Update SDK to respect Profile property set in the client config when resolving credentials (#3753)

Author: dscpinheiro

generator/.DevConfigs/1d61d247-5e88-4613-a97f-ee94ef9ff8fd.json

@@ -0,0 +1,9 @@
+{
+    "core": {
+        "updateMinimum": true,
+        "type": "Patch",
+        "changeLogMessages": [
+            "Update SDK to respect `Profile` property set in the client config when resolving credentials."
+        ]
+    }
+}

sdk/src/Core/Amazon.Runtime/Credentials/AnonymousIdentityResolver.cs

@@ -26,20 +26,22 @@ public class AnonymousIdentityResolver : IIdentityResolver<AnonymousAWSCredentia
     {
         private readonly AnonymousAWSCredentials _credentials = new();
 
-        BaseIdentity IIdentityResolver.ResolveIdentity() => _credentials;
+        BaseIdentity IIdentityResolver.ResolveIdentity(IClientConfig clientConfig) 
+            => _credentials;
 
         /// <summary>
         /// Resolves the identity by returning an instance of <see cref="AnonymousAWSCredentials"/>.
         /// </summary>
-        public AnonymousAWSCredentials ResolveIdentity() => _credentials;
+        public AnonymousAWSCredentials ResolveIdentity(IClientConfig clientConfig) 
+            => _credentials;
 
-        Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(CancellationToken cancellationToken)
+        Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken)
             => Task.FromResult<BaseIdentity>(_credentials);
 
         /// <summary>
         /// Resolves the identity by returning an instance of <see cref="AnonymousAWSCredentials"/>.
         /// </summary>
-        public Task<AnonymousAWSCredentials> ResolveIdentityAsync(CancellationToken cancellationToken = default)
+        public Task<AnonymousAWSCredentials> ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken = default)
             => Task.FromResult(_credentials);
     }
 }

sdk/src/Core/Amazon.Runtime/Credentials/DefaultAWSCredentialsIdentityResolver.cs

@@ -53,38 +53,69 @@ public DefaultAWSCredentialsIdentityResolver()
 #endif
                 () => new EnvironmentVariablesAWSCredentials(), // Look for credentials set in environment vars.
                 () => AssumeRoleWithWebIdentityCredentials.FromEnvironmentVariables(),
-                () => GetAWSCredentials(_credentialProfileChain),
+                () => GetProfileCredentials(_credentialProfileChain),
                 () => ContainerEC2CredentialsWrapper(), // either get ECS / EKS credentials or instance profile credentials
             };
         }
 
+        #region Helper methods for migration from FallbackCredentialsFactory
+
         /// <summary>
         /// Search the environment for configured AWS credentials. The search includes
         /// environment variables, "default" AWS credentials profiles and EC2 instance metadata.
         /// </summary>
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
         /// <returns>AWSCredentials that can be used when creating AWS service clients.</returns>
-        public static AWSCredentials GetCredentials()
+        public static AWSCredentials GetCredentials(IClientConfig clientConfig = null)
         {
-            return _defaultInstance.Value.ResolveIdentity();
+            return _defaultInstance.Value.ResolveIdentity(clientConfig);
         }
 
         /// <summary>
         /// Search the environment for configured AWS credentials. The search includes
         /// environment variables, "default" AWS credentials profiles and EC2 instance metadata.
         /// </summary>
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
         /// <returns>AWSCredentials that can be used when creating AWS service clients.</returns>
-        public static Task<AWSCredentials> GetCredentialsAsync()
+        public static Task<AWSCredentials> GetCredentialsAsync(IClientConfig clientConfig = null)
         {
-            return _defaultInstance.Value.ResolveIdentityAsync();
+            return _defaultInstance.Value.ResolveIdentityAsync(clientConfig);
         }
 
-        BaseIdentity IIdentityResolver.ResolveIdentity()
+        #endregion
+
+        BaseIdentity IIdentityResolver.ResolveIdentity(IClientConfig clientConfig) 
+            => ResolveIdentity(clientConfig);
+
+        public AWSCredentials ResolveIdentity(IClientConfig clientConfig)
         {
-            return ResolveIdentity();
+            var profile = clientConfig?.Profile;
+            if (profile != null)
+            {
+                var source = new CredentialProfileStoreChain(profile.Location);
+                if (source.TryGetProfile(profile.Name, out CredentialProfile storedProfile))
+                {
+                    return storedProfile.GetAWSCredentials(source, true);
+                }
+
+                throw new AmazonClientException($"Unable to find the \"{profile.Name}\" profile specified in the client configuration.");
+            }
+
+            return InternalGetCredentials();
         }
 
+        Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken) =>
+            Task.FromResult<BaseIdentity>(ResolveIdentity(clientConfig));
+
+        public Task<AWSCredentials> ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken = default) =>
+            Task.FromResult(ResolveIdentity(clientConfig));
+
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Design", "CA1031:Do not catch general exception types", Justification = "We need to catch all exceptions to be able to move the the next generator.")]
-        public AWSCredentials ResolveIdentity()
+        private AWSCredentials InternalGetCredentials()
         {
             var hasEnvironmentChanged = false;
 
@@ -95,7 +126,7 @@ public AWSCredentials ResolveIdentity()
                 {
                     hasEnvironmentChanged = _lastKnownEnvironmentState.HasEnvironmentChanged();
                     if (!hasEnvironmentChanged)
-                    { 
+                    {
                         return _cachedCredentials;
                     }
                 }
@@ -155,37 +186,24 @@ public AWSCredentials ResolveIdentity()
                     return _cachedCredentials;
                 }
 
-                using (StringWriter writer = new StringWriter(CultureInfo.InvariantCulture))
+                using var writer = new StringWriter(CultureInfo.InvariantCulture);
+                writer.WriteLine("Failed to resolve AWS credentials. The credential providers used to search for credentials returned the following errors:");
+                writer.WriteLine();
+                for (int i = 0; i < errors.Count; i++)
                 {
-                    writer.WriteLine("Failed to resolve AWS credentials. The credential providers used to search for credentials returned the following errors:");
-                    writer.WriteLine();
-                    for (int i = 0; i < errors.Count; i++)
-                    {
-                        Exception e = errors[i];
-                        writer.WriteLine("Exception {0} of {1}: {2}", i + 1, errors.Count, e.Message);
-                    }
-
-                    throw new AmazonClientException(writer.ToString());
+                    Exception e = errors[i];
+                    writer.WriteLine("Exception {0} of {1}: {2}", i + 1, errors.Count, e.Message);
                 }
+
+                throw new AmazonClientException(writer.ToString());
             }
             finally
             {
                 _cachedCredentialsLock.ExitWriteLock();
             }
         }
 
-        async Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(CancellationToken cancellationToken)
-        {
-            var identity = await ResolveIdentityAsync(cancellationToken).ConfigureAwait(false);
-            return identity;
-        }
-
-        public async Task<AWSCredentials> ResolveIdentityAsync(CancellationToken cancellationToken = default)
-        {
-            return await Task.Run(() => ResolveIdentity(), cancellationToken).ConfigureAwait(false);
-        }
-
-        private static AWSCredentials GetAWSCredentials(ICredentialProfileSource source)
+        private static AWSCredentials GetProfileCredentials(ICredentialProfileSource source)
         {
             var profileName = GetProfileName();
             if (source.TryGetProfile(profileName, out CredentialProfile profile))

sdk/src/Core/Amazon.Runtime/Credentials/DefaultAWSTokenIdentityResolver.cs

@@ -29,13 +29,11 @@ public class DefaultAWSTokenIdentityResolver : IIdentityResolver<AWSToken>
         public DefaultAWSTokenIdentityResolver() 
             => _tokenProvider = new AWSTokenProviderChain(new ProfileTokenProvider());
 
-        BaseIdentity IIdentityResolver.ResolveIdentity()
-        {
-            return ResolveIdentity();
-        }
+        BaseIdentity IIdentityResolver.ResolveIdentity(IClientConfig clientConfig) 
+            => ResolveIdentity(clientConfig: null);
 
         /// <inheritdoc/>
-        public AWSToken ResolveIdentity()
+        public AWSToken ResolveIdentity(IClientConfig clientConfig)
         {
 #if NETFRAMEWORK
             if (_tokenProvider.TryResolveToken(out var token))
@@ -56,14 +54,14 @@ public AWSToken ResolveIdentity()
 #endif
         }
 
-        async Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(CancellationToken cancellationToken)
+        async Task<BaseIdentity> IIdentityResolver.ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken)
         {
-            var identity = await ResolveIdentityAsync(cancellationToken).ConfigureAwait(false);
+            var identity = await ResolveIdentityAsync(clientConfig, cancellationToken).ConfigureAwait(false);
             return identity;
         }
 
         /// <inheritdoc/>
-        public async Task<AWSToken> ResolveIdentityAsync(CancellationToken cancellationToken = default)
+        public async Task<AWSToken> ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken = default)
         {
             var tokenResponse = await _tokenProvider.TryResolveTokenAsync(cancellationToken).ConfigureAwait(false);
             if (tokenResponse.Success)

sdk/src/Core/Amazon.Runtime/Credentials/Internal/DefaultIdentityResolverConfiguration.cs

@@ -44,7 +44,7 @@ public IIdentityResolver GetIdentityResolver<T>() where T : BaseIdentity
         public static T ResolveDefaultIdentity<T>() where T : BaseIdentity
         {
             var identityResolver = Instance.GetIdentityResolver<T>();
-            return identityResolver.ResolveIdentity() as T;
+            return identityResolver.ResolveIdentity(clientConfig: null) as T;
         }
     }
 }

sdk/src/Core/Amazon.Runtime/IClientConfig.cs

@@ -53,9 +53,12 @@ public partial interface IClientConfig
         string ServiceId { get; }
 
         /// <summary>
-        /// Specifies the profile to be used. When this is set on the ClientConfig and that config is passed to 
-        /// the service client constructor the sdk will try to find the credentials associated with the Profile.Name property
-        /// If set, this will override AWS_PROFILE and AWSConfigs.ProfileName.
+        /// Specifies the profile to be used. 
+        /// When this is set on the config passed to the service client constructor the SDK will try to find the 
+        /// credentials associated with the <see cref="Profile.Name"/> property.
+        /// 
+        /// <para />
+        /// If set, this will override <c>AWS_PROFILE</c> and <c>AWSConfigs.ProfileName</c>.
         /// </summary>
         Profile Profile { get; }
 

sdk/src/Core/Amazon.Runtime/Identity/IIdentityResolver.cs

@@ -34,13 +34,22 @@ public interface IIdentityResolver
         /// Loads the customer's identity for this resolver. 
         /// If the identity cannot be resolved an <c>AmazonClientException</c> will be thrown.
         /// </summary>
-        BaseIdentity ResolveIdentity();
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
+        BaseIdentity ResolveIdentity(IClientConfig clientConfig);
 
         /// <summary>
         /// Loads the customer's identity for this resolver. 
         /// If the identity cannot be resolved an <c>AmazonClientException</c> will be thrown.
         /// </summary>
-        Task<BaseIdentity> ResolveIdentityAsync(CancellationToken cancellationToken = default);
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
+        /// <param name="cancellationToken">
+        /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+        /// </param>
+        Task<BaseIdentity> ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken = default);
     }
 
     /// <summary>
@@ -59,12 +68,21 @@ public interface IIdentityResolver<T> : IIdentityResolver where T : BaseIdentity
         /// Loads the customer's identity for this resolver. 
         /// If the identity cannot be resolved an <c>AmazonClientException</c> will be thrown.
         /// </summary>
-        new T ResolveIdentity();
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
+        new T ResolveIdentity(IClientConfig clientConfig);
 
         /// <summary>
         /// Loads the customer's identity for this resolver. 
         /// If the identity cannot be resolved an <c>AmazonClientException</c> will be thrown.
         /// </summary>
-        new Task<T> ResolveIdentityAsync(CancellationToken cancellationToken = default);
+        /// <param name="clientConfig">
+        /// Optional config object that can be used to specify a different profile programatically (via the <see cref="Profile"/> property).
+        /// </param>
+        /// <param name="cancellationToken">
+        /// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
+        /// </param>
+        new Task<T> ResolveIdentityAsync(IClientConfig clientConfig, CancellationToken cancellationToken = default);
     }
 }

sdk/src/Core/Amazon.Runtime/Pipeline/Handlers/BaseAuthResolverHandler.cs

@@ -103,7 +103,7 @@ protected void PreInvoke(IExecutionContext executionContext)
                     }
 
                     var identityResolver = scheme.GetIdentityResolver(clientConfig.IdentityResolverConfiguration);
-                    executionContext.RequestContext.Identity = identityResolver.ResolveIdentity();
+                    executionContext.RequestContext.Identity = identityResolver.ResolveIdentity(clientConfig);
 
                     if (executionContext.RequestContext.Identity != null)
                     {
@@ -183,7 +183,7 @@ protected async Task PreInvokeAsync(IExecutionContext executionContext)
 
                     var identityResolver = scheme.GetIdentityResolver(clientConfig.IdentityResolverConfiguration);
                     executionContext.RequestContext.Identity = await identityResolver
-                        .ResolveIdentityAsync(cancellationToken)
+                        .ResolveIdentityAsync(clientConfig, cancellationToken)
                         .ConfigureAwait(false);
 
                     if (executionContext.RequestContext.Identity != null)

sdk/src/Core/Profile.cs

@@ -1,18 +1,38 @@
-using System;
-using System.Collections.Generic;
-using System.IO;
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+* 
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+* 
+*  http://aws.amazon.com/apache2.0
+* 
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+using Amazon.Runtime;
 using System.Text;
 
 namespace Amazon
 {
     /// <summary>
-    /// Represents a profile in the configuration file. For example in ~/.aws/config
+    /// Represents a profile in the configuration file. For example in ~/.aws/config:
+    /// <code>
     /// [profile foo]
     /// name = value
+    /// 
     /// Profile profile = new Profile("foo");
-    /// When this is set on the ClientConfig and that config is passed to 
-    /// the service client constructor the sdk will try to find the credentials associated with the Profile.Name property
-    /// If set, this will override AWS_PROFILE and AWSConfigs.ProfileName.
+    /// </code>
+    /// 
+    /// When this is set on the <see cref="IClientConfig"/> and that config is passed to 
+    /// the service client constructor the SDK will try to find the credentials associated with the <see cref="Name"/> property.
+    /// 
+    /// <para />
+    /// 
+    /// If set, this will override <c>AWS_PROFILE</c> and <c>AWSConfigs.ProfileName</c>.
     /// </summary>
     public class Profile
     {

sdk/test/Services/DSQL/UnitTests/Custom/DSQLAuthTokenGeneratorTest.cs

@@ -58,7 +58,7 @@ public void Initialize()
             originalIdentityResolvers = field.GetValue(null) as Dictionary<Type, IIdentityResolver>;
 
             var mockIdentityResolver = new Mock<IIdentityResolver>();
-            mockIdentityResolver.Setup(i => i.ResolveIdentity()).Returns(BasicCredentials);
+            mockIdentityResolver.Setup(i => i.ResolveIdentity(null)).Returns(BasicCredentials);
 
             field.SetValue(null, new Dictionary<Type, IIdentityResolver>()
             {

sdk/test/Services/RDS/UnitTests/Custom/RDSAuthTokenGeneratorTest.cs

@@ -58,7 +58,7 @@ public void Initialize()
             originalIdentityResolvers = field.GetValue(null) as Dictionary<Type, IIdentityResolver>;
 
             var mockIdentityResolver = new Mock<IIdentityResolver>();
-            mockIdentityResolver.Setup(i => i.ResolveIdentity()).Returns(BasicCredentials);
+            mockIdentityResolver.Setup(i => i.ResolveIdentity(null)).Returns(BasicCredentials);
 
             field.SetValue(null, new Dictionary<Type, IIdentityResolver>()
             {

sdk/test/UnitTests/AWSSDK.UnitTests.Custom.NetFramework.csproj

@@ -104,10 +104,4 @@ This project file should not be used as part of a release pipeline.
         <None Remove="Custom\obj\**" />
         <Compile Remove="Custom\obj\**" />
     </ItemGroup>
-
-    <ItemGroup>
-      <None Update="Custom\Runtime\Credentials\AccountIdEndpointTests\accountid-source-testcases.json">
-        <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-      </None>
-    </ItemGroup>
 </Project>