Adds support for loading AWS credentials from shared config/credentials files and assembling them into a pluggable credential provider chain.

New modules:

- aws-config: SEP-conformant INI parser, profile data model, AwsConfigCredentialSource sealed types, handler SPI with ServiceLoader discovery, and built-in handlers for static keys, session keys, and credential_process.
- aws-credential-chain: Credential provider chain with builtin slots, Before/After relative ordering, SPI-based provider discovery, cheap environment detection, and actionable error messages when implementation modules are missing.

Changes to existing modules:

- auth-api: Add CachingIdentityResolver with async background refresh, static stability support, injectable Clock and ScheduledExecutorService. Add invalidate() default method to IdentityResolver interface. Will be used by STS, SSO, etc.
- aws-client-core: Add AwsCredentialChainPlugin ClientPlugin, register EnvironmentCredentialProvider and SystemPropertiesCredentialProvider as chain sources via SPI. Both now read AWS_ACCOUNT_ID / aws.accountId per the account ID SEP.
- settings.gradle.kts: Include new modules.

Architecture overview:

- Data model (aws-config) is separated from resolution policy (chain).
- Credential sources are detected cheaply from profile properties without needing implementation modules (STS, SSO, IMDS).
- Handlers are discovered via ServiceLoader; missing handlers produce errors naming the dependency to add.
- Chain ordering uses a fixed enum for builtins and simple Before/After insertion for third-party providers.
- CachingIdentityResolver provides background refresh with a shared ScheduledExecutorService passed via ProviderContext.
- invalidate() propagates through the chain to force credential refresh on auth failures.

TODO items: add SSO, STS, IMDS, ECS, etc.
TODO items: add SSO, STS, ECS, etc.
Here's an example of how to use shared credentials and IMDS:
Then you just apply the AwsCredentialChainPlugin.
With the above configuration, credentials are resolved automatically by checking the following in order:
Let's say you only need environment variables because you're running on Lambda. Then you just need to configure aws-client-core, which automatically resolves environment variables (you'd still apply AwsCredentialChainPlugin).

```kotlin
dependencies {
    implementation("software.amazon.smithy.java:aws-client-core:1.1.0")
}
```
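To make the chain semantics from the description concrete (first link that yields credentials wins, a caching link with an injectable Clock and static stability, and invalidate() propagating through every link so an auth failure forces a refresh), here is an added example. It is not code from this PR or from Smithy Java: the Credentials record, the CredentialProvider interface, CachingProvider, CredentialChain and ChainDemo (file ChainDemo.java) are hypothetical stand-ins for the real types, the PR's asynchronous background refresh is simplified to refresh-on-call, and the key values, fixed clock and "simulated refresh outage" are constructed for the demo.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical stand-in for the PR's credential type (not the project's class).
record Credentials(String accessKeyId, String secretAccessKey, Instant expiration) {}

// Hypothetical provider SPI: a source returns empty when it does not apply
// (for example AWS_ACCESS_KEY_ID unset); invalidate() only matters for links that cache.
interface CredentialProvider {
    Optional<Credentials> resolve();
    default void invalidate() {}
}

// Caching link modeled on the PR's description of CachingIdentityResolver: injectable
// Clock, a refresh-ahead window, and static stability (keep serving the last good
// credentials while a refresh fails, but never past their real expiration).
final class CachingProvider implements CredentialProvider {
    private final CredentialProvider delegate;
    private final Clock clock;
    private final Duration refreshAhead;
    private final AtomicReference<Credentials> cached = new AtomicReference<>();

    CachingProvider(CredentialProvider delegate, Clock clock, Duration refreshAhead) {
        this.delegate = delegate;
        this.clock = clock;
        this.refreshAhead = refreshAhead;
    }

    @Override
    public Optional<Credentials> resolve() {
        Credentials current = cached.get();
        Instant now = clock.instant();
        if (current != null && now.isBefore(current.expiration().minus(refreshAhead))) {
            return Optional.of(current); // fresh enough: no call to the source
        }
        try {
            Optional<Credentials> refreshed = delegate.resolve();
            if (refreshed.isPresent()) {
                cached.set(refreshed.get());
                return refreshed;
            }
        } catch (RuntimeException e) {
            // Static stability: absorb the refresh failure and fall through to the
            // stale copy instead of failing every request during a source outage.
        }
        if (current != null && now.isBefore(current.expiration())) {
            return Optional.of(current); // stale but not yet expired
        }
        return Optional.empty(); // nothing usable; the chain moves on
    }

    @Override
    public void invalidate() {
        cached.set(null);      // force the next resolve() back to the source
        delegate.invalidate(); // propagate downward, as the PR describes
    }
}

// Chain: first link that yields credentials wins; invalidate() reaches every link.
final class CredentialChain implements CredentialProvider {
    private final List<CredentialProvider> links;

    CredentialChain(List<CredentialProvider> links) { this.links = List.copyOf(links); }

    @Override
    public Optional<Credentials> resolve() {
        for (CredentialProvider link : links) {
            Optional<Credentials> c = link.resolve();
            if (c.isPresent()) return c;
        }
        return Optional.empty();
    }

    @Override
    public void invalidate() { links.forEach(CredentialProvider::invalidate); }
}

public final class ChainDemo {
    public static void main(String[] args) {
        Clock clock = Clock.fixed(Instant.parse("2024-01-01T00:00:00Z"), ZoneOffset.UTC);
        int[] sourceCalls = {0};
        CredentialProvider env = Optional::empty; // constructed: no env credentials set
        CredentialProvider flakySource = () -> {  // constructed profile-style source
            sourceCalls[0]++;
            if (sourceCalls[0] == 2) throw new IllegalStateException("simulated refresh outage");
            return Optional.of(new Credentials("AKIAEXAMPLE", "secret-placeholder",
                    clock.instant().plus(Duration.ofMinutes(10))));
        };
        // refreshAhead exceeds the 10 minute lifetime, so every call attempts a refresh
        CredentialProvider cached = new CachingProvider(flakySource, clock, Duration.ofMinutes(15));
        CredentialChain chain = new CredentialChain(List.of(env, cached));
        report(chain, sourceCalls); // first call reaches the source
        report(chain, sourceCalls); // refresh throws; the stale copy is served
        chain.invalidate();
        report(chain, sourceCalls); // cache dropped; the source is consulted again
    }

    private static void report(CredentialChain chain, int[] sourceCalls) {
        System.out.println("resolved=" + chain.resolve().isPresent() + " sourceCalls=" + sourceCalls[0]);
    }
}
```

The environment link comes first and yields nothing, so resolution falls through to the caching link; the second call shows the static-stability path (the source throws, but the still-valid credentials are served rather than the outage surfacing to callers), and the invalidate() call shows why propagation matters: without it, a rotated or revoked key would keep being served from the cache until its own expiration.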