Add feature id tracking for credentials

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Add feature id tracking for credentials.
+
 3.220.1 (2025-03-06)
 ------------------
 

gems/aws-sdk-core/lib/aws-sdk-core/assume_role_credentials.rb

@@ -59,9 +59,12 @@ def initialize(options = {})
     # @return [Hash]
     attr_reader :assume_role_params
 
+    attr_accessor :metrics
+
     private
 
     def refresh
+      puts "Refreshing credentials"
       resp = @client.assume_role(@assume_role_params)
       creds = resp.credentials
       @credentials = Credentials.new(

gems/aws-sdk-core/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -67,6 +67,8 @@ def initialize(options = {})
     # @return [STS::Client]
     attr_reader :client
 
+    attr_accessor :metrics
+
     private
 
     def refresh

gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb

@@ -9,9 +9,79 @@ def initialize(config = nil)
 
     # @return [CredentialProvider, nil]
     def resolve
+      puts "RESOLVING CREDENTIALS"
       providers.each do |method_name, options|
         provider = send(method_name, options.merge(config: @config))
-        return provider if provider && provider.set?
+        if provider && provider.set?
+          puts method_name
+          puts provider
+          case method_name.to_s
+          when "static_credentials"
+            puts "CREDENTIALS_PROFILE: n"
+          when "static_profile_assume_role_web_identity_credentials"
+            puts "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN and CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: qk"
+          when "static_profile_sso_credentials"
+            puts "CREDENTIALS_PROFILE_SSO and CREDENTIALS_SSO: rs (NEW)"
+            puts "OR"
+            puts "CREDENTIALS_PROFILE_SSO_LEGACY and CREDENTIALS_SSO_LEGACY: tu (LEGACY)"
+          when "static_profile_assume_role_credentials"
+            puts "CREDENTIALS_PROFILE_SOURCE_PROFILE: o and ( \
+                  CREDENTIALS_PROFILE: n or \
+                  CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN and CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: qk or \
+                  CREDENTIALS_PROFILE_PROCESS and CREDENTIALS_PROCESS: vw or \
+                  CREDENTIALS_PROFILE_SSO and CREDENTIALS_SSO: rs (NEW) or \
+                  CREDENTIALS_PROFILE_SSO_LEGACY and CREDENTIALS_SSO_LEGACY: tu (LEGACY) \
+                  ) \
+                  and CREDENTIALS_STS_ASSUME_ROLE: i"
+            puts "OR"
+            puts "CREDENTIALS_PROFILE_NAMED_PROVIDER: p and ( \
+                  CREDENTIALS_IMDS: 0 or \
+                  CREDENTIALS_HTTP: z \
+                  ) \
+                  and CREDENTIALS_STS_ASSUME_ROLE: i"
+          when "static_profile_credentials"
+            puts "CREDENTIALS_PROFILE: n"
+          when "static_profile_process_credentials"
+            puts "CREDENTIALS_PROFILE_PROCESS and CREDENTIALS_PROCESS: vw"
+          when "env_credentials"
+            puts "CREDENTIALS_ENV_VARS: g"
+          when "assume_role_web_identity_credentials"
+            puts "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN and CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: hk"
+            puts "OR"
+            puts "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN and CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: qk"
+          when "sso_credentials"
+            puts "CREDENTIALS_PROFILE_SSO and CREDENTIALS_SSO: rs (NEW)"
+            puts "OR"
+            puts "CREDENTIALS_PROFILE_SSO_LEGACY and CREDENTIALS_SSO_LEGACY: tu (LEGACY)"
+          when "assume_role_credentials"
+            puts "CREDENTIALS_PROFILE_SOURCE_PROFILE: o and ( \
+                  CREDENTIALS_PROFILE: n or \
+                  CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN and CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: qk or \
+                  CREDENTIALS_PROFILE_PROCESS and CREDENTIALS_PROCESS: vw or \
+                  CREDENTIALS_PROFILE_SSO and CREDENTIALS_SSO: rs (NEW) or \
+                  CREDENTIALS_PROFILE_SSO_LEGACY and CREDENTIALS_SSO_LEGACY: tu (LEGACY) \
+                  ) \
+                  and CREDENTIALS_STS_ASSUME_ROLE: i"
+            puts "OR"
+            puts "CREDENTIALS_PROFILE_NAMED_PROVIDER: p and ( \
+                  CREDENTIALS_IMDS: 0 or \
+                  CREDENTIALS_HTTP: z \
+                  ) \
+                  and CREDENTIALS_STS_ASSUME_ROLE: i"
+          when "shared_credentials"
+            puts "CREDENTIALS_PROFILE: n"
+          when "process_credentials"
+            puts "CREDENTIALS_PROFILE_PROCESS and CREDENTIALS_PROCESS: vw"
+          when "instance_profile_credentials"
+            puts "CREDENTIALS_HTTP (z)"
+            puts "OR"
+            puts "CREDENTIALS_IMDS (0)"
+          else
+            puts method_name
+            puts "!! UNKNOWN !!"
+          end
+          return provider
+        end
       end
       nil
     end
@@ -42,12 +112,14 @@ def providers
 
     def static_credentials(options)
       if options[:config]
-        Credentials.new(
+        credentials = Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
           options[:config].session_token,
           account_id: options[:config].account_id
         )
+        credentials.metrics = ['CREDENTIALS_PROFILE']
+        credentials
       end
     end
 
@@ -76,7 +148,9 @@ def static_profile_assume_role_credentials(options)
 
     def static_profile_credentials(options)
       if options[:config] && options[:config].profile
-        SharedCredentials.new(profile_name: options[:config].profile)
+        credentials = SharedCredentials.new(profile_name: options[:config].profile)
+        credentials.metrics = ['CREDENTIALS_PROFILE']
+        credentials
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -85,23 +159,30 @@ def static_profile_credentials(options)
     def static_profile_process_credentials(options)
       if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
         process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          credentials = ProcessCredentials.new([process_provider])
+          credentials.metrics = %w[CREDENTIALS_PROFILE_PROCESS CREDENTIALS_PROCESS]
+          credentials
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
     end
 
+
     def env_credentials(_options)
       key =    %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
       secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
       token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
       account_id = %w[AWS_ACCOUNT_ID]
-      Credentials.new(
+      credentials = Credentials.new(
         envar(key),
         envar(secret),
         envar(token),
         account_id: envar(account_id)
       )
+      credentials.metrics = ['CREDENTIALS_ENV_VARS']
+      credentials
     end
 
     def envar(keys)
@@ -117,7 +198,9 @@ def determine_profile_name(options)
 
     def shared_credentials(options)
       profile_name = determine_profile_name(options)
-      SharedCredentials.new(profile_name: profile_name)
+      credentials = SharedCredentials.new(profile_name: profile_name)
+      credentials.metrics = ['CREDENTIALS_PROFILE']
+      credentials
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -126,7 +209,11 @@ def process_credentials(options)
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?
         process_provider = Aws.shared_config.credential_process(profile: profile_name)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          credentials = ProcessCredentials.new([process_provider])
+          credentials.metrics = %w[CREDENTIALS_PROFILE_PROCESS CREDENTIALS_PROCESS]
+          credentials
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -156,7 +243,11 @@ def assume_role_web_identity_credentials(options)
           role_session_name: ENV['AWS_ROLE_SESSION_NAME']
         }
         cfg[:region] = region if region
-        AssumeRoleWebIdentityCredentials.new(cfg)
+        with_metrics('CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN') do
+          credentials = AssumeRoleWebIdentityCredentials.new(cfg)
+          credentials.metrics = %w[CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN CREDENTIALS_STS_ASSUME_ROLE_WEB_ID]
+          credentials
+        end
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(
@@ -170,9 +261,13 @@ def instance_profile_credentials(options)
       profile_name = determine_profile_name(options)
       if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
          ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
-        ECSCredentials.new(options)
+        credentials = ECSCredentials.new(options)
+        credentials.metrics = ['CREDENTIALS_HTTP']
+        credentials
       else
-        InstanceProfileCredentials.new(options.merge(profile: profile_name))
+        credentials = InstanceProfileCredentials.new(options.merge(profile: profile_name))
+        credentials.metrics = ['CREDENTIALS_IMDS']
+        credentials
       end
     end
 
@@ -186,5 +281,9 @@ def assume_role_with_profile(options, profile_name)
       end
       Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
+
+    def with_metrics(metric, &block)
+      Aws::Plugins::UserAgent.metric(metric, &block)
+    end
   end
 end

gems/aws-sdk-core/lib/aws-sdk-core/credentials.rb

@@ -28,6 +28,8 @@ def initialize(access_key_id, secret_access_key, session_token = nil,
     # @return [String, nil]
     attr_reader :account_id
 
+    attr_accessor :metrics
+
     # @return [Credentials]
     def credentials
       self

gems/aws-sdk-core/lib/aws-sdk-core/ecs_credentials.rb

@@ -84,6 +84,8 @@ def initialize(options = {})
     #   fetch credentials from the instance metadata service. Defaults to 0.
     attr_reader :retries
 
+    attr_accessor :metrics
+
     private
 
     def initialize_uri(options, credential_path, endpoint)

gems/aws-sdk-core/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -98,6 +98,8 @@ def initialize(options = {})
     #   the default credential chain ({Aws::CredentialProviderChain}).
     attr_reader :retries
 
+    attr_accessor :metrics
+
     private
 
     def resolve_endpoint_mode(options)

gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb

@@ -41,20 +41,43 @@ def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_cred
       class Handler < Seahorse::Client::Handler
         def call(context)
           # Skip signing if using sigv2 signing from s3_signer in S3
+          credentials = nil
           unless v2_signing?(context.config)
             signer = Sign.signer_for(
               context[:auth_scheme],
               context.config,
               context[:sigv4_region],
               context[:sigv4_credentials]
             )
+            # TODO: temp added this, double check
+            if signer.is_a?(SignatureV4)
+              credentials = signer.signer.credentials_provider
+            end
             signer.sign(context)
           end
-          @handler.call(context)
+          with_metrics(credentials) { @handler.call(context) }
         end
 
         private
 
+        def with_metrics(credentials, &block)
+          puts "in with metric"
+          unless credentials && credentials.respond_to?(:metrics)
+            puts "No metrics"
+            return block.call
+          end
+
+          metrics = []
+          if !credentials.metrics
+            metrics << 'CREDENTIALS_CODE'
+          else
+            puts credentials.class.name
+            puts credentials.metrics
+            (metrics << credentials.metrics).flatten!
+          end
+          Aws::Plugins::UserAgent.metric(*metrics, &block)
+        end
+
         def v2_signing?(config)
           # 's3' is legacy signing, 'v4' is default
           config.respond_to?(:signature_version) &&
@@ -92,6 +115,8 @@ def sign_event(*args)
 
       # @api private
       class SignatureV4
+        attr_reader :signer
+
         def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
 

gems/aws-sdk-core/lib/aws-sdk-core/plugins/user_agent.rb

@@ -34,7 +34,33 @@ class UserAgent < Seahorse::Client::Plugin
           "FLEXIBLE_CHECKSUMS_REQ_WHEN_SUPPORTED" : "Z",
           "FLEXIBLE_CHECKSUMS_REQ_WHEN_REQUIRED" : "a",
           "FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED" : "b",
-          "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c"
+          "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c",
+          "DDB_MAPPER": "d",
+          "CREDENTIALS_CODE" : "e",
+          "CREDENTIALS_JVM_SYSTEM_PROPERTIES" : "f",
+          "CREDENTIALS_ENV_VARS" : "g",
+          "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN" : "h",
+          "CREDENTIALS_STS_ASSUME_ROLE" : "i",
+          "CREDENTIALS_STS_ASSUME_ROLE_SAML" : "j",
+          "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID" : "k",
+          "CREDENTIALS_STS_FEDERATION_TOKEN" : "l",
+          "CREDENTIALS_STS_SESSION_TOKEN" : "m",
+          "CREDENTIALS_PROFILE" : "n",
+          "CREDENTIALS_PROFILE_SOURCE_PROFILE" : "o",
+          "CREDENTIALS_PROFILE_NAMED_PROVIDER" : "p",
+          "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN" : "q",
+          "CREDENTIALS_PROFILE_SSO" : "r",
+          "CREDENTIALS_SSO" : "s",
+          "CREDENTIALS_PROFILE_SSO_LEGACY" : "t",
+          "CREDENTIALS_SSO_LEGACY" : "u",
+          "CREDENTIALS_PROFILE_PROCESS" : "v",
+          "CREDENTIALS_PROCESS" : "w",
+          "CREDENTIALS_BOTO2_CONFIG_FILE" : "x",
+          "CREDENTIALS_AWS_SDK_STORE" : "y",
+          "CREDENTIALS_HTTP" : "z",
+          "CREDENTIALS_IMDS" : "0",
+          "SSO_LOGIN_DEVICE" : "1",
+          "SSO_LOGIN_AUTH" : "2"
         }
       METRICS
 
@@ -186,7 +212,11 @@ def metric_metadata
               return
             end
 
+            # Needed for AssumeRoleCredentials feature id tracking
+            Thread.current[:aws_sdk_core_user_agent_metric].uniq!
+
             metrics = Thread.current[:aws_sdk_core_user_agent_metric].join(',')
+
             # Metric metadata is limited to 1024 bytes
             return "m/#{metrics}" if metrics.bytesize <= 1024
 
@@ -196,7 +226,7 @@ def metric_metadata
         end
       end
 
-      handler(Handler, step: :sign, priority: 97)
+      handler(Handler, step: :sign, priority: 5)
     end
   end
 end

gems/aws-sdk-core/lib/aws-sdk-core/process_credentials.rb

@@ -40,6 +40,8 @@ def initialize(process)
       super
     end
 
+    attr_accessor :metrics
+
     private
 
     def credentials_from_process