Merge branch 'main' into bind-ecs-env

.github/workflows/ci.yml

@@ -6,25 +6,27 @@ on:
       - 'main'
 
 env:
-  BUILDER_VERSION: v0.9.52
+  BUILDER_VERSION: v0.9.73
   BUILDER_SOURCE: releases
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   PACKAGE_NAME: aws-crt-swift
   RUN: ${{ github.run_id }}-${{ github.run_number }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: us-east-1
+  CRT_CI_ROLE: ${{ secrets.CRT_CI_ROLE_ARN }}
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the JWT
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - name: GitHub Action for SwiftLint
         uses: norio-nomura/[email protected]
 
   linux:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -34,10 +36,15 @@ jobs:
           # issue to fix centos opened against apple here: https://github.com/apple/swift-docker/issues/258
           # - centos-x64
     steps:
-      - name: Build ${{ env.PACKAGE_NAME }}
-        run: |
-          aws s3 cp --debug s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
-          ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-swift-5-${{ matrix.image }} build -p ${{ env.PACKAGE_NAME }}
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }} 
+    - name: Build ${{ env.PACKAGE_NAME }}
+      run: |
+        aws s3 cp --debug s3://aws-crt-test-stuff/ci/${{ env.BUILDER_VERSION }}/linux-container-ci.sh ./linux-container-ci.sh && chmod a+x ./linux-container-ci.sh
+        ./linux-container-ci.sh ${{ env.BUILDER_VERSION }} aws-crt-swift-5-${{ matrix.image }} build -p ${{ env.PACKAGE_NAME }}
+  
   macos:
     runs-on: ${{ matrix.runner }}
     env:
@@ -49,17 +56,20 @@ jobs:
       matrix:
         # This matrix runs tests on Mac, on oldest & newest supported Xcodes
         runner:
-          - macos-12 # x64
           - macos-13 # x64
           - macos-14
           - macos-13-xlarge
           - macos-14-large #x64
     steps:
-      - name: Build ${{ env.PACKAGE_NAME }} + consumers
-        run: |
-          python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
-          chmod a+x builder
-          ./builder build -p ${{ env.PACKAGE_NAME }}
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }} 
+    - name: Build ${{ env.PACKAGE_NAME }} + consumers
+      run: |
+        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+        chmod a+x builder
+        ./builder build -p ${{ env.PACKAGE_NAME }}
 
   devices:
     runs-on: ${{ matrix.runner }}
@@ -72,7 +82,6 @@ jobs:
       matrix:
         # This matrix runs tests on iOS, tvOS & watchOS, on oldest & newest supported Xcodes
         runner:
-          - macos-12 # x64
           - macos-13 # x64
           - macos-14
           - macos-13-xlarge
@@ -91,8 +100,6 @@ jobs:
           # Don't run old macOS with new Xcode
           - runner: macos-13-xlarge
             xcode: Xcode_15.2
-          - runner: macos-12
-            xcode: Xcode_15.2
           - runner: macos-13
             xcode: Xcode_15.2
           # Don't run new macOS with old Xcode
@@ -115,21 +122,29 @@ jobs:
           - target: { os: watchos, destination: 'watchOS Simulator,OS=9.1,name=Apple Watch Series 5 (40mm)'}
             xcode: Xcode_15.2
     steps:
-      - name: Build ${{ env.PACKAGE_NAME }} + consumers
-        run: |
-          python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
-          chmod a+x builder
-          ./builder build -p ${{ env.PACKAGE_NAME }} --target=${{ matrix.target.os }}-armv8
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }} 
+    - name: Build ${{ env.PACKAGE_NAME }} + consumers
+      run: |
+        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+        chmod a+x builder
+        ./builder build -p ${{ env.PACKAGE_NAME }} --target=${{ matrix.target.os }}-armv8
 
   check-submodules:
-    runs-on: ubuntu-22.04 # latest
+    runs-on: ubuntu-24.04 # latest
     steps:
-      - name: Checkout Source
-        uses: actions/checkout@v4
-        with:
-          submodules: true
-          fetch-depth: 0
-      - name: Check Submodules
-        # note: using "@main" because "@${{env.BUILDER_VERSION}}" doesn't work
-        # https://github.com/actions/runner/issues/480
-        uses: awslabs/aws-crt-builder/.github/actions/check-submodules@main
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }} 
+    - name: Checkout Source
+      uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+    - name: Check Submodules
+      # note: using "@main" because "@${{env.BUILDER_VERSION}}" doesn't work
+      # https://github.com/actions/runner/issues/480
+      uses: awslabs/aws-crt-builder/.github/actions/check-submodules@main

.github/workflows/s2n-prelude-changes.yml

@@ -0,0 +1,32 @@
+# Detect changes to s2n_prelude.h to update our `Package.swift` and stay in sync with it.
+# See: https://github.com/awslabs/aws-crt-swift/pull/299 for updating the Package.swift.
+
+name: s2n_prelude.h Change Detector
+
+on: [push]
+
+jobs:
+  check-for-changes:
+
+    runs-on: ubuntu-24.04 # latest
+
+    steps:
+    - name: Checkout Sources
+      uses: actions/checkout@v4
+      with:     
+        submodules: true 
+
+    - name: Check s2n_prelude.h
+      run: |
+        TMPFILE=$(mktemp)
+          echo "116f1525acbc94c91b0ee2ea2af9fdef aws-common-runtime/s2n/utils/s2n_prelude.h" > $TMPFILE
+        md5sum --check $TMPFILE
+
+    # No further steps if successful
+
+    - name: Echo fail
+      if: failure()
+      run: |
+          echo "The aws-crt-swift has a hack to manually define macros which are defined in s2n_prelude.h in Package.Swift.
+                This check will fail whenever s2n_prelude.h is updated by the S2N team. You should make sure that Package.Swift is updated accordingly
+                with the s2n_prelude.h changes and then run `md5sum aws-common-runtime/s2n/utils/s2n_prelude.h` and update the value above."

Package.swift

@@ -100,8 +100,17 @@ packageTargets.append(.target(
     publicHeadersPath: "api",
     cSettings: [
         .headerSearchPath("./"),
-        .define("POSIX_C_SOURCE=200809L"),
-        .define("S2N_NO_PQ")
+        .define("S2N_NO_PQ"),
+        // This is a hack to get around the fact that S2N uses the compiler option `-include`
+        // to include `s2n_prelude.h` in all .c files. Since SwiftPM doesn't support compiler flags,
+        // we manually define the macros from `s2n_prelude.h`. When SwiftPM supports compiler flags
+        // or building packages using CMake, this hack should be removed.
+        // We are not defining `S2N_API` because we don't need to expose any symbols from S2N in crt-swift.
+        .define("_S2N_PRELUDE_INCLUDED"),
+        .define("S2N_BUILD_RELEASE"),
+        .define("_FORTIFY_SOURCE", to: "2"),
+        .define("POSIX_C_SOURCE", to: "200809L"),
+
     ]
 ))
 #endif
@@ -146,9 +155,6 @@ var awsCChecksumsExcludes = [
     "cmake",
     "tests"]
 
-// swift never uses Microsoft Visual C++ compiler
-awsCChecksumsExcludes.append("source/intel/visualc")
-
 // Hardware accelerated checksums are disabled because SwiftPM doesn't like the necessary compiler flags.
 // We can add it once SwiftPM has the necessary support for CPU flags or builds C libraries
 // using CMake.

Source/AwsCommonRuntimeKit/auth/credentials/Credentials.swift

@@ -8,9 +8,13 @@ public final class Credentials {
 
     let rawValue: OpaquePointer
 
-    init(rawValue: OpaquePointer) {
+    // TODO: remove this property once aws-c-auth supports account_id
+    private let accountId: String?
+
+    init(rawValue: OpaquePointer, accountId: String? = nil) {
         self.rawValue = rawValue
         aws_credentials_acquire(rawValue)
+        self.accountId = accountId
     }
 
     /// Creates a new set of aws credentials
@@ -19,12 +23,14 @@ public final class Credentials {
     ///   - accessKey: value for the aws access key id field
     ///   - secret: value for the secret access key field
     ///   - sessionToken: (Optional) security token associated with the credentials
+    ///   - accountId: (Optional) the account ID for the resolved credentials, if known
     ///   - expiration: (Optional) Point in time after which credentials will no longer be valid.
     ///                 For credentials that do not expire, use nil.
     ///                 If expiration.timeIntervalSince1970 is greater than UInt64.max, it will be converted to nil.
     /// - Throws: CommonRuntimeError.crtError
     public init(accessKey: String,
                 secret: String,
+                accountId: String? = nil,
                 sessionToken: String? = nil,
                 expiration: Date? = nil) throws {
 
@@ -51,6 +57,7 @@ public final class Credentials {
             throw CommonRunTimeError.crtError(.makeFromLastError())
         }
         self.rawValue = rawValue
+        self.accountId = accountId
     }
 
     /// Gets the access key from the `aws_credentials` instance
@@ -69,6 +76,15 @@ public final class Credentials {
         return secret.toOptionalString()
     }
 
+    /// Gets the account ID from the `Credentials`, if any.
+    ///
+    /// Temporarily, `accountId` is backed by a Swift instance variable.
+    /// In the future, when the C implementation implements `account_id` the implementation will get account ID from the `aws_credentials` instance.
+    /// - Returns:`String?`: The AWS `accountId` or nil
+    public func getAccountId() -> String? {
+        accountId
+    }
+
     /// Gets the session token from the `aws_credentials` instance
     ///
     /// - Returns:`String?`: The AWS Session token or nil

Source/AwsCommonRuntimeKit/auth/credentials/CredentialsProvider.swift

@@ -14,8 +14,12 @@ public class CredentialsProvider: CredentialsProviding {
 
     let rawValue: UnsafeMutablePointer<aws_credentials_provider>
 
-    init(credentialsProvider: UnsafeMutablePointer<aws_credentials_provider>) {
+    // TODO: remove this property once aws-c-auth supports account_id
+    private let accountId: String?
+
+    init(credentialsProvider: UnsafeMutablePointer<aws_credentials_provider>, accountId: String? = nil) {
         self.rawValue = credentialsProvider
+        self.accountId = accountId
     }
 
     /// Retrieves credentials from a provider by calling its implementation of get credentials and returns them to
@@ -25,7 +29,10 @@ public class CredentialsProvider: CredentialsProviding {
     /// - Throws: CommonRuntimeError.crtError
     public func getCredentials() async throws -> Credentials {
         return try await withCheckedThrowingContinuation { (continuation: CheckedContinuation<Credentials, Error>) in
-            let continuationCore = ContinuationCore(continuation: continuation)
+            let continuationCore = ContinuationCore(
+                continuation: continuation,
+                userData: ["accountId": accountId as Any]
+            )
             if aws_credentials_provider_get_credentials(rawValue,
                                                         onGetCredentials,
                                                         continuationCore.passRetained()) != AWS_OP_SUCCESS {
@@ -52,6 +59,14 @@ extension CredentialsProvider {
         self.init(credentialsProvider: unsafeProvider)
     }
 
+    // TODO: Remove the following initializer when aws-c-auth provides account_id in credentials
+    /// Creates a credentials provider that sources the credentials from the provided source and `accountId`
+    @_spi(AccountIDTempSupport)
+    public convenience init(source: Source, accountId: String?) throws {
+        let unsafeProvider = try source.makeProvider()
+        self.init(credentialsProvider: unsafeProvider, accountId: accountId)
+    }
+
     /// Create a credentials provider that depends on provider to fetch the credentials.
     /// It will retain the provider until shutdown callback is triggered for AwsCredentialsProvider
     /// - Parameters:
@@ -483,6 +498,7 @@ extension CredentialsProvider.Source {
         Self {
             let shutdownCallbackCore = ShutdownCallbackCore(shutdownCallback)
             var stsOptions = aws_credentials_provider_sts_options()
+            stsOptions.bootstrap = bootstrap.rawValue
             stsOptions.tls_ctx = tlsContext.rawValue
             stsOptions.creds_provider = credentialsProvider.rawValue
             stsOptions.duration_seconds = UInt16(duration)
@@ -593,7 +609,8 @@ private func onGetCredentials(credentials: OpaquePointer?,
     }
 
     // Success
-    continuationCore.continuation.resume(returning: Credentials(rawValue: credentials!))
+    let accountId = continuationCore.userData?["accountId"] as? String
+    continuationCore.continuation.resume(returning: Credentials(rawValue: credentials!, accountId: accountId))
 }
 
 // We need to share this pointer to C in a task block but Swift compiler complains