Accept and use the new AWS Credentials interfaces (#3829)

* Accept and use the new AWS Credentials interfaces

In AwsClientBuilder and other places where customers used to be able to provide
AwsCredentialsProvider.

* Update client codegen for endpoint discovery

* Address some of Matt's feedback

* Switch one usage of overrideConfiguration.credentialsProvider

To use the new credentialsIdentityProvider() instead.

* Update tests to mock new IdentityProvider

* Handle null for CredentialUtils conversion methods

* Add IdentityProvider overload to S3CrtAsyncClientBuilder

* Add a TODO for removing a join() later

* Add TODO for AwsCredentialsProviderChain

* Add unit tests and few other minor changes

* Remove unnecessary fallback from AuthorizationStrategyFactory

* Fix test in S3

* Address PR feedback

Author: gosar

codegen/src/main/java/software/amazon/awssdk/codegen/poet/client/AsyncClientClass.java

@@ -363,9 +363,11 @@ protected MethodSpec.Builder operationBody(MethodSpec.Builder builder, Operation
             builder.beginControlFlow("if (endpointDiscoveryEnabled)");
 
             builder.addCode("$T key = $N.overrideConfiguration()", String.class, opModel.getInput().getVariableName())
-                   .addCode("    .flatMap($T::credentialsProvider)", AwsRequestOverrideConfiguration.class)
-                   .addCode("    .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_PROVIDER))", AwsClientOption.class)
-                   .addCode("    .resolveCredentials().accessKeyId();");
+                   .addCode("    .flatMap($T::credentialsIdentityProvider)", AwsRequestOverrideConfiguration.class)
+                   .addCode("    .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_IDENTITY_PROVIDER))",
+                            AwsClientOption.class)
+                   // TODO: avoid join inside async
+                   .addCode("    .resolveIdentity().join().accessKeyId();");
 
             builder.addCode("$1T endpointDiscoveryRequest = $1T.builder()", EndpointDiscoveryRequest.class)
                    .addCode("    .required($L)", opModel.getInputShape().getEndpointDiscovery().isRequired())

codegen/src/main/java/software/amazon/awssdk/codegen/poet/client/SyncClientClass.java

@@ -244,9 +244,10 @@ private List<MethodSpec> operationMethodSpecs(OperationModel opModel) {
             method.beginControlFlow("if (endpointDiscoveryEnabled)");
 
             method.addCode("$T key = $N.overrideConfiguration()", String.class, opModel.getInput().getVariableName())
-                  .addCode("    .flatMap($T::credentialsProvider)", AwsRequestOverrideConfiguration.class)
-                  .addCode("    .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_PROVIDER))", AwsClientOption.class)
-                  .addCode("    .resolveCredentials().accessKeyId();");
+                  .addCode("    .flatMap($T::credentialsIdentityProvider)", AwsRequestOverrideConfiguration.class)
+                  .addCode("    .orElseGet(() -> clientConfiguration.option($T.CREDENTIALS_IDENTITY_PROVIDER))",
+                           AwsClientOption.class)
+                  .addCode("    .resolveIdentity().join().accessKeyId();");
 
             method.addCode("$1T endpointDiscoveryRequest = $1T.builder()", EndpointDiscoveryRequest.class)
                   .addCode("    .required($L)", opModel.getInputShape().getEndpointDiscovery().isRequired())

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/client/test-endpoint-discovery-async.java

@@ -174,9 +174,9 @@ public CompletableFuture<TestDiscoveryIdentifiersRequiredResponse> testDiscovery
             URI cachedEndpoint = null;
             if (endpointDiscoveryEnabled) {
                 String key = testDiscoveryIdentifiersRequiredRequest.overrideConfiguration()
-                                                                    .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                                    .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                                    .accessKeyId();
+                                                                    .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                                    .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                                    .resolveIdentity().join().accessKeyId();
                 EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
                                                                                             .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                             .overrideConfiguration(testDiscoveryIdentifiersRequiredRequest.overrideConfiguration().orElse(null))
@@ -242,9 +242,9 @@ public CompletableFuture<TestDiscoveryOptionalResponse> testDiscoveryOptional(
             URI cachedEndpoint = null;
             if (endpointDiscoveryEnabled) {
                 String key = testDiscoveryOptionalRequest.overrideConfiguration()
-                                                         .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                         .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                         .accessKeyId();
+                                                         .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                         .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                         .resolveIdentity().join().accessKeyId();
                 EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(false)
                                                                                             .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                             .overrideConfiguration(testDiscoveryOptionalRequest.overrideConfiguration().orElse(null)).build();
@@ -317,9 +317,9 @@ public CompletableFuture<TestDiscoveryRequiredResponse> testDiscoveryRequired(
             URI cachedEndpoint = null;
             if (endpointDiscoveryEnabled) {
                 String key = testDiscoveryRequiredRequest.overrideConfiguration()
-                                                         .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                         .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                         .accessKeyId();
+                                                         .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                         .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                         .resolveIdentity().join().accessKeyId();
                 EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
                                                                                             .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                             .overrideConfiguration(testDiscoveryRequiredRequest.overrideConfiguration().orElse(null)).build();

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/client/test-endpoint-discovery-sync.java

@@ -151,9 +151,9 @@ public TestDiscoveryIdentifiersRequiredResponse testDiscoveryIdentifiersRequired
         URI cachedEndpoint = null;
         if (endpointDiscoveryEnabled) {
             String key = testDiscoveryIdentifiersRequiredRequest.overrideConfiguration()
-                                                                .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                                .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                                .accessKeyId();
+                                                                .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                                .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                                .resolveIdentity().join().accessKeyId();
             EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
                                                                                         .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                         .overrideConfiguration(testDiscoveryIdentifiersRequiredRequest.overrideConfiguration().orElse(null)).build();
@@ -208,9 +208,9 @@ public TestDiscoveryOptionalResponse testDiscoveryOptional(TestDiscoveryOptional
         URI cachedEndpoint = null;
         if (endpointDiscoveryEnabled) {
             String key = testDiscoveryOptionalRequest.overrideConfiguration()
-                                                     .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                     .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                     .accessKeyId();
+                                                     .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                     .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                     .resolveIdentity().join().accessKeyId();
             EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(false)
                                                                                         .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                         .overrideConfiguration(testDiscoveryOptionalRequest.overrideConfiguration().orElse(null)).build();
@@ -272,9 +272,9 @@ public TestDiscoveryRequiredResponse testDiscoveryRequired(TestDiscoveryRequired
         URI cachedEndpoint = null;
         if (endpointDiscoveryEnabled) {
             String key = testDiscoveryRequiredRequest.overrideConfiguration()
-                                                     .flatMap(AwsRequestOverrideConfiguration::credentialsProvider)
-                                                     .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_PROVIDER)).resolveCredentials()
-                                                     .accessKeyId();
+                                                     .flatMap(AwsRequestOverrideConfiguration::credentialsIdentityProvider)
+                                                     .orElseGet(() -> clientConfiguration.option(AwsClientOption.CREDENTIALS_IDENTITY_PROVIDER))
+                                                     .resolveIdentity().join().accessKeyId();
             EndpointDiscoveryRequest endpointDiscoveryRequest = EndpointDiscoveryRequest.builder().required(true)
                                                                                         .defaultEndpoint(clientConfiguration.option(SdkClientOption.ENDPOINT))
                                                                                         .overrideConfiguration(testDiscoveryRequiredRequest.overrideConfiguration().orElse(null)).build();

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/CredentialUtils.java

@@ -16,6 +16,9 @@
 package software.amazon.awssdk.auth.credentials;
 
 import software.amazon.awssdk.annotations.SdkProtectedApi;
+import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
+import software.amazon.awssdk.identity.spi.AwsSessionCredentialsIdentity;
+import software.amazon.awssdk.identity.spi.IdentityProvider;
 
 @SdkProtectedApi
 public final class CredentialUtils {
@@ -28,6 +31,76 @@ private CredentialUtils() {
      * authenticate themselves.
      */
     public static boolean isAnonymous(AwsCredentials credentials) {
+        return isAnonymous((AwsCredentialsIdentity) credentials);
+    }
+
+    /**
+     * Determine whether the provided credentials are anonymous credentials, indicating that the customer is not attempting to
+     * authenticate themselves.
+     */
+    public static boolean isAnonymous(AwsCredentialsIdentity credentials) {
         return credentials.secretAccessKey() == null && credentials.accessKeyId() == null;
     }
+
+    /**
+     * Converts an {@link AwsCredentialsIdentity} to {@link AwsCredentials}.
+     *
+     * <p>Usage of the new AwsCredentialsIdentity type is preferred over AwsCredentials. But some places may need to still
+     * convert to the older AwsCredentials type to work with existing code.</p>
+     *
+     * <p>The conversion is only aware of {@link AwsCredentialsIdentity} and {@link AwsSessionCredentialsIdentity} types. If the
+     * input is another sub-type that has other properties, they are not carried over. i.e.,
+     * <ul>
+     *     <li>AwsSessionCredentialsIdentity -> AwsSessionCredentials</li>
+     *     <li>AwsCredentialsIdentity -> AwsBasicCredentials</li>
+     * </ul>
+     * </p>
+     *
+     * @param awsCredentialsIdentity The {@link AwsCredentialsIdentity} to convert
+     * @return The corresponding {@link AwsCredentials}
+     */
+    public static AwsCredentials toCredentials(AwsCredentialsIdentity awsCredentialsIdentity) {
+        if (awsCredentialsIdentity == null) {
+            return null;
+        }
+        if (awsCredentialsIdentity instanceof AwsCredentials) {
+            return (AwsCredentials) awsCredentialsIdentity;
+        }
+
+        // identity-spi defines 2 known types - AwsCredentialsIdentity and a sub-type AwsSessionCredentialsIdentity
+        if (awsCredentialsIdentity instanceof AwsSessionCredentialsIdentity) {
+            AwsSessionCredentialsIdentity awsSessionCredentialsIdentity = (AwsSessionCredentialsIdentity) awsCredentialsIdentity;
+            return AwsSessionCredentials.create(awsSessionCredentialsIdentity.accessKeyId(),
+                                                awsSessionCredentialsIdentity.secretAccessKey(),
+                                                awsSessionCredentialsIdentity.sessionToken());
+        }
+        if (isAnonymous(awsCredentialsIdentity)) {
+            return AwsBasicCredentials.ANONYMOUS_CREDENTIALS;
+        }
+        return AwsBasicCredentials.create(awsCredentialsIdentity.accessKeyId(),
+                                          awsCredentialsIdentity.secretAccessKey());
+    }
+
+    /**
+     * Converts an {@link IdentityProvider<? extends AwsCredentialsIdentity>} to {@link AwsCredentialsProvider} based on
+     * {@link #toCredentials(AwsCredentialsIdentity)}.
+     *
+     * <p>Usage of the new IdentityProvider type is preferred over AwsCredentialsProvider. But some places may need to still
+     * convert to the older AwsCredentialsProvider type to work with existing code.
+     * </p>
+     *
+     * @param identityProvider The {@link IdentityProvider<? extends AwsCredentialsIdentity>} to convert
+     * @return The corresponding {@link AwsCredentialsProvider}
+     */
+    public static AwsCredentialsProvider toCredentialsProvider(
+            IdentityProvider<? extends AwsCredentialsIdentity> identityProvider) {
+        if (identityProvider == null) {
+            return null;
+        }
+        return () -> {
+            // TODO: Exception handling for CompletionException thrown from join?
+            AwsCredentialsIdentity awsCredentialsIdentity = identityProvider.resolveIdentity().join();
+            return toCredentials(awsCredentialsIdentity);
+        };
+    }
 }