Adds account ID support for profile credentials provider sources (#4340)

Author: cenedhryn

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/ProcessCredentialsProvider.java

@@ -72,6 +72,7 @@ public final class ProcessCredentialsProvider
     private final List<String> executableCommand;
     private final Duration credentialRefreshThreshold;
     private final long processOutputLimit;
+    private final String staticAccountId;
 
     private final CachedSupplier<AwsCredentials> processCredentialCache;
 
@@ -91,6 +92,7 @@ private ProcessCredentialsProvider(Builder builder) {
         this.commandFromBuilder = builder.command;
         this.commandAsListOfStringsFromBuilder = builder.commandAsListOfStrings;
         this.asyncCredentialUpdateEnabled = builder.asyncCredentialUpdateEnabled;
+        this.staticAccountId = builder.staticAccountId;
 
         CachedSupplier.Builder<AwsCredentials> cacheBuilder = CachedSupplier.builder(this::refreshCredentials)
                                                                             .cachedValueName(toString());
@@ -181,19 +183,21 @@ private AwsCredentials credentials(JsonNode credentialsJson) {
         Validate.notEmpty(accessKeyId, "AccessKeyId cannot be empty.");
         Validate.notEmpty(secretAccessKey, "SecretAccessKey cannot be empty.");
 
+        String resolvedAccountId = accountId == null ? this.staticAccountId : accountId;
+
         return sessionToken != null ?
                AwsSessionCredentials.builder()
                                     .accessKeyId(accessKeyId)
                                     .secretAccessKey(secretAccessKey)
                                     .sessionToken(sessionToken)
                                     .expirationTime(credentialExpirationTime(credentialsJson))
-                                    .accountId(accountId)
+                                    .accountId(resolvedAccountId)
                                     .providerName(PROVIDER_NAME)
                                     .build() :
                AwsBasicCredentials.builder()
                                   .accessKeyId(accessKeyId)
                                   .secretAccessKey(secretAccessKey)
-                                  .accountId(accountId)
+                                  .accountId(resolvedAccountId)
                                   .providerName(PROVIDER_NAME)
                                   .build();
     }
@@ -265,6 +269,7 @@ public static class Builder implements CopyableBuilder<Builder, ProcessCredentia
         private List<String> commandAsListOfStrings;
         private Duration credentialRefreshThreshold = Duration.ofSeconds(15);
         private long processOutputLimit = 64000;
+        private String staticAccountId;
 
         /**
          * @see #builder()
@@ -278,6 +283,7 @@ private Builder(ProcessCredentialsProvider provider) {
             this.commandAsListOfStrings = provider.commandAsListOfStringsFromBuilder;
             this.credentialRefreshThreshold = provider.credentialRefreshThreshold;
             this.processOutputLimit = provider.processOutputLimit;
+            this.staticAccountId = provider.staticAccountId;
         }
 
         /**
@@ -338,6 +344,19 @@ public Builder processOutputLimit(long outputByteLimit) {
             return this;
         }
 
+        /**
+         * Configure a static account id for this credentials provider. Account id for ProcessCredentialsProvider is only
+         * relevant in a context where a service constructs endpoint URL containing an account id.
+         * This option should ONLY be used if the provider should return credentials with account id, and the process does not
+         * output account id. If a static account ID is configured, and the process also returns an account
+         * id, the process output value overrides the static value. If used, the static account id MUST match the credentials
+         * returned by the process.
+         */
+        public Builder staticAccountId(String staticAccountId) {
+            this.staticAccountId = staticAccountId;
+            return this;
+        }
+
         public ProcessCredentialsProvider build() {
             return new ProcessCredentialsProvider(this);
         }

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java

@@ -157,8 +157,11 @@ private Optional<AwsCredentialsProvider> credentialsProvider(Set<String> childre
     private AwsCredentialsProvider basicProfileCredentialsProvider() {
         requireProperties(ProfileProperty.AWS_ACCESS_KEY_ID,
                           ProfileProperty.AWS_SECRET_ACCESS_KEY);
-        AwsCredentials credentials = AwsBasicCredentials.create(properties.get(ProfileProperty.AWS_ACCESS_KEY_ID),
-                                                                     properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY));
+        AwsCredentials credentials = AwsBasicCredentials.builder()
+                                                        .accessKeyId(properties.get(ProfileProperty.AWS_ACCESS_KEY_ID))
+                                                        .secretAccessKey(properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY))
+                                                        .accountId(properties.get(ProfileProperty.AWS_ACCOUNT_ID))
+                                                        .build();
         return StaticCredentialsProvider.create(credentials);
     }
 
@@ -169,9 +172,12 @@ private AwsCredentialsProvider sessionProfileCredentialsProvider() {
         requireProperties(ProfileProperty.AWS_ACCESS_KEY_ID,
                           ProfileProperty.AWS_SECRET_ACCESS_KEY,
                           ProfileProperty.AWS_SESSION_TOKEN);
-        AwsCredentials credentials = AwsSessionCredentials.create(properties.get(ProfileProperty.AWS_ACCESS_KEY_ID),
-                                                                  properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY),
-                                                                  properties.get(ProfileProperty.AWS_SESSION_TOKEN));
+        AwsCredentials credentials = AwsSessionCredentials.builder()
+                                                          .accessKeyId(properties.get(ProfileProperty.AWS_ACCESS_KEY_ID))
+                                                          .secretAccessKey(properties.get(ProfileProperty.AWS_SECRET_ACCESS_KEY))
+                                                          .sessionToken(properties.get(ProfileProperty.AWS_SESSION_TOKEN))
+                                                          .accountId(properties.get(ProfileProperty.AWS_ACCOUNT_ID))
+                                                          .build();
         return StaticCredentialsProvider.create(credentials);
     }
 
@@ -180,6 +186,7 @@ private AwsCredentialsProvider credentialProcessCredentialsProvider() {
 
         return ProcessCredentialsProvider.builder()
                                          .command(properties.get(ProfileProperty.CREDENTIAL_PROCESS))
+                                         .staticAccountId(properties.get(ProfileProperty.AWS_ACCOUNT_ID))
                                          .build();
     }
 

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ProcessCredentialsProviderTest.java

@@ -17,8 +17,6 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.Assertions.within;
-import static software.amazon.awssdk.auth.credentials.internal.ProcessCredentialsTestUtils.copyErrorCaseProcessCredentialsScript;
-import static software.amazon.awssdk.auth.credentials.internal.ProcessCredentialsTestUtils.copyHappyCaseProcessCredentialsScript;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -30,15 +28,19 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Optional;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import software.amazon.awssdk.utils.DateUtils;
 import software.amazon.awssdk.utils.IoUtils;
 import software.amazon.awssdk.utils.Platform;
 
-class ProcessCredentialsProviderTest {
+public class ProcessCredentialsProviderTest {
 
     private static final String PROCESS_RESOURCE_PATH = "/resources/process/";
     private static final String RANDOM_SESSION_TOKEN = "RANDOM_TOKEN";
@@ -52,13 +54,13 @@ class ProcessCredentialsProviderTest {
     private static String errorScriptLocation;
 
     @BeforeAll
-    public static void setup()  {
+    static void setup()  {
         scriptLocation = copyHappyCaseProcessCredentialsScript();
         errorScriptLocation = copyErrorCaseProcessCredentialsScript();
     }
 
     @AfterAll
-    public static void teardown() {
+    static void teardown() {
         if (scriptLocation != null && !new File(scriptLocation).delete()) {
             throw new IllegalStateException("Failed to delete file: " + scriptLocation);
         }
@@ -68,14 +70,47 @@ public static void teardown() {
         }
     }
 
+    @ParameterizedTest(name = "{index} - {0}")
+    @MethodSource("staticCredentialsValues")
+    void staticCredentialsCanBeLoaded(String description, String staticAccountId, Optional<String> expectedValue,
+                                      String cmd) {
+        ProcessCredentialsProvider.Builder providerBuilder = ProcessCredentialsProvider.builder().command(cmd);
+        if (staticAccountId != null) {
+            providerBuilder.staticAccountId(staticAccountId);
+        }
+        AwsCredentials credentials = providerBuilder.build().resolveCredentials();
+
+        verifyCredentials(credentials);
+        assertThat(credentials).isNotInstanceOf(AwsSessionCredentials.class);
+
+        if (expectedValue.isPresent()) {
+            assertThat(credentials.accountId()).isPresent().hasValue(expectedValue.get());
+        } else {
+            assertThat(credentials.accountId()).isNotPresent();
+        }
+    }
+
+    private static List<Arguments> staticCredentialsValues() {
+        return Arrays.asList(
+            Arguments.of("when only containing access key id, secret", null, Optional.empty(),
+                         String.format("%s accessKeyId secretAccessKey", scriptLocation)),
+            Arguments.of("when output has account id", null, Optional.of(ACCOUNT_ID),
+                         String.format("%s %s %s acctid=%s", scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY, ACCOUNT_ID)),
+            Arguments.of("when output has account id, static account id configured", "staticAccountId", Optional.of(ACCOUNT_ID),
+                         String.format("%s %s %s acctid=%s", scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY, ACCOUNT_ID)),
+            Arguments.of("when only static account id is configured", "staticAccountId", Optional.of("staticAccountId"),
+                         String.format("%s %s %s", scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY))
+        );
+    }
+ 
     @Test
     void staticCredentialsCanBeLoaded() {
         AwsCredentials credentials =
-            ProcessCredentialsProvider.builder()
-                                      .command(String.format("%s accessKeyId secretAccessKey", scriptLocation))
-                                      .build()
-                                      .resolveCredentials();
-
+                ProcessCredentialsProvider.builder()
+                                          .command(String.format("%s accessKeyId secretAccessKey", scriptLocation))
+                                          .build()
+                                          .resolveCredentials();
+ 
         assertThat(credentials).isNotInstanceOf(AwsSessionCredentials.class);
         assertThat(credentials.accessKeyId()).isEqualTo(ACCESS_KEY_ID);
         assertThat(credentials.secretAccessKey()).isEqualTo(SECRET_ACCESS_KEY);
@@ -110,17 +145,17 @@ public void staticCredentials_commandAsListOfStrings_CanBeLoaded() {
         assertThat(credentials.secretAccessKey()).isEqualTo("secretAccessKey");
         assertThat(credentials.providerName()).isPresent().contains("ProcessCredentialsProvider");
     }
-
+ 
     @Test
     void sessionCredentialsCanBeLoaded() {
         String expiration = DateUtils.formatIso8601Date(Instant.now());
         ProcessCredentialsProvider credentialsProvider =
-            ProcessCredentialsProvider.builder()
-                                      .command(String.format("%s %s %s token=%s exp=%s",
-                                                             scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY,
-                                                             SESSION_TOKEN, expiration))
-                                      .credentialRefreshThreshold(Duration.ofSeconds(1))
-                                      .build();
+                ProcessCredentialsProvider.builder()
+                                          .command(String.format("%s %s %s token=%s exp=%s",
+                                                                 scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY,
+                                                                 SESSION_TOKEN, expiration))
+                                          .credentialRefreshThreshold(Duration.ofSeconds(1))
+                                          .build();
 
         AwsCredentials credentials = credentialsProvider.resolveCredentials();
         verifySessionCredentials(credentials, expiration);
@@ -142,18 +177,39 @@ void sessionCredentialsWithAccountIdCanBeLoaded() {
         assertThat(credentials.accountId()).isPresent().isEqualTo(Optional.of(ACCOUNT_ID));
     }
 
+    @Test
+    void sessionCredentialsWithStaticAccountIdCanBeLoaded() {
+        String expiration = DateUtils.formatIso8601Date(Instant.now());
+        ProcessCredentialsProvider credentialsProvider =
+            ProcessCredentialsProvider.builder()
+                                      .command(String.format("%s %s %s token=sessionToken exp=%s",
+                                                             scriptLocation, ACCESS_KEY_ID, SECRET_ACCESS_KEY, expiration))
+                                      .credentialRefreshThreshold(Duration.ofSeconds(1))
+                                      .staticAccountId("staticAccountId")
+                                      .build();
+
+        AwsCredentials credentials = credentialsProvider.resolveCredentials();
+        verifySessionCredentials(credentials, expiration);
+        assertThat(credentials.accountId()).isPresent().hasValue("staticAccountId");
+    }
+
     private void verifySessionCredentials(AwsCredentials credentials, String expiration) {
+        verifyCredentials(credentials);
+
         assertThat(credentials).isInstanceOf(AwsSessionCredentials.class);
         AwsSessionCredentials sessionCredentials = (AwsSessionCredentials) credentials;
-
-        assertThat(sessionCredentials.accessKeyId()).isEqualTo(ACCESS_KEY_ID);
-        assertThat(sessionCredentials.secretAccessKey()).isEqualTo(SECRET_ACCESS_KEY);
         assertThat(sessionCredentials.sessionToken()).isEqualTo(SESSION_TOKEN);
+
         assertThat(sessionCredentials.expirationTime()).isPresent();
         Instant exp = sessionCredentials.expirationTime().get();
         assertThat(exp).isCloseTo(expiration, within(1, ChronoUnit.MICROS));
     }
 
+    private void verifyCredentials(AwsCredentials credentials) {
+        assertThat(credentials.accessKeyId()).isEqualTo(ACCESS_KEY_ID);
+        assertThat(credentials.secretAccessKey()).isEqualTo(SECRET_ACCESS_KEY);
+    }
+
     @Test
     void resultsAreCached() {
         ProcessCredentialsProvider credentialsProvider =
@@ -212,7 +268,7 @@ void lackOfExpirationIsCachedForever() {
 
         assertThat(request1).isEqualTo(request2);
     }
-
+ 
     @Test
     public void processOutputLimitIsEnforced() {
         ProcessCredentialsProvider credentialsProvider =
@@ -228,7 +284,6 @@ public void processOutputLimitIsEnforced() {
 
     @Test
     void processOutputLimitDefaultPassesLargeInput() {
-
         String longSessionToken = "lYzvmByqdS1E69QQVEavDDHabQ2GuYKYABKRA4xLbAXpdnFtV030UH4" +
                 "bQoZWCDcfADFvBwBm3ixEFTYMjn5XQozpFV2QAsWHirCVcEJ5DC60KPCNBcDi4KLNJfbsp3r6kKTOmYOeqhEyiC4emDX33X2ppZsa5" +
                 "1iwr6ShIZPOUPmuR4WDglmWubgO2q5tZv48xA5idkcHEmtGdoL343sY24q4gMh21eeBnF6ikjZdfvZ0Mn86UQ8r05AD346rSwM5bFs" +

core/auth/src/test/java/software/amazon/awssdk/auth/credentials/ProfileCredentialsProviderTest.java

@@ -24,6 +24,7 @@
 import java.nio.file.FileSystem;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.Optional;
 import java.util.function.Supplier;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
@@ -114,6 +115,24 @@ void presentProfileReturnsCredentials() {
         assertThat(provider.resolveCredentials()).satisfies(credentials -> {
             assertThat(credentials.accessKeyId()).isEqualTo("defaultAccessKey");
             assertThat(credentials.secretAccessKey()).isEqualTo("defaultSecretAccessKey");
+            assertThat(credentials.accountId()).isNotPresent();
+        });
+    }
+
+    @Test
+    void presentProfileWithAccountIdReturnsCredentialsWithAccountId() {
+        ProfileFile file = profileFile("[default]\n"
+                                       + "aws_access_key_id = defaultAccessKey\n"
+                                       + "aws_secret_access_key = defaultSecretAccessKey\n"
+                                       + "aws_account_id = defaultAccountId");
+
+        ProfileCredentialsProvider provider =
+            ProfileCredentialsProvider.builder().profileFile(file).profileName("default").build();
+
+        assertThat(provider.resolveCredentials()).satisfies(credentials -> {
+            assertThat(credentials.accessKeyId()).isEqualTo("defaultAccessKey");
+            assertThat(credentials.secretAccessKey()).isEqualTo("defaultSecretAccessKey");
+            assertThat(credentials.accountId()).isPresent().isEqualTo(Optional.of("defaultAccountId"));
         });
     }
 
@@ -201,13 +220,15 @@ void resolveCredentials_presentProfileFileSupplier_returnsCredentials() {
         assertThat(provider.resolveCredentials()).satisfies(credentials -> {
             assertThat(credentials.accessKeyId()).isEqualTo("defaultAccessKey");
             assertThat(credentials.secretAccessKey()).isEqualTo("defaultSecretAccessKey");
+            assertThat(credentials.accountId()).isNotPresent();
         });
     }
 
     @Test
     void resolveCredentials_presentSupplierProfileFile_returnsCredentials() {
         Supplier<ProfileFile> supplier = () -> profileFile("[default]\naws_access_key_id = defaultAccessKey\n"
-                                                           + "aws_secret_access_key = defaultSecretAccessKey\n");
+                                                           + "aws_secret_access_key = defaultSecretAccessKey\n"
+                                                           + "aws_account_id = defaultAccountId");
 
         ProfileCredentialsProvider provider =
             ProfileCredentialsProvider.builder()
@@ -218,6 +239,7 @@ void resolveCredentials_presentSupplierProfileFile_returnsCredentials() {
         assertThat(provider.resolveCredentials()).satisfies(credentials -> {
             assertThat(credentials.accessKeyId()).isEqualTo("defaultAccessKey");
             assertThat(credentials.secretAccessKey()).isEqualTo("defaultSecretAccessKey");
+            assertThat(credentials.accountId()).isPresent();
         });
     }