredentialsError::invalid_configuration(
                     assumed.err().unwrap(),
                 ))
-311
+            }
             Err(SdkError::ServiceError(ref context)) => {
                 tracing::warn!(error = %DisplayErrorContext(context.err()), "STS refused to grant assume role");
                 Err(CredentialsError::provider_error(assumed.err().unwrap()))
-315
+            }
             Err(err) => Err(CredentialsError::provider_error(err)),
--
+        }
         };
-+
         assumed.map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsStsAssumeRole);
             creds
         })
-325
+    }
-326
+}
-327
 impl ProvideCredentials for AssumeRoleProvider {
     fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
     where
         Self: 'a,
-332
+    {
         future::ProvideCredentials::new(
             self.inner
                 .credentials()
                 .instrument(tracing::debug_span!("assume_role")),
-337
+        )
-338
+    }
-339
+}
-340
 #[cfg(test)]
 mod test {
     use crate::sts::AssumeRoleProvider;
     use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::credential_fn::provide_credentials_fn;
     use aws_credential_types::provider::{ProvideCredentials, SharedCredentialsProvider};
     use aws_credential_types::Credentials;
     use aws_smithy_async::rt::sleep::{SharedAsyncSleep, TokioSleep};
     use aws_smithy_async::test_util::instant_time_and_sleep;
     use aws_smithy_async::time::StaticTimeSource;
     use aws_smithy_http_client::test_util::{capture_request, ReplayEvent, StaticReplayClient};
     use aws_smithy_runtime::test_util::capture_test_logs::capture_test_logs;
     use aws_smithy_runtime_api::client::behavior_version::BehaviorVersion;
     use aws_smithy_types::body::SdkBody;

↧ Expand context

     use aws_types::os_shim_internal::Env;
     use aws_types::region::Region;
     use aws_types::SdkConfig;
     use http::header::AUTHORIZATION;
     use std::time::{Duration, UNIX_EPOCH};
-360
     #[tokio::test]
     async fn configures_session_length() {
         let (http_client, request) = capture_request(None);
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(TokioSleep::new()))
             .time_source(StaticTimeSource::new(
                 UNIX_EPOCH + Duration::from_secs(1234567890 - 120),
             ))
             .http_client(http_client)
             .region(Region::from_static("this-will-be-overridden"))
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)

@@ -416,425 +515,566 @@

↥ Expand context

                 .unwrap(),
         ));
         let conf = crate::defaults(BehaviorVersion::latest())
             .env(Env::from_slice(&[
                 ("AWS_ACCESS_KEY_ID", "123-key"),
                 ("AWS_SECRET_ACCESS_KEY", "456"),
                 ("AWS_REGION", "us-west-17"),
             ]))
             .use_dual_stack(true)
             .use_fips(true)
             .time_source(StaticTimeSource::from_secs(1234567890))
             .http_client(http_client)
             .load()
             .await;
         let provider = AssumeRoleProvider::builder("role")
             .configure(&conf)
             .build()
             .await;
         let _ = dbg!(provider.provide_credentials().await);
         let req = request.expect_request();

         let auth_header = req.headers().get(AUTHORIZATION).unwrap().to_string();
         let expect = "Credential=123-key/20090213/us-west-17/sts/aws4_request";
         assert!(
             auth_header.contains(expect),
             "Expected header to contain {expect} but it was {auth_header}"
         );
         // ensure that FIPS & DualStack are also respected
         assert_eq!("https://sts-fips.us-west-17.api.aws/", req.uri())
-453
+    }
-454
     #[tokio::test]
     async fn provider_does_not_cache_credentials_by_default() {
         let http_client = StaticReplayClient::new(vec![
     fn create_test_http_client() -> StaticReplayClient {
         StaticReplayClient::new(vec![
             ReplayEvent::new(http::Request::new(SdkBody::from("request body")),
             http::Response::builder().status(200).body(SdkBody::from(
                 "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROAR42TAWARILN3MNKUT:assume-role-from-profile-1632246085998</AssumedRoleId>\n      <Arn>arn:aws:sts::130633740322:assumed-role/assume-provider-test/assume-role-from-profile-1632246085998</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIARCORRECT</AccessKeyId>\n      <SecretAccessKey>secretkeycorrect</SecretAccessKey>\n      <SessionToken>tokencorrect</SessionToken>\n      <Expiration>2009-02-13T23:31:30Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>d9d47248-fd55-4686-ad7c-0fb7cd1cddd7</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n"
             )).unwrap()),
             ReplayEvent::new(http::Request::new(SdkBody::from("request body")),
             http::Response::builder().status(200).body(SdkBody::from(
                 "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROAR42TAWARILN3MNKUT:assume-role-from-profile-1632246085998</AssumedRoleId>\n      <Arn>arn:aws:sts::130633740322:assumed-role/assume-provider-test/assume-role-from-profile-1632246085998</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIARCORRECT</AccessKeyId>\n      <SecretAccessKey>TESTSECRET</SecretAccessKey>\n      <SessionToken>tokencorrect</SessionToken>\n      <Expiration>2009-02-13T23:33:30Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>c2e971c2-702d-4124-9b1f-1670febbea18</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n"
             )).unwrap()),
         ]);
         ])
-+
+    }
-+
     #[tokio::test]
     async fn provider_does_not_cache_credentials_by_default() {
         let http_client = create_test_http_client();
-471
         let (testing_time_source, sleep) = instant_time_and_sleep(
             UNIX_EPOCH + Duration::from_secs(1234567890 - 120), // 1234567890 since UNIX_EPOCH is 2009-02-13T23:31:30Z
         );
-475
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(sleep))
             .time_source(testing_time_source.clone())
             .http_client(http_client)
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let credentials_list = std::sync::Arc::new(std::sync::Mutex::new(vec![
             Credentials::new(
                 "test",
                 "test",
                 None,
                 Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 1)),
                 "test",
             ),
             Credentials::new(
                 "test",
                 "test",
                 None,
                 Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 120)),
                 "test",
             ),
         ]));
         let credentials_list_cloned = credentials_list.clone();
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)
             .region(Region::new("us-east-1"))
             .build_from_provider(provide_credentials_fn(move || {
                 let list = credentials_list.clone();
                 async move {
                     let next = list.lock().unwrap().remove(0);
                     Ok(next)
-507
+                }
             }))
             .await;
-510
         let creds_first = provider
             .provide_credentials()
             .await
             .expect("should return valid credentials");
-515
         // After time has been advanced by 120 seconds, the first credentials _could_ still be valid
         // if `LazyCredentialsCache` were used, but the provider uses `NoCredentialsCache` by default
         // so the first credentials will not be used.
         testing_time_source.advance(Duration::from_secs(120));
-520
         let creds_second = provider
             .provide_credentials()
             .await
             .expect("should return the second credentials");
         assert_ne!(creds_first, creds_second);
         assert!(credentials_list_cloned.lock().unwrap().is_empty());
-527
+    }
-+
     #[tokio::test]
     async fn credentials_feature() {
         let http_client = create_test_http_client();
-+
         let (testing_time_source, sleep) = instant_time_and_sleep(
             UNIX_EPOCH + Duration::from_secs(1234567890), // 1234567890 since UNIX_EPOCH is 2009-02-13T23:31:30Z
         );
-+
         let sdk_config = SdkConfig::builder()
             .sleep_impl(SharedAsyncSleep::new(sleep))
             .time_source(testing_time_source.clone())
             .http_client(http_client)
             .behavior_version(crate::BehaviorVersion::latest())
             .build();
         let credentials = Credentials::new(
             "test",
             "test",
             None,
             Some(UNIX_EPOCH + Duration::from_secs(1234567890 + 1)),
             "test",
         );
         let provider = AssumeRoleProvider::builder("myrole")
             .configure(&sdk_config)
             .region(Region::new("us-east-1"))
             .build_from_provider(credentials)
             .await;
-+
         let creds = provider
             .provide_credentials()
             .await
             .expect("should return valid credentials");
-+
         assert_eq!(
             &vec![AwsCredentialFeature::CredentialsStsAssumeRole],
             creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
-+
+        )
-+
+    }
-566
+}

tmp-codegen-diff/aws-sdk/sdk/aws-config/src/web_identity_token.rs

@@ -36,36 +95,96 @@

↥ Expand context

 //! 2. As a source profile for another role:
 //!
 //!   ```ini
 //!   [profile default]
 //!   role_arn = arn:aws:iam::123456789:role/RoleA
 //!   source_profile = base
 //!
 //!   [profile base]
 //!   role_arn = arn:aws:iam::123456789012:role/s3-reader
 //!   web_identity_token_file = /token.jwt
 //!   ```
 //!
 //! # Examples
 //! Web Identity Token providers are part of the [default chain](crate::default_provider::credentials).
 //! However, they may be directly constructed if you don't want to use the default provider chain.
 //! Unless overridden with [`static_configuration`](Builder::static_configuration), the provider will
 //! load configuration from environment variables.
 //!
 //! ```no_run
 //! # async fn test() {

 //! use aws_config::web_identity_token::WebIdentityTokenCredentialsProvider;
 //! use aws_config::provider_config::ProviderConfig;
 //! let provider = WebIdentityTokenCredentialsProvider::builder()
 //!     .configure(&ProviderConfig::with_default_region().await)
 //!     .build();
 //! # }
 //! ```
-63
 use crate::provider_config::ProviderConfig;
 use crate::sts;
 use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_sdk_sts::{types::PolicyDescriptorType, Client as StsClient};
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use aws_types::os_shim_internal::{Env, Fs};
-72
 use std::borrow::Cow;
 use std::path::{Path, PathBuf};
-75
 const ENV_VAR_TOKEN_FILE: &str = "AWS_WEB_IDENTITY_TOKEN_FILE";

↧ Expand context

 const ENV_VAR_ROLE_ARN: &str = "AWS_ROLE_ARN";
 const ENV_VAR_SESSION_NAME: &str = "AWS_ROLE_SESSION_NAME";
-79
 /// Credential provider to load credentials from Web Identity Tokens
 ///
 /// See Module documentation for more details
 #[derive(Debug)]
 pub struct WebIdentityTokenCredentialsProvider {
     source: Source,
     time_source: SharedTimeSource,
     fs: Fs,
     sts_client: StsClient,
     policy: Option<String>,
     policy_arns: Option<Vec<PolicyDescriptorType>>,
-91
+}
-92
 impl WebIdentityTokenCredentialsProvider {
     /// Builder for this credentials provider
     pub fn builder() -> Builder {
         Builder::default()

@@ -133,134 +192,199 @@

↥ Expand context

                 })?;
                 let role_arn = env.get(ENV_VAR_ROLE_ARN).map_err(|_| {
                     CredentialsError::invalid_configuration(
                         "AWS_ROLE_ARN environment variable must be set",
-138
+                    )
                 })?;
                 let session_name = env.get(ENV_VAR_SESSION_NAME).unwrap_or_else(|_| {
                     sts::util::default_session_name("web-identity-token", self.time_source.now())
                 });
                 Ok(Cow::Owned(StaticConfiguration {
                     web_identity_token_file: token_file.into(),
                     role_arn,
                     session_name,
                 }))
-148
+            }
             Source::Static(conf) => Ok(Cow::Borrowed(conf)),
-150
+        }
-151
+    }
     async fn credentials(&self) -> provider::Result {
         let conf = self.source()?;

         load_credentials(
             &self.fs,
             &self.sts_client,
             self.policy.clone(),
             self.policy_arns.clone(),
             &conf.web_identity_token_file,
             &conf.role_arn,
             &conf.session_name,
-162
+        )
         .await
         .map(|mut creds| {
             creds
                 .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
                 .push(AwsCredentialFeature::CredentialsProfileStsWebIdToken);
             creds
         })
-170
+    }
-171
+}
-172
 /// Builder for [`WebIdentityTokenCredentialsProvider`].
 #[derive(Debug, Default)]
 pub struct Builder {
     source: Option<Source>,
     config: Option<ProviderConfig>,
     policy: Option<String>,
     policy_arns: Option<Vec<PolicyDescriptorType>>,

↧ Expand context

-180
+}
-181
 impl Builder {
     /// Configure generic options of the [WebIdentityTokenCredentialsProvider]
     ///
     /// # Examples
     /// ```no_run
     /// # async fn test() {
     /// use aws_config::web_identity_token::WebIdentityTokenCredentialsProvider;
     /// use aws_config::provider_config::ProviderConfig;
     /// let provider = WebIdentityTokenCredentialsProvider::builder()
     ///     .configure(&ProviderConfig::with_default_region().await)
     ///     .build();
     /// # }
     /// ```
     pub fn configure(mut self, provider_config: &ProviderConfig) -> Self {
         self.config = Some(provider_config.clone());
         self
-198
+    }
-199

tmp-codegen-diff/aws-sdk/sdk/aws-credential-types/Cargo.toml

@@ -7,7 +49,49 @@

↥ Expand context

 edition = "2021"
 license = "Apache-2.0"
 repository = "https://github.com/smithy-lang/smithy-rs"
 [package.metadata.docs.rs]
 all-features = true
 targets = ["x86_64-unknown-linux-gnu"]
 cargo-args = ["-Zunstable-options", "-Zrustdoc-scrape-examples"]
 rustdoc-args = ["--cfg", "docsrs"]
-15
 [package.metadata.smithy-rs-release-tooling]
 stable = true
-18
 [features]
 hardcoded-credentials = []
 test-util = ["aws-smithy-runtime-api/test-util"]
-22
 [dependencies]
 zeroize = "1.7.0"
-25
 [dependencies.aws-smithy-async]

 path = "../aws-smithy-async"
 version = "1.2.5"
-29
 [dependencies.aws-smithy-types]
 path = "../aws-smithy-types"
 version = "1.3.2"
-33
 [dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["client", "http-auth"]
 version = "1.8.5"
 version = "1.8.6"
-38
 [dev-dependencies]
 async-trait = "0.1.74"
-41
 [dev-dependencies.aws-smithy-runtime-api]
 path = "../aws-smithy-runtime-api"
 features = ["test-util"]
 version = "1.8.5"
 version = "1.8.6"
-46
 [dev-dependencies.tokio]
 version = "1.23.1"
 features = ["full", "test-util", "rt"]

tmp-codegen-diff/aws-sdk/sdk/aws-credential-types/src/credentials_impl.rs

@@ -69,69 +128,131 @@

↥ Expand context

     // Optional piece of data to support account-based endpoints.
     // https://docs.aws.amazon.com/sdkref/latest/guide/feature-account-endpoints.html
     account_id: Option<AccountId>,
-72
     provider_name: &'static str,
-74
+}
-75
 impl Debug for Credentials {
     fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
         let mut creds = f.debug_struct("Credentials");
         creds
             .field("provider_name", &self.0.provider_name)
             .field("access_key_id", &self.0.access_key_id.as_str())
             .field("secret_access_key", &"** redacted **");
         if let Some(expiry) = self.expiry() {
             if let Some(formatted) = expiry.duration_since(UNIX_EPOCH).ok().and_then(|dur| {
                 aws_smithy_types::DateTime::from_secs(dur.as_secs() as _)
                     .fmt(Format::DateTime)
                     .ok()
             }) {

                 creds.field("expires_after", &formatted);
             } else {
                 creds.field("expires_after", &expiry);
-92
+            }
         } else {
             creds.field("expires_after", &"never");
-95
+        }
         if let Some(account_id) = &self.0.account_id {
             creds.field("account_id", &account_id.as_str());
-98
+        }
         for (i, prop) in self.1.values().enumerate() {
             creds.field(&format!("property_{i}"), prop);
-+
+        }
         creds.finish()
-103
+    }
-104
+}
-105
 #[cfg(feature = "hardcoded-credentials")]
 const STATIC_CREDENTIALS: &str = "Static";
-108
 impl Credentials {
     /// Returns builder for `Credentials`.
     pub fn builder() -> CredentialsBuilder {

↧ Expand context

         CredentialsBuilder::default()
-113
+    }
-114
     /// Creates `Credentials`.
     ///
     /// This is intended to be used from a custom credentials provider implementation.
     /// It is __NOT__ secure to hardcode credentials into your application.
     pub fn new(
         access_key_id: impl Into<String>,
         secret_access_key: impl Into<String>,
         session_token: Option<String>,
         expires_after: Option<SystemTime>,
         provider_name: &'static str,
     ) -> Self {
         Credentials(
             Arc::new(Inner {
                 access_key_id: Zeroizing::new(access_key_id.into()),
                 secret_access_key: Zeroizing::new(secret_access_key.into()),
                 session_token: Zeroizing::new(session_token),
                 expires_after,

Pages: 1 2 3 4

1 1	`/*`
2 2	`* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.`

1 1	`/*`
2 2	`* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.`
3 3	`* SPDX-License-Identifier: Apache-2.0`