Skip to content

Add business metrics support for STS, SSO and Profile credential providers #6426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 24, 2025
Merged

Add business metrics support for STS, SSO and Profile credential providers #6426

merged 10 commits into from
Sep 24, 2025
+793 −226

Conversation

S-Saranya1
Copy link
Contributor

@S-Saranya1 S-Saranya1 commented Sep 16, 2025
edited
Loading

Adds business metric tracking for credentials

Motivation and Context

Keeping track of how users are providing credentials to SDKs and which credentials providers are being used.

Modifications

This PR adds business metrics support for these credential providers:

CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
CREDENTIALS_PROFILE("n")- ProfileCredentialsProvider
CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_PROCESS("v") - ProfileCredentialsProvider + ProcessCredentialsProvider

Key Technical Changes

  1. Source Propagation: Introduces source parameter on credential provider builders to track credential provider chains

    • Example: Profile AssumeRole with environment variables → User-Agent contains m/n,g,i (profile + env vars + assume role)

  2. Provider Name Updates: Changes existing providerName() methods to return business metric codes instead of full class names

  3. Chain Tracking: Supports credential scenarios like (In ProfileCredentialsUtils)

    • Profile with credential_source , source_profile, web identity token , SSO session, credentials_process
    • Fallback chains when primary providers fail

Example User-Agent Outputs

  • Simple environment variables: m/g
  • Profile AssumeRole chain: m/n,o,i
  • Failed AssumeRole fallback: m/g (only successful provider shown)

Deviations from specs:

Not using SSO legacy("u") because it doesn't make sense - It's already tracked as legacy via the CREDENTIALS_PROFILE_SSO_LEGACY ("t") value. Once in the SSO provider legacy doesn't really matter. The regular CREDENTIALS_PROFILE_SSO value of ("s") can be used for both cases. You can't really set a legacy client without coming from the profile

Testing

  • Added unit tests for these

    CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
    CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
    CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
    CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
    CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
    CREDENTIALS_PROFILE("n")- ProfileCredentialsProvider

Performed integ test for these cases

CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider

Scenarios like: "p,0,i" and "o,n,i" for assume role with credential source and source profile, "r,s" for modern SSO session configuration, and "q,k" for profile-based web identity token flows. Legacy SSO testing with "t,s" business metrics is pending completion.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@S-Saranya1 S-Saranya1 force-pushed the somepal/Credentials-featureID-implementation branch from 077e209 to 685e7ac Compare September 16, 2025 18:26
@S-Saranya1 S-Saranya1 marked this pull request as ready for review September 16, 2025 18:28
@S-Saranya1 S-Saranya1 requested a review from a team as a code owner September 16, 2025 18:28
@S-Saranya1 S-Saranya1 changed the title Somepal/credentials feature id implementation Feature IDs implementation for STS credentials Sep 16, 2025
@S-Saranya1 S-Saranya1 changed the title Feature IDs implementation for STS credentials Add business metrics support for STS and Profile credential providers Sep 16, 2025
zoewangg
zoewangg reviewed Sep 18, 2025
View reviewed changes
@S-Saranya1 S-Saranya1 changed the title Add business metrics support for STS and Profile credential providers Add business metrics support for STS, SSO and Profile credential providers Sep 23, 2025
alextwoods
alextwoods reviewed Sep 23, 2025
View reviewed changes
.../src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java Outdated
return stsCredentialsProviderFactory().create(sourceCredentialsProvider, profile);
String sourceMetrics = extractBusinessMetricsFromProvider(sourceCredentialsProvider);

String source = BusinessMetricFeatureId.CREDENTIALS_PROFILE_SOURCE_PROFILE.value();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A nit on "source" naming - at a quick glance, I might read that as being the source credentials rather than just a feature ID - I know its longer, but maybe sourceFeatureId?

Additionally - it looks like the logic here from 264-273 is duplicated below on line 284, does it make sense to refactor to a method?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Handled the duplicate logic, Agree with sourceFeatureId naming. Need to make the changes to all the files, will make the changes at last after team review, incase if anyone have anything different.

@S-Saranya1
Address PR feedback
8d614ff
@S-Saranya1
Additional Changes:
39cb908 
Address PR feedback
Adding Unit tests
Apply PR feedback to previous PR
S-Saranya1
S-Saranya1 commented Sep 24, 2025
View reviewed changes
...software/amazon/awssdk/auth/source/WebIdentityTokenFileCredentialsProviderUserAgentTest.java
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed this standalone test and consolidated it into StsCredentialsProviderUserAgentTest.java as a parameterized test.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
60.4% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@S-Saranya1 S-Saranya1 merged commit 36324ae into feature/master/feature-ids-implementation Sep 24, 2025
29 of 30 checks passed
@github-actions GitHub Actions
Copy link

This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zoewangg zoewangg zoewangg left review comments

@alextwoods alextwoods alextwoods approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@S-Saranya1 @zoewangg @alextwoods