awslabs · 0marperez · Nov 4, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024
@@ -0,0 +1,6 @@
+{
+    "id": "0b5b53ab-70c0-4c1b-a445-8663ae86d6d1",
+    "type": "misc",
+    "description": "The order of credentials resolution in config files has been updated to: static credentials, assume role with source profile OR assume role with named provider, web identity token, SSO session, legacy SSO, process",
+    "requiresMinorVersionBump": true
+}
@@ -0,0 +1,6 @@
+{
+    "id": "99a099e1-26c1-4ba1-b0d3-435609ea4e94",
+    "type": "misc",
+    "description": "The order of credentials resolution in the credentials provider chain has been updated to: system properties, environment variables, web identity tokens, profile, ECS, EC2",
+    "requiresMinorVersionBump": true
+}
@@ -0,0 +1,109 @@
+An upcoming release of the **AWS SDK for Kotlin** will change the order of 
+credentials resolution for the [default credentials provider chain](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html#default-credential-provider-chain)
+and the order of credentials resolution for AWS shared config files.
+
+# Release date
+
+This change will be included in the upcoming **v1.4.x** release, expected in the 
+upcoming months.
+
+# What's changing
+
+The order of credentials resolution for the default credentials provider chain,
+and the order of credentials resolution for AWS shared config files (profile chain). 
+
+## Default credentials provider chain
+
+The table below outlines the current and new order in which the SDK will
+resolve credentials from the default credentials provider chain.
+
+| # | Current Order                                                          | New Order                                                              |
+|---|------------------------------------------------------------------------|------------------------------------------------------------------------|
+| 1 | System properties                                                      | System properties                                                      |
+| 2 | Environment variables                                                  | Environment variables                                                  |
+| 3 | **Shared credentials and config files (profile credentials provider)** | **Assume role with web identity token**                                |
+| 4 | **Assume role with web identity token**                                | **Shared credentials and config files (profile credentials provider)** |
+| 5 | Amazon ECS container credentials                                       | Amazon ECS container credentials                                       |
+| 6 | Amazon EC2 Instance Metadata Service                                   | Amazon EC2 Instance Metadata Service                                   |
+
+The [default credentials provider chain documentation](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html#default-credential-provider-chain) 
+contains more details on each credential source.
+
+## Profile chain
+
+The table below outlines the current and new order in which the SDK will 
+resolve credentials from AWS shared config files.
+
+| # | Current Order                                                                                            | New Order                                                                                   |
+|---|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
+| 1 | **Assume role with source profile OR assume role with named provider (mutually exclusive)**              | **Static credentials**                                                                      |
+| 2 | Web identity token                                                                                       | **Assume role with source profile OR assume role with named provider (mutually exclusive)** |
+| 3 | SSO session                                                                                              | Web identity token                                                                          |
+| 4 | Legacy SSO                                                                                               | SSO session                                                                                 |
+| 5 | Process                                                                                                  | Legacy SSO                                                                                  |
+| 6 | **Static credentials (moves up to #1 when in a source profile, shifting other credential sources down)** | Process                                                                                     |
+
+# How to migrate
+
+1. Upgrade all of your AWS SDK for Kotlin dependencies to **v.1.4.x**.
+2. Verify that the changes to the default credentials provider chain and profile chain do not introduce any issues in your program.
+3. If issues arise review the new credentials resolution order, the subsections below, and adjust your configuration as needed.
+
+## Default credentials provider chain
+
+You can preserve the current default credentials provider chain behavior by setting
+the credentials provider to a credentials provider chain with the current order, e.g.
+
+```kotlin
+S3Client{
+    credentialsProvider = CredentialsProviderChain(
+        SystemPropertyCredentialsProvider(),
+        EnvironmentCredentialsProvider(),
+        StsWebIdentityProvider(),
+        ProfileCredentialsProvider(),
+        EcsCredentialsProvider(),
+        ImdsCredentialsProvider(),
+    )
+}
+```
+
+## Profile credentials provider
+
+The order in which credentials are resolved for shared credentials and config 
+files cannot be customized. If your AWS config file(s) contain multiple valid 
+credential sources within a single profile, you may need to update them to align 
+with the new resolution order. For example, config file `A` should be updated to 
+match config file `B`. This is necessary because static credentials will now 
+take precedence and be selected before assume role credentials with a source profile. 
+Similar adjustments to your configuration may be necessary to maintain current
+behavior. Use the new order as a guide for any required changes.
+
+Config file `A`
+```ini
+[default]
+role_arn = arn:aws:iam::123456789:role/Role
+source_profile = A
+aws_access_key_id = 0
+aws_secret_access_key = 0
+
+[profile A]
+aws_access_key_id = 1
+aws_secret_access_key = 2
+```
+
+Config file `B`
+```ini
+[default]
+role_arn = arn:aws:iam::123456789:role/Role
+source_profile = A
+
+[profile A]
+aws_access_key_id = 1
+aws_secret_access_key = 2
+```
+
+# Feedback
+
+If you have any questions concerning this change, please feel free to engage 
+with us in this discussion. If you encounter a bug with these changes when 
+released, please [file an issue](https://github.com/awslabs/aws-sdk-kotlin/issues/new/choose).
@@ -199,6 +199,14 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredent
 	public static synthetic fun fromEnvironment-TUY-ock$default (Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider$Companion;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;JLaws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;ILjava/lang/Object;)Laws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider;
 }
 
+public final class aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CloseableCredentialsProvider {
+	public fun <init> ()V
+	public fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Ljava/lang/String;)V
+	public synthetic fun <init> (Laws/smithy/kotlin/runtime/util/PlatformProvider;Laws/smithy/kotlin/runtime/http/engine/HttpClientEngine;Ljava/lang/String;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun close ()V
+	public fun resolve (Laws/smithy/kotlin/runtime/collections/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+}
+
 public final class aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider {
 	public fun <init> ()V
 	public fun <init> (Lkotlin/jvm/functions/Function1;)V

@@ -23,11 +23,12 @@ import aws.smithy.kotlin.runtime.util.PlatformProvider
  *
  * Resolution order:
  *
- * 1. Environment variables ([EnvironmentCredentialsProvider])
- * 2. Profile ([ProfileCredentialsProvider])
+ * 1. System properties ([SystemPropertyCredentialsProvider])
+ * 2. Environment variables ([EnvironmentCredentialsProvider])
  * 3. Web Identity Tokens ([StsWebIdentityCredentialsProvider]]
- * 4. ECS (IAM roles for tasks) ([EcsCredentialsProvider])
- * 5. EC2 Instance Metadata (IMDSv2) ([ImdsCredentialsProvider])
+ * 4. Profile ([ProfileCredentialsProvider])
+ * 5. ECS (IAM roles for tasks) ([EcsCredentialsProvider])
+ * 6. EC2 Instance Metadata (IMDSv2) ([ImdsCredentialsProvider])
  *
  * The chain is decorated with a [CachedCredentialsProvider].
  *
@@ -54,9 +55,9 @@ public class DefaultChainCredentialsProvider constructor(
     private val chain = CredentialsProviderChain(
         SystemPropertyCredentialsProvider(platformProvider::getProperty),
         EnvironmentCredentialsProvider(platformProvider::getenv),
-        ProfileCredentialsProvider(profileName = profileName, platformProvider = platformProvider, httpClient = engine, region = region),
         // STS web identity provider can be constructed from either the profile OR 100% from the environment
         StsWebIdentityProvider(platformProvider = platformProvider, httpClient = engine, region = region),
+        ProfileCredentialsProvider(profileName = profileName, platformProvider = platformProvider, httpClient = engine, region = region),
         EcsCredentialsProvider(platformProvider, engine),
         ImdsCredentialsProvider(
             client = lazy {
@@ -85,10 +86,10 @@ public class DefaultChainCredentialsProvider constructor(
  * Wrapper around [StsWebIdentityCredentialsProvider] that delays any exceptions until [resolve] is invoked.
  * This allows it to be part of the default chain and any failures result in the chain to move onto the next provider.
  */
-private class StsWebIdentityProvider(
-    val platformProvider: PlatformProvider = PlatformProvider.System,
-    val httpClient: HttpClientEngine? = null,
-    val region: String? = null,
+public class StsWebIdentityProvider(
+    private val platformProvider: PlatformProvider = PlatformProvider.System,
+    private val httpClient: HttpClientEngine? = null,
+    private val region: String? = null,
 ) : CloseableCredentialsProvider {
     override suspend fun resolve(attributes: Attributes): Credentials {
         val wrapped = StsWebIdentityCredentialsProvider.fromEnvironment(platformProvider = platformProvider, httpClient = httpClient, region = region)

@@ -33,6 +33,16 @@ internal data class ProfileChain(
     val roles: List<RoleArn>,
 ) {
     companion object {
+        /**
+         * Resolves profile chain with the following precedence:
+         *
+         * 1. Static credentials
+         * 2. Assume role with source profile OR assume role with named provider (mutually exclusive)
+         * 3. Web ID token file & role arn
+         * 4. SSO session
+         * 5. Legacy SSO
+         * 6. Process
+         */
         internal fun resolve(config: AwsSharedConfig): ProfileChain {
             val visited = mutableSetOf<String>()
             val chain = mutableListOf<RoleArn>()
@@ -53,11 +63,9 @@ internal data class ProfileChain(
                     throw ProviderConfigurationException("profile formed an infinite loop: ${visited.joinToString(separator = " -> ")} -> $sourceProfileName")
                 }
 
-                // when chaining assume role profiles, SDKs MUST terminate the chain as soon as they hit a profile with static credentials
-                if (visited.size > 1) {
-                    leaf = profile.staticCredsOrNull()
-                    if (leaf != null) break@loop
-                }
+                // static credentials have the highest precedence
+                leaf = profile.staticCredsOrNull()
+                if (leaf != null) break@loop
 
                 // the existence of `role_arn` is the only signal that multiple profiles will be chained
                 val roleArn = profile.roleArnOrNull()
@@ -132,8 +140,11 @@ internal const val SSO_SESSION = "sso_session"
 internal const val CREDENTIAL_PROCESS = "credential_process"
 
 private fun AwsProfile.roleArnOrNull(): RoleArn? {
+    val validSource = contains(CREDENTIAL_SOURCE) || contains(SOURCE_PROFILE)
+
+    // chained roles have higher precedence than web id token file
     // web identity tokens are leaf providers, not chained roles
-    if (contains(WEB_IDENTITY_TOKEN_FILE)) return null
+    if (!validSource && contains(WEB_IDENTITY_TOKEN_FILE)) return null
 
     val roleArn = getOrNull(ROLE_ARN) ?: return null
 
@@ -237,11 +248,12 @@ private fun AwsProfile.ssoSessionCreds(config: AwsSharedConfig): LeafProviderRes
 }
 
 /**
- * Attempt to load [LeafProvider.Process] from the current profile or `null` if the current profile does not contain
+ * Attempt to load [LeafProvider.Process] from the current profile or exception if the current profile does not contain
  * a credentials process command to execute
  */
-private fun AwsProfile.processCreds(): LeafProviderResult? {
-    if (!contains(CREDENTIAL_PROCESS)) return null
+private fun AwsProfile.processCreds(): LeafProviderResult {
+    // Process is last in precedence - credentials not found means no credentials in profile
+    if (!contains(CREDENTIAL_PROCESS)) return LeafProviderResult.Err("profile ($name) did not contain credential information")
 
     val credentialProcess = getOrNull(CREDENTIAL_PROCESS) ?: return LeafProviderResult.Err("profile ($name) missing `$CREDENTIAL_PROCESS`")
 
@@ -257,7 +269,7 @@ private fun AwsProfile.staticCreds(): LeafProviderResult {
     val secretKey = getOrNull(AWS_SECRET_ACCESS_KEY)
     val accountId = getOrNull(AWS_ACCOUNT_ID)
     return when {
-        accessKeyId == null && secretKey == null -> LeafProviderResult.Err("profile ($name) did not contain credential information")
+        accessKeyId == null && secretKey == null -> LeafProviderResult.Err("profile ($name) missing `aws_access_key_id` & `aws_secret_access_key`")
         accessKeyId == null -> LeafProviderResult.Err("profile ($name) missing `aws_access_key_id`")
         secretKey == null -> LeafProviderResult.Err("profile ($name) missing `aws_secret_access_key`")
         else -> {
@@ -315,7 +327,6 @@ private fun AwsProfile.leafProvider(config: AwsSharedConfig): LeafProvider {
     return webIdentityTokenCreds()
         .orElse { ssoSessionCreds(config) }
         .orElse(::legacySsoCreds)
-        .orElse(::processCreds)
-        .unwrapOrElse(::staticCreds)
+        .unwrapOrElse(::processCreds)
         .unwrap()
 }