smithy-lang · jdisanti · Oct 17, 2023 · Aug 11, 2023 · Aug 11, 2023 · Aug 14, 2023
@@ -20,62 +20,62 @@ jobs:
     name: Verify TLS configuration
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages
-        shell: bash
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
-          pip3 install certbuilder crlbuilder
-      - name: Stop nginx
-        run: sudo systemctl stop nginx
-      - name: Checkout smithy-rs
-        uses: actions/checkout@v3
-        with:
-          path: ./smithy-rs
-      - name: Checkout trytls
-        uses: actions/checkout@v3
-        with:
-          repository: ouspg/trytls
-          path: ./trytls
-      - name: Checkout badtls
-        uses: actions/checkout@v3
-        with:
-          repository: wbond/badtls.io
-          path: ./badtls.io
-      - name: Checkout badssl
-        uses: actions/checkout@v3
-        with:
-          repository: chromium/badssl.com
-          path: ./badssl.com
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@master
-        with:
-          toolchain: ${{ env.rust_version }}
-      - name: Build badssl.com
-        shell: bash
-        working-directory: badssl.com
-        env:
-          DOCKER_BUILDKIT: 1
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badssl
-      - name: Build SDK
-        working-directory: smithy-rs
-        run: ./gradlew :aws:sdk:assemble -Paws.services=+sts,+sso
-      - name: Build trytls
-        shell: bash
-        working-directory: trytls
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-trytls
-      - name: Build badtls.io
-        working-directory: badtls.io
-        shell: bash
-        run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badtls
-      - name: Update TLS configuration
-        shell: bash
-        run: smithy-rs/tools/ci-scripts/configure-tls/update-certs
-      - name: Build TLS stub
-        working-directory: smithy-rs/tools/ci-resources/tls-stub
-        shell: bash
-        run: cargo build
-      - name: Test TLS configuration
-        working-directory: smithy-rs/tools
-        shell: bash
-        run: trytls https target/debug/stub
+    - name: Install packages
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
+        pip3 install certbuilder crlbuilder
+    - name: Stop nginx
+      run: sudo systemctl stop nginx
+    - name: Checkout smithy-rs
+      uses: actions/checkout@v3
+      with:
+        path: ./smithy-rs
+    - name: Checkout trytls
+      uses: actions/checkout@v3
+      with:
+        repository: ouspg/trytls
+        path: ./trytls
+    - name: Checkout badtls
+      uses: actions/checkout@v3
+      with:
+        repository: wbond/badtls.io
+        path: ./badtls.io
+    - name: Checkout badssl
+      uses: actions/checkout@v3
+      with:
+        repository: chromium/badssl.com
+        path: ./badssl.com
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: ${{ env.rust_version }}
+    - name: Build badssl.com
+      shell: bash
+      working-directory: badssl.com
+      env:
+        DOCKER_BUILDKIT: 1
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badssl
+    - name: Build SDK
+      working-directory: smithy-rs
+      run: ./gradlew :aws:sdk:assemble -Paws.services=+sts,+sso,+ssooidc
+    - name: Build trytls
+      shell: bash
+      working-directory: trytls
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-trytls
+    - name: Build badtls.io
+      working-directory: badtls.io
+      shell: bash
+      run: ../smithy-rs/tools/ci-scripts/configure-tls/configure-badtls
+    - name: Update TLS configuration
+      shell: bash
+      run: smithy-rs/tools/ci-scripts/configure-tls/update-certs
+    - name: Build TLS stub
+      working-directory: smithy-rs/tools/ci-resources/tls-stub
+      shell: bash
+      run: cargo build
+    - name: Test TLS configuration
+      working-directory: smithy-rs/tools
+      shell: bash
+      run: trytls https target/debug/stub
@@ -11,6 +11,18 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+[[aws-sdk-rust]]
+message = "(Behavior Break!) The SSO credentials provider is no longer enabled by default in `aws-config`, and so SSO profile config will no longer work out of box. The `credentials-sso` feature in `aws-config` was removed from the default features, and renamed to `sso`. If you need credentials from SSO, then enable the `sso` feature in `aws-config`."
+references = ["smithy-rs#2917"]
+meta = { "breaking" = true, "tada" = false, "bug" = false }
+author = "jdisanti"
+
+[[aws-sdk-rust]]
+message = "The `SsoCredentialsProvider` now supports token refresh and is compatible with the token cache file paths the latest AWS CLI uses."
+references = ["smithy-rs#2917", "aws-sdk-rust#703", "aws-sdk-rust#699"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "jdisanti"
+
 [[aws-sdk-rust]]
 message = "`RuntimeComponents` are now re-exported so that implementing a custom interceptor doens't require directly depending on `aws-smithy-runtime-api`."
 references = ["smithy-rs#2904", "aws-sdk-rust#862"]
@@ -34,3 +46,9 @@ message = "Fix requests to S3 with `no_credentials` set."
 references = ["smithy-rs#2907", "aws-sdk-rust#864"]
 meta = { "breaking" = false, "tada" = false, "bug" = true }
 author = "jdisanti"
+
+[[smithy-rs]]
+message = "`RuntimeComponents` have been added as an argument to the `IdentityResolver::resolve_identity` trait function."
+references = ["smithy-rs#2917"]
+meta = { "breaking" = true, "tada" = false, "bug" = false, "target" = "client"}
+author = "jdisanti"
@@ -14,19 +14,21 @@ rustls = ["aws-smithy-client/rustls", "client-hyper"]
 native-tls = []
 allow-compilation = [] # our tests use `cargo test --all-features` and native-tls breaks CI
 rt-tokio = ["aws-smithy-async/rt-tokio", "tokio/rt"]
-credentials-sso = ["dep:aws-sdk-sso", "dep:ring", "dep:hex", "dep:zeroize"]
+sts = ["dep:aws-sdk-sts"]
+sso = ["dep:aws-sdk-sso", "dep:aws-sdk-ssooidc", "dep:ring", "dep:hex", "dep:zeroize", "aws-smithy-runtime-api/http-auth"]
 
-default = ["client-hyper", "rustls", "rt-tokio", "credentials-sso"]
+default = ["client-hyper", "rustls", "rt-tokio", "sts"]
 
 [dependencies]
 aws-credential-types = { path = "../../sdk/build/aws-sdk/sdk/aws-credential-types" }
 aws-http = { path = "../../sdk/build/aws-sdk/sdk/aws-http" }
-aws-sdk-sts = { path = "../../sdk/build/aws-sdk/sdk/sts", default-features = false }
+aws-sdk-sts = { path = "../../sdk/build/aws-sdk/sdk/sts", default-features = false, optional = true }
 aws-smithy-async = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-async" }
 aws-smithy-client = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-client", default-features = false }
 aws-smithy-http = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-http" }
 aws-smithy-http-tower = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-http-tower" }
 aws-smithy-json = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-json" }
+aws-smithy-runtime-api = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime-api" }
 aws-smithy-types = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-types" }
 aws-types = { path = "../../sdk/build/aws-sdk/sdk/aws-types" }
 hyper = { version = "0.14.26", default-features = false }
@@ -47,6 +49,9 @@ ring = { version = "0.16", optional = true }
 hex = { version = "0.4.3", optional = true }
 zeroize = { version = "1", optional = true }
 
+# implementation detail of SSO OIDC `CreateToken` for SSO token providers
+aws-sdk-ssooidc = { path = "../../sdk/build/aws-sdk/sdk/ssooidc", default-features = false, optional = true }
+
 [dev-dependencies]
 futures-util = { version = "0.3.16", default-features = false }
 tracing-test = "0.2.1"
@@ -63,6 +68,8 @@ serde_json = "1"
 
 aws-credential-types = { path = "../../sdk/build/aws-sdk/sdk/aws-credential-types", features = ["test-util"] }
 aws-smithy-client = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-client", features = ["test-util", "rt-tokio", "client-hyper"] }
+aws-smithy-runtime-api = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime-api", features = ["test-util"] }
+aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["test-util"] }
 
 # used for a usage example
 hyper-rustls = { version = "0.24", features = ["webpki-tokio", "http2", "http1"] }

@@ -20,6 +20,7 @@ allowed_external_types = [
    "aws_smithy_http::endpoint",
    "aws_smithy_http::endpoint::error::InvalidEndpointError",
    "aws_smithy_http::result::SdkError",
+   "aws_smithy_runtime_api::*",
    "aws_smithy_types::retry",
    "aws_smithy_types::retry::*",
    "aws_smithy_types::timeout",

@@ -94,6 +94,7 @@ impl ProvideCredentials for DefaultCredentialsChain {
 #[derive(Debug, Default)]
 pub struct Builder {
     profile_file_builder: crate::profile::credentials::Builder,
+    #[cfg(feature = "sts")]
     web_identity_builder: crate::web_identity_token::Builder,
     imds_builder: crate::imds::credentials::Builder,
     ecs_builder: crate::ecs::Builder,
@@ -182,13 +183,19 @@ impl Builder {
 
         let env_provider = EnvironmentVariableCredentialsProvider::new_with_env(conf.env());
         let profile_provider = self.profile_file_builder.configure(&conf).build();
+        #[cfg(feature = "sts")]
         let web_identity_token_provider = self.web_identity_builder.configure(&conf).build();
         let imds_provider = self.imds_builder.configure(&conf).build();
         let ecs_provider = self.ecs_builder.configure(&conf).build();
 
-        let provider_chain = CredentialsProviderChain::first_try("Environment", env_provider)
-            .or_else("Profile", profile_provider)
-            .or_else("WebIdentityToken", web_identity_token_provider)
+        let mut provider_chain = CredentialsProviderChain::first_try("Environment", env_provider)
+            .or_else("Profile", profile_provider);
+        #[cfg(feature = "sts")]
+        {
+            provider_chain =
+                provider_chain.or_else("WebIdentityToken", web_identity_token_provider);
+        }
+        provider_chain = provider_chain
             .or_else("EcsContainer", ecs_provider)
             .or_else("Ec2InstanceMetadata", imds_provider);
 
@@ -268,21 +275,30 @@ mod test {
 
     make_test!(prefer_environment);
     make_test!(profile_static_keys);
+    #[cfg(feature = "sts")]
     make_test!(web_identity_token_env);
+    #[cfg(feature = "sts")]
     make_test!(web_identity_source_profile_no_env);
+    #[cfg(feature = "sts")]
     make_test!(web_identity_token_invalid_jwt);
+    #[cfg(feature = "sts")]
     make_test!(web_identity_token_source_profile);
+    #[cfg(feature = "sts")]
     make_test!(web_identity_token_profile);
     make_test!(profile_name);
+    #[cfg(feature = "sts")]
     make_test!(profile_overrides_web_identity);
     make_test!(environment_variables_blank);
+    #[cfg(feature = "sts")]
     make_test!(imds_token_fail);
 
+    #[cfg(feature = "sts")]
     make_test!(imds_no_iam_role);
     make_test!(imds_default_chain_error);
     make_test!(imds_default_chain_success, builder: |config| {
         config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
     });
+    #[cfg(feature = "sts")]
     make_test!(imds_assume_role);
     make_test!(imds_config_with_no_creds, builder: |config| {
         config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
@@ -291,19 +307,20 @@ mod test {
     make_test!(imds_default_chain_retries, builder: |config| {
         config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
     });
+    #[cfg(feature = "sts")]
     make_test!(ecs_assume_role);
     make_test!(ecs_credentials);
     make_test!(ecs_credentials_invalid_profile);
 
-    #[cfg(not(feature = "credentials-sso"))]
-    make_test!(sso_assume_role #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: credentials-sso")]);
-    #[cfg(not(feature = "credentials-sso"))]
-    make_test!(sso_no_token_file #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: credentials-sso")]);
+    #[cfg(not(feature = "sso"))]
+    make_test!(sso_assume_role #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
+    #[cfg(not(feature = "sso"))]
+    make_test!(sso_no_token_file #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
 
-    #[cfg(feature = "credentials-sso")]
+    #[cfg(feature = "sso")]
     make_test!(sso_assume_role);
 
-    #[cfg(feature = "credentials-sso")]
+    #[cfg(feature = "sso")]
     make_test!(sso_no_token_file);
 
     #[tokio::test]

diff --git a/aws/rust-runtime/aws-config/src/imds/region.rs b/aws/rust-runtime/aws-config/src/imds/region.rs
@@ -117,11 +117,11 @@ mod test {
     use crate::imds::client::test::{imds_request, imds_response, token_request, token_response};
     use crate::imds::region::ImdsRegionProvider;
     use crate::provider_config::ProviderConfig;
-    use aws_sdk_sts::config::Region;
     use aws_smithy_async::rt::sleep::TokioSleep;
     use aws_smithy_client::erase::DynConnector;
     use aws_smithy_client::test_connection::TestConnection;
     use aws_smithy_http::body::SdkBody;
+    use aws_types::region::Region;
     use tracing_test::traced_test;
 
     #[tokio::test]

@@ -122,11 +122,13 @@ pub mod meta;
 pub mod profile;
 pub mod provider_config;
 pub mod retry;
-#[cfg(feature = "credentials-sso")]
+#[cfg(feature = "sso")]
 pub mod sso;
 pub(crate) mod standard_property;
+#[cfg(feature = "sts")]
 pub mod sts;
 pub mod timeout;
+#[cfg(feature = "sts")]
 pub mod web_identity_token;
 
 /// Create an environment loader for AWS Configuration