aws-sdk-core 3.209.1 → 3.228.0

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -17,61 +17,66 @@ module Aws
       option(:profile,
         doc_default: 'default',
         doc_type: String,
-        docstring: <<-DOCS)
-Used when loading credentials from the shared credentials file
-at HOME/.aws/credentials.  When not specified, 'default' is used.
+        docstring: <<~DOCS)
+          Used when loading credentials from the shared credentials file at `HOME/.aws/credentials`.
+          When not specified, 'default' is used.
         DOCS
 
       option(:credentials,
         required: true,
         doc_type: 'Aws::CredentialProvider',
         rbs_type: 'untyped',
-        docstring: <<-DOCS
-Your AWS credentials. This can be an instance of any one of the
-following classes:
-
-* `Aws::Credentials` - Used for configuring static, non-refreshing
-  credentials.
-
-* `Aws::SharedCredentials` - Used for loading static credentials from a
-  shared file, such as `~/.aws/config`.
-
-* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
-
-* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
-  assume a role after providing credentials via the web.
-
-* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
-  access token generated from `aws login`.
-
-* `Aws::ProcessCredentials` - Used for loading credentials from a
-  process that outputs to stdout.
-
-* `Aws::InstanceProfileCredentials` - Used for loading credentials
-  from an EC2 IMDS on an EC2 instance.
-
-* `Aws::ECSCredentials` - Used for loading credentials from
-  instances running in ECS.
-
-* `Aws::CognitoIdentityCredentials` - Used for loading credentials
-  from the Cognito Identity service.
-
-When `:credentials` are not configured directly, the following
-locations will be searched for credentials:
-
-* `Aws.config[:credentials]`
-* The `:access_key_id`, `:secret_access_key`, `:session_token`, and
-  `:account_id` options.
-* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
-  ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
-* `~/.aws/credentials`
-* `~/.aws/config`
-* EC2/ECS IMDS instance profile - When used by default, the timeouts
-  are very aggressive. Construct and pass an instance of
-  `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
-  enable retries and extended timeouts. Instance profile credential
-  fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
-  to true.
+        docstring: <<~DOCS
+          Your AWS credentials used for authentication. This can be an instance of any one of the
+          following classes:
+
+          * `Aws::Credentials` - Used for configuring static, non-refreshing
+            credentials.
+
+          * `Aws::SharedCredentials` - Used for loading static credentials from a
+            shared file, such as `~/.aws/config`.
+
+          * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+
+          * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+            assume a role after providing credentials via the web.
+
+          * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+            access token generated from `aws login`.
+
+          * `Aws::ProcessCredentials` - Used for loading credentials from a
+            process that outputs to stdout.
+
+          * `Aws::InstanceProfileCredentials` - Used for loading credentials
+            from an EC2 IMDS on an EC2 instance.
+
+          * `Aws::ECSCredentials` - Used for loading credentials from
+            instances running in ECS.
+
+          * `Aws::CognitoIdentityCredentials` - Used for loading credentials
+            from the Cognito Identity service.
+
+          When `:credentials` are not configured directly, the following
+          locations will be searched for credentials:
+
+          * `Aws.config[:credentials]`
+          
+          * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
+            `:account_id` options.
+            
+          * `ENV['AWS_ACCESS_KEY_ID']`, `ENV['AWS_SECRET_ACCESS_KEY']`,
+            `ENV['AWS_SESSION_TOKEN']`, and `ENV['AWS_ACCOUNT_ID']`.
+            
+          * `~/.aws/credentials`
+          
+          * `~/.aws/config`
+          
+          * EC2/ECS IMDS instance profile - When used by default, the timeouts
+            are very aggressive. Construct and pass an instance of
+            `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
+            enable retries and extended timeouts. Instance profile credential
+            fetching can be disabled by setting `ENV['AWS_EC2_METADATA_DISABLED']`
+            to `true`.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve
@@ -82,30 +87,40 @@ locations will be searched for credentials:
       option(:instance_profile_credentials_timeout, 1)
 
       option(:token_provider,
-             required: false,
-             doc_type: 'Aws::TokenProvider',
-             rbs_type: 'untyped',
-             docstring: <<-DOCS
-A Bearer Token Provider. This can be an instance of any one of the
-following classes:
-
-* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
-  tokens.
-
-* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
-  access token generated from `aws login`.
-
-When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
-will be used to search for tokens configured for your profile in shared configuration files.
-      DOCS
+        doc_type: 'Aws::TokenProvider',
+        rbs_type: 'untyped',
+        docstring: <<~DOCS
+          Your Bearer token used for authentication. This can be an instance of any one of the
+          following classes:
+
+          * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+            tokens.
+
+          * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+            access token generated from `aws login`.
+
+          When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+          will be used to search for tokens configured for your profile in shared configuration files.
+        DOCS
       ) do |config|
-        if config.stub_responses
-          StaticTokenProvider.new('token')
-        else
-          TokenProviderChain.new(config).resolve
-        end
+        TokenProviderChain.new(config).resolve
       end
 
+      option(:auth_scheme_preference,
+        doc_type: 'Array<String>',
+        rbs_type: 'Array[String]',
+        docstring: <<~DOCS
+          A list of preferred authentication schemes to use when making a request. Supported values are:
+          `sigv4`, `sigv4a`, `httpBearerAuth`, and `noAuth`. When set using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or in
+          shared config as `auth_scheme_preference`, the value should be a comma-separated list.
+        DOCS
+      ) do |config|
+        value =
+          ENV['AWS_AUTH_SCHEME_PREFERENCE'] ||
+          Aws.shared_config.auth_scheme_preference(profile: config.profile) ||
+          ''
+        value.gsub(' ', '').gsub("\t", '').split(',')
+      end
     end
   end
 end

data/lib/aws-sdk-core/plugins/endpoint_pattern.rb

@@ -4,62 +4,70 @@ module Aws
   module Plugins
     # @api private
     class EndpointPattern < Seahorse::Client::Plugin
-
-      option(:disable_host_prefix_injection,
+      option(
+        :disable_host_prefix_injection,
         default: false,
         doc_type: 'Boolean',
-        docstring: <<-DOCS
-Set to true to disable SDK automatically adding host prefix
-to default service endpoint when available.
-        DOCS
-      )
+        docstring: 'When `true`, the SDK will not prepend the modeled host prefix to the endpoint.'
+      ) do |cfg|
+        resolve_disable_host_prefix_injection(cfg)
+      end
 
-      def add_handlers(handlers, config)
+      def add_handlers(handlers, _config)
         handlers.add(Handler, priority: 10)
       end
 
-      class Handler < Seahorse::Client::Handler
+      class << self
+        private
+
+        def resolve_disable_host_prefix_injection(cfg)
+          value = ENV['AWS_DISABLE_HOST_PREFIX_INJECTION'] ||
+                  Aws.shared_config.disable_host_prefix_injection(profile: cfg.profile) ||
+                  'false'
+          value = Aws::Util.str_2_bool(value)
+          unless [true, false].include?(value)
+            raise ArgumentError,
+                  'Must provide either `true` or `false` for '\
+                    'disable_host_prefix_injection profile option or for '\
+                    'ENV[\'AWS_DISABLE_HOST_PREFIX_INJECTION\']'
+          end
+          value
+        end
+      end
 
+      # @api private
+      class Handler < Seahorse::Client::Handler
         def call(context)
-          if !context.config.disable_host_prefix_injection
+          unless context.config.disable_host_prefix_injection
             endpoint_trait = context.operation.endpoint_pattern
-            if endpoint_trait && !endpoint_trait.empty?
-              _apply_endpoint_trait(context, endpoint_trait)
-            end
+            apply_endpoint_trait(context, endpoint_trait) if endpoint_trait && !endpoint_trait.empty?
           end
           @handler.call(context)
         end
 
         private
 
-        def _apply_endpoint_trait(context, trait)
-          # currently only support host pattern
-          ori_host = context.http_request.endpoint.host
-          if pattern = trait['hostPrefix']
-            host_prefix = pattern.gsub(/\{.+?\}/) do |label|
-              label = label.delete("{}")
-              _replace_label_value(
-                ori_host, label, context.operation.input, context.params)
-            end
-            context.http_request.endpoint.host = host_prefix + context.http_request.endpoint.host
+        def apply_endpoint_trait(context, trait)
+          pattern = trait['hostPrefix']
+          return unless pattern
+
+          host_prefix = pattern.gsub(/\{.+?}/) do |label|
+            label = label.delete('{}')
+            replace_label_value(label, context.operation.input, context.params)
           end
+          context.http_request.endpoint.host = host_prefix + context.http_request.endpoint.host
         end
 
-        def _replace_label_value(ori, label, input_ref, params)
+        def replace_label_value(label, input_ref, params)
           name = nil
           input_ref.shape.members.each do |m_name, ref|
-            if ref['hostLabel'] && ref['hostLabelName'] == label
-              name = m_name
-            end
-          end
-          if name.nil? || params[name].nil?
-            raise Errors::MissingEndpointHostLabelValue.new(name)
+            name = m_name if ref['hostLabel'] && ref['hostLabelName'] == label
           end
+          raise Errors::MissingEndpointHostLabelValue, name if name.nil? || params[name].nil?
+
           params[name]
         end
-
       end
-
     end
   end
 end

data/lib/aws-sdk-core/plugins/http_checksum.rb

@@ -11,8 +11,8 @@ module Aws
         CHUNK_SIZE = 1 * 1024 * 1024 # one MB
 
         def call(context)
-          if checksum_required?(context) &&
-             !context[:checksum_algorithms] && # skip in favor of flexible checksum
+          if context.operation.http_checksum_required &&
+             !context[:http_checksum][:request_algorithm] && # skip in favor of flexible checksum
              !context[:s3_express_endpoint] # s3 express endpoints do not support md5
             body = context.http_request.body
             context.http_request.headers['Content-Md5'] ||= md5(body)
@@ -22,12 +22,6 @@ module Aws
 
         private
 
-        def checksum_required?(context)
-          context.operation.http_checksum_required ||
-            (context.operation.http_checksum &&
-              context.operation.http_checksum['requestChecksumRequired'])
-        end
-
         # @param [File, Tempfile, IO#read, String] value
         # @return [String<MD5>]
         def md5(value)

data/lib/aws-sdk-core/plugins/regional_endpoint.rb

@@ -20,7 +20,7 @@ a default `:region` is searched for in the following locations:
 * `ENV['AWS_DEFAULT_REGION']`
 * `~/.aws/credentials`
 * `~/.aws/config`
-        DOCS
+             DOCS
         resolve_region(cfg)
       end
 
@@ -35,7 +35,7 @@ in the following locations:
 * `Aws.config[:sigv4a_signing_region_set]`
 * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
 * `~/.aws/config`
-        DOCS
+             DOCS
         resolve_sigv4a_signing_region_set(cfg)
       end
 
@@ -44,7 +44,7 @@ in the following locations:
         docstring: <<-DOCS) do |cfg|
 When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
 will be used if available.
-        DOCS
+             DOCS
         resolve_use_dualstack_endpoint(cfg)
       end
 
@@ -54,7 +54,7 @@ will be used if available.
 When set to `true`, fips compatible endpoints will be used if available.
 When a `fips` region is used, the region is normalized and this config
 is set to `true`.
-        DOCS
+             DOCS
         resolve_use_fips_endpoint(cfg)
       end
 
@@ -67,7 +67,7 @@ is set to `true`.
         docstring: <<-DOCS) do |cfg|
 Setting to true disables use of endpoint URLs provided via environment 
 variables and the shared configuration file.
-        DOCS
+             DOCS
         resolve_ignore_configured_endpoint_urls(cfg)
       end
 
@@ -75,7 +75,7 @@ variables and the shared configuration file.
 The client endpoint is normally constructed from the `:region`
 option. You should only configure an `:endpoint` when connecting
 to test or custom endpoints. This should be a valid HTTP(S) URI.
-        DOCS
+      DOCS
         resolve_endpoint(cfg)
       end
 
@@ -83,6 +83,9 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
         region = client.config.region
         raise Errors::MissingRegionError if region.nil? || region == ''
 
+        # resolve a default endpoint to preserve legacy behavior
+        initialize_default_endpoint(client) if client.config.endpoint.nil?
+
         region_set = client.config.sigv4a_signing_region_set
         return if region_set.nil?
         raise Errors::InvalidRegionSetError unless region_set.is_a?(Array)
@@ -93,6 +96,39 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
         client.config.sigv4a_signing_region_set = region_set
       end
 
+      private
+
+      def initialize_default_endpoint(client)
+        client_module = Object.const_get(client.class.name.rpartition('::').first)
+        param_class = client_module.const_get(:EndpointParameters)
+        endpoint_provider = client.config.endpoint_provider
+        params = param_class.create(client.config)
+        endpoint = endpoint_provider.resolve_endpoint(params)
+        client.config.endpoint = endpoint.url
+      rescue ArgumentError, NameError
+        # fallback to legacy
+        client.config.endpoint = resolve_legacy_endpoint(client.config)
+      end
+
+      # set a default endpoint in config using legacy (endpoints.json) resolver
+      def resolve_legacy_endpoint(cfg)
+        endpoint_prefix = cfg.api.metadata['endpointPrefix']
+        if cfg.respond_to?(:sts_regional_endpoints)
+          sts_regional = cfg.sts_regional_endpoints
+        end
+
+        endpoint = Aws::Partitions::EndpointProvider.resolve(
+          cfg.region,
+          endpoint_prefix,
+          sts_regional,
+          {
+            dualstack: cfg.use_dualstack_endpoint,
+            fips: cfg.use_fips_endpoint
+          }
+        )
+        URI(endpoint)
+      end
+
       class << self
         private
 
@@ -150,7 +186,8 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
           # that a custom endpoint has NOT been configured by the user
           cfg.override_config(:regional_endpoint, true)
 
-          resolve_legacy_endpoint(cfg)
+          # a default endpoint is resolved in after_initialize
+          nil
         end
 
         # get a custom configured endpoint from ENV or configuration
@@ -205,24 +242,6 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
             cfg.override_config(:region, new_region)
           end
         end
-
-        # set a default endpoint in config using legacy (endpoints.json) resolver
-        def resolve_legacy_endpoint(cfg)
-          endpoint_prefix = cfg.api.metadata['endpointPrefix']
-          if cfg.respond_to?(:sts_regional_endpoints)
-            sts_regional = cfg.sts_regional_endpoints
-          end
-
-          Aws::Partitions::EndpointProvider.resolve(
-            cfg.region,
-            endpoint_prefix,
-            sts_regional,
-            {
-              dualstack: cfg.use_dualstack_endpoint,
-              fips: cfg.use_fips_endpoint
-            }
-          )
-        end
       end
     end
   end

data/lib/aws-sdk-core/plugins/sign.rb

@@ -13,9 +13,6 @@ module Aws
       option(:sigv4_region)
       option(:unsigned_operations, default: [])
 
-      supported_auth_types = %w[sigv4 bearer sigv4-s3express sigv4a none]
-      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
-
       def add_handlers(handlers, cfg)
         operations = cfg.api.operation_names - cfg.unsigned_operations
         handlers.add(Handler, step: :sign, operations: operations)
@@ -32,7 +29,7 @@ module Aws
           }
           SignatureV4.new(auth_scheme, config, sigv4_overrides)
         when 'bearer'
-          Bearer.new
+          Bearer.new(config)
         else
           NullSigner.new
         end
@@ -50,11 +47,22 @@ module Aws
             )
             signer.sign(context)
           end
-          @handler.call(context)
+          with_metrics(signer) { @handler.call(context) }
         end
 
         private
 
+        def with_metrics(signer, &block)
+          case signer
+          when SignatureV4
+            Aws::Plugins::UserAgent.metric(*signer.credentials.metrics, &block)
+          when Bearer
+            Aws::Plugins::UserAgent.metric(*signer.token_provider.metrics, &block)
+          else
+            block.call
+          end
+        end
+
         def v2_signing?(config)
           # 's3' is legacy signing, 'v4' is default
           config.respond_to?(:signature_version) &&
@@ -64,21 +72,19 @@ module Aws
 
       # @api private
       class Bearer
-        def initialize
+        def initialize(config)
+          @token_provider = config.token_provider
         end
 
+        attr_reader :token_provider
+
         def sign(context)
           if context.http_request.endpoint.scheme != 'https'
-            raise ArgumentError,
-                  'Unable to use bearer authorization on non https endpoint.'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
           end
+          raise Errors::MissingBearerTokenError unless @token_provider && @token_provider.set?
 
-          token_provider = context.config.token_provider
-
-          raise Errors::MissingBearerTokenError unless token_provider&.set?
-
-          context.http_request.headers['Authorization'] =
-            "Bearer #{token_provider.token.token}"
+          context.http_request.headers['Authorization'] = "Bearer #{@token_provider.token.token}"
         end
 
         def presign_url(*args)
@@ -94,12 +100,9 @@ module Aws
       class SignatureV4
         def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
-
           unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
-            raise ArgumentError,
-                  "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
+            raise ArgumentError, "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
           end
-
           region = if scheme_name == 'sigv4a'
                      auth_scheme['signingRegionSet'].join(',')
                    else
@@ -111,15 +114,17 @@ module Aws
               region: sigv4_overrides[:region] || config.sigv4_region || region,
               credentials_provider: sigv4_overrides[:credentials] || config.credentials,
               signing_algorithm: scheme_name.to_sym,
-              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
-              normalize_path: !!!auth_scheme['disableNormalizePath'],
-              unsigned_headers: %w[content-length user-agent x-amzn-trace-id]
+              uri_escape_path: !auth_scheme['disableDoubleEncoding'],
+              normalize_path: !auth_scheme['disableNormalizePath'],
+              unsigned_headers: %w[content-length user-agent x-amzn-trace-id expect transfer-encoding connection]
             )
           rescue Aws::Sigv4::Errors::MissingCredentialsError
             raise Aws::Errors::MissingCredentialsError
           end
         end
 
+        attr_reader :signer
+
         def sign(context)
           req = context.http_request
 
@@ -155,6 +160,10 @@ module Aws
           @signer.sign_event(*args)
         end
 
+        def credentials
+          @signer.credentials_provider
+        end
+
         private
 
         def apply_authtype(context, req)

data/lib/aws-sdk-core/plugins/stub_responses.rb

@@ -29,8 +29,22 @@ requests are made, and retries are disabled.
         end
       end
 
+      option(:token_provider) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('stubbed-token')
+        end
+      end
+
+      option(:stubs) { {} }
+      option(:stubs_mutex) { Mutex.new }
+      option(:api_requests) { [] }
+      option(:api_requests_mutex) { Mutex.new }
+
       def add_handlers(handlers, config)
-        handlers.add(Handler, step: :send) if config.stub_responses
+        return unless config.stub_responses
+
+        handlers.add(ApiRequestsHandler)
+        handlers.add(StubbingHandler, step: :send)
       end
 
       def after_initialize(client)
@@ -46,8 +60,20 @@ requests are made, and retries are disabled.
         end
       end
 
-      class Handler < Seahorse::Client::Handler
+      class ApiRequestsHandler < Seahorse::Client::Handler
+        def call(context)
+          context.config.api_requests_mutex.synchronize do
+            context.config.api_requests << {
+              operation_name: context.operation_name,
+              params: context.params,
+              context: context
+            }
+          end
+          @handler.call(context)
+        end
+      end
 
+      class StubbingHandler < Seahorse::Client::Handler
         def call(context)
           span_wrapper(context) do
             stub_responses(context)
@@ -57,14 +83,10 @@ requests are made, and retries are disabled.
         private
 
         def stub_responses(context)
-          stub = context.client.next_stub(context)
           resp = Seahorse::Client::Response.new(context: context)
           async_mode = context.client.is_a? Seahorse::Client::AsyncBase
-          if Hash === stub && stub[:mutex]
-            stub[:mutex].synchronize { apply_stub(stub, resp, async_mode) }
-          else
-            apply_stub(stub, resp, async_mode)
-          end
+          stub = context.client.next_stub(context)
+          stub[:mutex].synchronize { apply_stub(stub, resp, async_mode) }
 
           if async_mode
             Seahorse::Client::AsyncResponse.new(

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -25,7 +25,37 @@ module Aws
           "ACCOUNT_ID_MODE_DISABLED": "Q",
           "ACCOUNT_ID_MODE_REQUIRED": "R",
           "SIGV4A_SIGNING": "S",
-          "RESOLVED_ACCOUNT_ID": "T"
+          "RESOLVED_ACCOUNT_ID": "T",
+          "FLEXIBLE_CHECKSUMS_REQ_CRC32" : "U",
+          "FLEXIBLE_CHECKSUMS_REQ_CRC32C" : "V",
+          "FLEXIBLE_CHECKSUMS_REQ_CRC64" : "W",
+          "FLEXIBLE_CHECKSUMS_REQ_SHA1" : "X",
+          "FLEXIBLE_CHECKSUMS_REQ_SHA256" : "Y",
+          "FLEXIBLE_CHECKSUMS_REQ_WHEN_SUPPORTED" : "Z",
+          "FLEXIBLE_CHECKSUMS_REQ_WHEN_REQUIRED" : "a",
+          "FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED" : "b",
+          "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c",
+          "DDB_MAPPER": "d",
+          "CREDENTIALS_CODE" : "e",
+          "CREDENTIALS_ENV_VARS" : "g",
+          "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN" : "h",
+          "CREDENTIALS_STS_ASSUME_ROLE" : "i",
+          "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID" : "k",
+          "CREDENTIALS_PROFILE" : "n",
+          "CREDENTIALS_PROFILE_SOURCE_PROFILE" : "o",
+          "CREDENTIALS_PROFILE_NAMED_PROVIDER" : "p",
+          "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN" : "q",
+          "CREDENTIALS_PROFILE_SSO" : "r",
+          "CREDENTIALS_SSO" : "s",
+          "CREDENTIALS_PROFILE_SSO_LEGACY" : "t",
+          "CREDENTIALS_SSO_LEGACY" : "u",
+          "CREDENTIALS_PROFILE_PROCESS" : "v",
+          "CREDENTIALS_PROCESS" : "w",
+          "CREDENTIALS_HTTP" : "z",
+          "CREDENTIALS_IMDS" : "0",
+          "SSO_LOGIN_DEVICE" : "1",
+          "SSO_LOGIN_AUTH" : "2",
+          "BEARER_SERVICE_ENV_VARS": "3"
         }
       METRICS
 
@@ -187,7 +217,8 @@ variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
         end
       end
 
-      handler(Handler, step: :sign, priority: 97)
+      # Priority set to 5 in order to add user agent as late as possible after signing
+      handler(Handler, step: :sign, priority: 5)
     end
   end
 end