Merge remote-tracking branch 'origin/main' into hyper1

Author: aajtodd

.changelog/1728582276.md

@@ -0,0 +1,12 @@
+---
+applies_to:
+- aws-sdk-rust
+authors:
+- aajtodd
+references:
+- aws-sdk-rust#1193
+breaking: false
+new_feature: false
+bug_fix: true
+---
+Fix default credential provider chain not respecting endpoint URL overrides from environment

.changelog/1729271936.md

@@ -0,0 +1,12 @@
+---
+applies_to:
+- aws-sdk-rust
+authors:
+- ysaito1001
+references:
+- smithy-rs#3883
+breaking: false
+new_feature: false
+bug_fix: false
+---
+Client SDKs built with the `awsQueryCompatible` trait now include the `x-amzn-query-mode` header. This header signals the service that the clients are operating in compatible mode.

.github/workflows/ci.yml

@@ -65,6 +65,9 @@ jobs:
       with:
         path: smithy-rs
         ref: ${{ inputs.git_ref }}
+        # `generate-smithy-rs-release` requires access to previous tags to determine if a numerical suffix is needed
+        # to make the release tag unique
+        fetch-depth: 0
     # The models from aws-sdk-rust are needed to generate the full SDK for CI
     - uses: actions/checkout@v4
       with:

.github/workflows/release-scripts/create-release.js

@@ -10,7 +10,7 @@ const assert = require("assert");
 const fs = require("fs");
 
 const smithy_rs_repo = {
-    owner: "awslabs",
+    owner: "smithy-lang",
     repo: "smithy-rs",
 };
 

.github/workflows/release.yml

@@ -181,12 +181,18 @@ jobs:
         ref: ${{ inputs.commit_sha }}
         path: smithy-rs
         token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+        fetch-depth: 0
     - name: Generate release artifacts
       uses: ./smithy-rs/.github/actions/docker-build
       with:
         action: generate-smithy-rs-release
     - name: Download all artifacts
       uses: ./smithy-rs/.github/actions/download-all-artifacts
+    # This step is not idempotent, as it pushes release artifacts to the `smithy-rs-release-1.x.y` branch. However,
+    # if this step succeeds but a subsequent step fails, retrying the release workflow is "safe" in that it does not
+    # create any inconsistent states; this step would simply fail because the release branch would be ahead of `main`
+    # due to previously pushed artifacts.
+    # To successfully retry a release, revert the commits in the release branch that pushed the artifacts.
     - name: Push smithy-rs changes
       shell: bash
       working-directory: smithy-rs-release/smithy-rs
@@ -202,7 +208,7 @@ jobs:
           # to retry a release action execution that failed due to a transient issue.
           # In that case, we expect the commit to be releasable as-is, i.e. the changelog should have already
           # been processed.
-          git fetch --unshallow
+          git fetch
           if [[ "${DRY_RUN}" == "true" ]]; then
             # During dry-runs, "git push" without "--force" can fail if smithy-rs-release-x.y.z-preview is behind
             # smithy-rs-release-x.y.z, but that does not matter much during dry-runs.
@@ -214,18 +220,7 @@ jobs:
           fi
         fi
         echo "commit_sha=$(git rev-parse HEAD)" > $GITHUB_OUTPUT
-    - name: Tag release
-      uses: actions/github-script@v7
-      with:
-        github-token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
-        script: |
-          const createReleaseScript = require("./smithy-rs/.github/workflows/release-scripts/create-release.js");
-          await createReleaseScript({
-            github,
-            isDryRun: ${{ inputs.dry_run }},
-            releaseManifestPath: "smithy-rs-release/smithy-rs-release-manifest.json",
-            releaseCommitish: "${{ steps.push-changelog.outputs.commit_sha }}"
-          });
+    # This step is idempotent; the `publisher` will not publish a crate if the version is already published on crates.io.
     - name: Publish to crates.io
       shell: bash
       working-directory: smithy-rs-release/crates-to-publish
@@ -247,7 +242,23 @@ jobs:
         else
           publisher publish -y --location .
         fi
+    # This step is not idempotent and MUST be performed last, as it will generate a new release in the `smithy-rs`
+    # repository with the release tag that is always unique and has an increasing numerical suffix.
+    - name: Tag release
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+        script: |
+          const createReleaseScript = require("./smithy-rs/.github/workflows/release-scripts/create-release.js");
+          await createReleaseScript({
+            github,
+            isDryRun: ${{ inputs.dry_run }},
+            releaseManifestPath: "smithy-rs-release/smithy-rs-release-manifest.json",
+            releaseCommitish: "${{ steps.push-changelog.outputs.commit_sha }}"
+          });
 
+  # If this step fails for any reason, there's no need to retry the release workflow, as this step is auxiliary
+  # and the release itself was successful. Instead, manually trigger `backport-pull-request.yml`.
   open-backport-pull-request:
     name: Open backport pull request to merge the release branch back to main
     needs:

aws/rust-runtime/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "aws-config"
-version = "1.5.8"
+version = "1.5.9"
 authors = [
     "AWS Rust SDK Team <[email protected]>",
     "Russell Cohen <[email protected]>",

aws/rust-runtime/aws-config/Cargo.lock

@@ -33,7 +33,6 @@ use aws_credential_types::{
     Credentials,
 };
 use aws_smithy_types::error::display::DisplayErrorContext;
-use aws_types::SdkConfig;
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::error::Error;
@@ -142,7 +141,6 @@ pub struct ProfileFileCredentialsProvider {
 #[derive(Debug)]
 struct Config {
     factory: exec::named::NamedProviderFactory,
-    sdk_config: SdkConfig,
     provider_config: ProviderConfig,
 }
 
@@ -493,7 +491,6 @@ impl Builder {
         ProfileFileCredentialsProvider {
             config: Arc::new(Config {
                 factory,
-                sdk_config: conf.client_config(),
                 provider_config: conf,
             }),
             inner_provider: ErrorTakingOnceCell::new(),
@@ -542,9 +539,13 @@ impl ChainProvider {
                     return Err(CredentialsError::provider_error(e));
                 }
             };
+
+            // we want to create `SdkConfig` _after_ we have resolved the profile or else
+            // we won't get things like `service_config()` set appropriately.
+            let sdk_config = config.provider_config.client_config();
             for provider in chain.chain().iter() {
                 let next_creds = provider
-                    .credentials(creds, &config.sdk_config)
+                    .credentials(creds, &sdk_config)
                     .instrument(tracing::debug_span!("load_assume_role", provider = ?provider))
                     .await;
                 match next_creds {
@@ -609,7 +610,14 @@ mod test {
     #[cfg(feature = "sso")]
     make_test!(sso_credentials);
     #[cfg(feature = "sso")]
+    make_test!(sso_override_global_env_url);
+    #[cfg(feature = "sso")]
     make_test!(sso_token);
+
+    make_test!(assume_role_override_global_env_url);
+    make_test!(assume_role_override_service_env_url);
+    make_test!(assume_role_override_global_profile_url);
+    make_test!(assume_role_override_service_profile_url);
 }
 
 #[cfg(all(test, feature = "sso"))]

aws/rust-runtime/aws-config/Cargo.toml

@@ -5,6 +5,7 @@
 
 //! Configuration Options for Credential Providers
 
+use crate::env_service_config::EnvServiceConfig;
 use crate::profile;
 #[allow(deprecated)]
 use crate::profile::profile_file::ProfileFiles;
@@ -196,13 +197,26 @@ impl ProviderConfig {
         Self::without_region().load_default_region().await
     }
 
+    /// Attempt to get a representation of `SdkConfig` from this `ProviderConfig`.
+    ///
+    ///
+    /// **WARN**: Some options (e.g. `service_config`) can only be set if the profile has been
+    /// parsed already (e.g. by calling [`ProviderConfig::profile()`]). This is an
+    /// imperfect mapping and should be used sparingly.
     pub(crate) fn client_config(&self) -> SdkConfig {
+        let profiles = self.parsed_profile.get().and_then(|v| v.as_ref().ok());
+        let service_config = EnvServiceConfig {
+            env: self.env(),
+            env_config_sections: profiles.cloned().unwrap_or_default(),
+        };
+
         let mut builder = SdkConfig::builder()
             .retry_config(RetryConfig::standard())
             .region(self.region())
             .time_source(self.time_source())
             .use_fips(self.use_fips().unwrap_or_default())
             .use_dual_stack(self.use_dual_stack().unwrap_or_default())
+            .service_config(service_config)
             .behavior_version(crate::BehaviorVersion::latest());
         builder.set_http_client(self.http_client.clone());
         builder.set_sleep_impl(self.sleep_impl.clone());

aws/rust-runtime/aws-config/src/profile/credentials.rs

@@ -0,0 +1,4 @@
+{
+  "HOME": "/home",
+  "AWS_ENDPOINT_URL": "http://aws.global-env-override"
+}

aws/rust-runtime/aws-config/src/provider_config.rs

@@ -0,0 +1,7 @@
+[default]
+region = us-east-1
+role_arn = arn:aws:iam::123456789:role/integration-test
+source_profile = base
+
+[profile base]
+region = us-east-1

aws/rust-runtime/aws-config/test-data/profile-provider/assume_role_override_global_env_url/env.json

@@ -0,0 +1,3 @@
+[base]
+aws_access_key_id = AKIAFAKE
+aws_secret_access_key = FAKE

aws/rust-runtime/aws-config/test-data/profile-provider/assume_role_override_global_env_url/fs/home/.aws/config

@@ -0,0 +1,107 @@
+{
+  "events": [
+    {
+      "connection_id": 0,
+      "action": {
+        "Request": {
+          "request": {
+            "uri": "http://aws.global-env-override",
+            "headers": {
+              "content-type": [
+                "application/x-www-form-urlencoded"
+              ],
+              "authorization": [
+                "AWS4-HMAC-SHA256 Credential=AKIAFAKE/20210810/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-user-agent, Signature=cd5cb2aa1d20717ca17692bcbda711797ae9eb8bb1130690b021b3952b7ae56e"
+              ],
+              "user-agent": [
+                "aws-sdk-rust/0.1.0 os/macos lang/rust/1.55.0-nightly"
+              ],
+              "content-length": [
+                "146"
+              ],
+              "x-amz-date": [
+                "20210810T003833Z"
+              ],
+              "host": [
+                "aws.global-env-override"
+              ],
+              "x-amz-user-agent": [
+                "aws-sdk-rust/0.1.0 api/sts/0.0.14-alpha os/macos lang/rust/1.55.0-nightly"
+              ]
+            },
+            "method": "POST"
+          }
+        }
+      }
+    },
+    {
+      "connection_id": 0,
+      "action": {
+        "Data": {
+          "data": {
+            "Utf8": "Action=AssumeRole&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A123456789%3Arole%2Fintegration-test&RoleSessionName=assume-role-provider-session"
+          },
+          "direction": "Request"
+        }
+      }
+    },
+    {
+      "connection_id": 0,
+      "action": {
+        "Eof": {
+          "ok": true,
+          "direction": "Request"
+        }
+      }
+    },
+    {
+      "connection_id": 0,
+      "action": {
+        "Response": {
+          "response": {
+            "Ok": {
+              "status": 200,
+              "version": "HTTP/1.1",
+              "headers": {
+                "date": [
+                  "Thu, 05 Aug 2021 18:58:02 GMT"
+                ],
+                "content-length": [
+                  "1491"
+                ],
+                "content-type": [
+                  "text/xml"
+                ],
+                "x-amzn-requestid": [
+                  "c2e971c2-702d-4124-9b1f-1670febbea18"
+                ]
+              }
+            }
+          }
+        }
+      }
+    },
+    {
+      "connection_id": 0,
+      "action": {
+        "Data": {
+          "data": {
+            "Utf8": "<AssumeRoleResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROARABCDEFGHIJKLMNOP:assume-role-provider-session</AssumedRoleId>\n      <Arn>arn:aws:sts::123456789012:assumed-role/integration-test/assume-role-provider-session</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIARTESTID</AccessKeyId>\n      <SecretAccessKey>TESTSECRETKEY</SecretAccessKey>\n      <SessionToken>TESTSESSIONTOKEN</SessionToken>\n      <Expiration>2021-08-05T19:58:02Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>c2e971c2-702d-4124-9b1f-1670febbea18</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n"
+          },
+          "direction": "Response"
+        }
+      }
+    },
+    {
+      "connection_id": 0,
+      "action": {
+        "Eof": {
+          "ok": true,
+          "direction": "Response"
+        }
+      }
+    }
+  ],
+  "docs": "standard request / response with STS",
+  "version": "V0"
+}