aws-sdk-core 3.222.1 → 3.222.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60d14e86ef70bbaf2d67ef1e0b4eae11af4deb68b18bdab4137666397fb21baa
-  data.tar.gz: 7a03b144af8e9ce4ebc7c91b4be1f6a582e5b5905b6a2b57a3574e85430268a2
+  metadata.gz: f3ac3e91203df90508403c590586d006a456980b925d1f3b45ac39f5ab807ad3
+  data.tar.gz: 5ac691c82cc34033495e1acb648e5fb98362b9f8b814c05ceb154e9533313a4b
 SHA512:
-  metadata.gz: 34361a1c8fb1e2b92b19f50ef29c9ffd5ab4cd067032a0412ff352c660ea24f97fe92a635038e91dc16eacf05647af6884120154ab0ead29442f8bc5f52b2c9c
-  data.tar.gz: 65a11e4900fda955ec95162dbbba0dc0ef29f4007d2067f5351f6da992ef8e7636735e696d175fb6187352a681713390bd4f37ea7182f4ceda61da7f785240b9
+  metadata.gz: a3cf479d00b658644362745e1534b022e8bcc572c672addea625af06c8e30222dfc8c22def2cf506920386592bc96c323ede30f6daba28c04635021dd54fe304
+  data.tar.gz: cf05a4850b23d5a8b713f3cd20a17b1c984f6f094bb6cabcb2006721f8718fe8c3260074e06760b63e1e21f4a1124ee74fd921add8d19acaa5c558abb84dd955

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+3.222.2 (2025-04-16)
+------------------
+
+* Issue - Additional metrics collection for credentials in the User-Agent plugin.
+
 3.222.1 (2025-03-28)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.222.1
+3.222.2

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -50,6 +50,7 @@ module Aws
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
       @async_refresh = true
+      @metrics = ['CREDENTIALS_STS_ASSUME_ROLE']
       super
     end
 

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -61,6 +61,7 @@ module Aws
         @assume_role_web_identity_params[:role_session_name] = _session_name
       end
       @client = client_opts[:client] || STS::Client.new(client_opts.merge(credentials: nil))
+      @metrics = ['CREDENTIALS_STS_ASSUME_ROLE_WEB_ID']
       super
     end
 

data/lib/aws-sdk-core/credential_provider.rb

@@ -9,6 +9,10 @@ module Aws
     # @return [Time]
     attr_reader :expiration
 
+    # @api private
+    # Returns UserAgent metrics for credentials.
+    attr_accessor :metrics
+
     # @return [Boolean]
     def set?
       !!@credentials && @credentials.set?

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -42,12 +42,14 @@ module Aws
 
     def static_credentials(options)
       if options[:config]
-        Credentials.new(
+        creds = Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
           options[:config].session_token,
           account_id: options[:config].account_id
         )
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     end
 
@@ -76,7 +78,9 @@ module Aws
 
     def static_profile_credentials(options)
       if options[:config] && options[:config].profile
-        SharedCredentials.new(profile_name: options[:config].profile)
+        creds = SharedCredentials.new(profile_name: options[:config].profile)
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -85,7 +89,11 @@ module Aws
     def static_profile_process_credentials(options)
       if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
         process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -96,12 +104,14 @@ module Aws
       secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
       token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
       account_id = %w[AWS_ACCOUNT_ID]
-      Credentials.new(
+      creds = Credentials.new(
         envar(key),
         envar(secret),
         envar(token),
         account_id: envar(account_id)
       )
+      creds.metrics = ['CREDENTIALS_ENV_VARS']
+      creds
     end
 
     def envar(keys)
@@ -117,7 +127,9 @@ module Aws
 
     def shared_credentials(options)
       profile_name = determine_profile_name(options)
-      SharedCredentials.new(profile_name: profile_name)
+      creds = SharedCredentials.new(profile_name: profile_name)
+      creds.metrics = ['CREDENTIALS_PROFILE']
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -126,7 +138,11 @@ module Aws
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?
         process_provider = Aws.shared_config.credential_process(profile: profile_name)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -156,7 +172,11 @@ module Aws
           role_session_name: ENV['AWS_ROLE_SESSION_NAME']
         }
         cfg[:region] = region if region
-        AssumeRoleWebIdentityCredentials.new(cfg)
+        Aws::Plugins::UserAgent.metric('CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN') do
+          creds = AssumeRoleWebIdentityCredentials.new(cfg)
+          creds.metrics << 'CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN'
+          creds
+        end
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(

data/lib/aws-sdk-core/credentials.rb

@@ -14,6 +14,7 @@ module Aws
       @secret_access_key = secret_access_key
       @session_token = session_token
       @account_id = kwargs[:account_id]
+      @metrics = ['CREDENTIALS_CODE']
     end
 
     # @return [String]
@@ -28,6 +29,11 @@ module Aws
     # @return [String, nil]
     attr_reader :account_id
 
+    # @api private
+    # Returns the credentials source. Used for tracking credentials
+    # related UserAgent metrics.
+    attr_accessor :metrics
+
     # @return [Credentials]
     def credentials
       self

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -77,6 +77,7 @@ module Aws
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
       @async_refresh = false
+      @metrics = ['CREDENTIALS_HTTP']
       super
     end
 

data/lib/aws-sdk-core/errors.rb

@@ -68,7 +68,7 @@ module Aws
       end
     end
 
-    # Rasied when endpoint discovery failed for operations
+    # Raised when endpoint discovery failed for operations
     # that requires endpoints from endpoint discovery
     class EndpointDiscoveryError < RuntimeError
       def initialize(*args)
@@ -78,7 +78,7 @@ module Aws
       end
     end
 
-    # raised when hostLabel member is not provided
+    # Raised when hostLabel member is not provided
     # at operation input when endpoint trait is available
     # with 'hostPrefix' requirement
     class MissingEndpointHostLabelValue < RuntimeError

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -90,6 +90,7 @@ module Aws
       @token = nil
       @no_refresh_until = nil
       @async_refresh = false
+      @metrics = ['CREDENTIALS_IMDS']
       super
     end
 

data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb

@@ -180,7 +180,6 @@ all generated client side metrics. Defaults to an empty string.
             complete_opts = {
               latency: end_time - start_time,
               attempt_count: context.retries + 1,
-              user_agent: context.http_request.headers["user-agent"],
               final_error_retryable: final_error_retryable,
               final_http_status_code: context.http_response.status_code,
               final_aws_exception: final_aws_exception,

data/lib/aws-sdk-core/plugins/sign.rb

@@ -41,6 +41,7 @@ module Aws
       class Handler < Seahorse::Client::Handler
         def call(context)
           # Skip signing if using sigv2 signing from s3_signer in S3
+          credentials = nil
           unless v2_signing?(context.config)
             signer = Sign.signer_for(
               context[:auth_scheme],
@@ -48,13 +49,20 @@ module Aws
               context[:sigv4_region],
               context[:sigv4_credentials]
             )
+            credentials = signer.credentials if signer.is_a?(SignatureV4)
             signer.sign(context)
           end
-          @handler.call(context)
+          with_metrics(credentials) { @handler.call(context) }
         end
 
         private
 
+        def with_metrics(credentials, &block)
+          return block.call unless credentials&.respond_to?(:metrics)
+
+          Aws::Plugins::UserAgent.metric(*credentials.metrics, &block)
+        end
+
         def v2_signing?(config)
           # 's3' is legacy signing, 'v4' is default
           config.respond_to?(:signature_version) &&
@@ -92,6 +100,8 @@ module Aws
 
       # @api private
       class SignatureV4
+        attr_reader :signer
+
         def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
 
@@ -155,6 +165,10 @@ module Aws
           @signer.sign_event(*args)
         end
 
+        def credentials
+          @signer.credentials_provider
+        end
+
         private
 
         def apply_authtype(context, req)

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -34,7 +34,27 @@ module Aws
           "FLEXIBLE_CHECKSUMS_REQ_WHEN_SUPPORTED" : "Z",
           "FLEXIBLE_CHECKSUMS_REQ_WHEN_REQUIRED" : "a",
           "FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED" : "b",
-          "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c"
+          "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c",
+          "DDB_MAPPER": "d",
+          "CREDENTIALS_CODE" : "e",
+          "CREDENTIALS_ENV_VARS" : "g",
+          "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN" : "h",
+          "CREDENTIALS_STS_ASSUME_ROLE" : "i",
+          "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID" : "k",
+          "CREDENTIALS_PROFILE" : "n",
+          "CREDENTIALS_PROFILE_SOURCE_PROFILE" : "o",
+          "CREDENTIALS_PROFILE_NAMED_PROVIDER" : "p",
+          "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN" : "q",
+          "CREDENTIALS_PROFILE_SSO" : "r",
+          "CREDENTIALS_SSO" : "s",
+          "CREDENTIALS_PROFILE_SSO_LEGACY" : "t",
+          "CREDENTIALS_SSO_LEGACY" : "u",
+          "CREDENTIALS_PROFILE_PROCESS" : "v",
+          "CREDENTIALS_PROCESS" : "w",
+          "CREDENTIALS_HTTP" : "z",
+          "CREDENTIALS_IMDS" : "0",
+          "SSO_LOGIN_DEVICE" : "1",
+          "SSO_LOGIN_AUTH" : "2"
         }
       METRICS
 
@@ -196,7 +216,8 @@ variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
         end
       end
 
-      handler(Handler, step: :sign, priority: 97)
+      # Priority set to 5 in order to add user agent as late as possible after signing
+      handler(Handler, step: :sign, priority: 5)
     end
   end
 end

data/lib/aws-sdk-core/process_credentials.rb

@@ -36,7 +36,7 @@ module Aws
       @process = process
       @credentials = credentials_from_process
       @async_refresh = false
-
+      @metrics = ['CREDENTIALS_PROCESS']
       super
     end
 

data/lib/aws-sdk-core/shared_config.rb

@@ -138,7 +138,11 @@ module Aws
             role_session_name: entry['role_session_name']
           }
           cfg[:region] = opts[:region] if opts[:region]
-          AssumeRoleWebIdentityCredentials.new(cfg)
+          with_metrics('CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN') do
+            creds = AssumeRoleWebIdentityCredentials.new(cfg)
+            creds.metrics << 'CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN'
+            creds
+          end
         end
       end
     end
@@ -255,8 +259,8 @@ module Aws
             'provide only source_profile or credential_source, not both.'
         elsif opts[:source_profile]
           opts[:visited_profiles] ||= Set.new
-          opts[:credentials] = resolve_source_profile(opts[:source_profile], opts)
-          if opts[:credentials]
+          provider = resolve_source_profile(opts[:source_profile], opts)
+          if provider && (opts[:credentials] = provider.credentials)
             opts[:role_session_name] ||= prof_cfg['role_session_name']
             opts[:role_session_name] ||= 'default_session'
             opts[:role_arn] ||= prof_cfg['role_arn']
@@ -265,17 +269,28 @@ module Aws
             opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts[:profile] = opts.delete(:source_profile)
             opts.delete(:visited_profiles)
-            AssumeRoleCredentials.new(opts)
+
+            metrics = provider.metrics
+            if provider.is_a?(AssumeRoleCredentials)
+              opts[:credentials] = provider
+              metrics.delete('CREDENTIALS_STS_ASSUME_ROLE')
+            else
+              metrics << 'CREDENTIALS_PROFILE_SOURCE_PROFILE'
+            end
+            # Set the original credentials metrics to [] to prevent duplicate metrics during sign plugin
+            opts[:credentials].metrics = []
+            with_metrics(metrics) do
+              creds = AssumeRoleCredentials.new(opts)
+              creds.metrics.push(*metrics)
+              creds
+            end
           else
             raise Errors::NoSourceProfileError,
               "Profile #{profile} has a role_arn, and source_profile, but the"\
               ' source_profile does not have credentials.'
           end
         elsif credential_source
-          opts[:credentials] = credentials_from_source(
-            credential_source,
-            chain_config
-          )
+          opts[:credentials] = credentials_from_source(credential_source, chain_config)
           if opts[:credentials]
             opts[:role_session_name] ||= prof_cfg['role_session_name']
             opts[:role_session_name] ||= 'default_session'
@@ -284,7 +299,16 @@ module Aws
             opts[:external_id] ||= prof_cfg['external_id']
             opts[:serial_number] ||= prof_cfg['mfa_serial']
             opts.delete(:source_profile) # Cleanup
-            AssumeRoleCredentials.new(opts)
+
+            metrics = opts[:credentials].metrics
+            metrics << 'CREDENTIALS_PROFILE_NAMED_PROVIDER'
+            # Set the original credentials metrics to [] to prevent duplicate metrics during sign plugin
+            opts[:credentials].metrics = []
+            with_metrics(metrics) do
+              creds = AssumeRoleCredentials.new(opts)
+              creds.metrics.push(*metrics)
+              creds
+            end
           else
             raise Errors::NoSourceCredentials,
               "Profile #{profile} could not get source credentials from"\
@@ -312,12 +336,24 @@ module Aws
       elsif profile_config && profile_config['source_profile']
         opts.delete(:source_profile)
         assume_role_credentials_from_config(opts.merge(profile: profile))
-      elsif (provider = assume_role_web_identity_credentials_from_config(opts.merge(profile: profile)))
-        provider.credentials if provider.credentials.set?
+      elsif (provider = assume_role_web_identity_credentials_from_config_with_metrics(opts.merge(profile: profile)))
+        provider if provider.credentials.set?
       elsif (provider = assume_role_process_credentials_from_config(profile))
-        provider.credentials if provider.credentials.set?
-      elsif (provider = sso_credentials_from_config(profile: profile))
-        provider.credentials if provider.credentials.set?
+        provider if provider.credentials.set?
+      elsif (provider = sso_credentials_from_config_with_metrics(profile))
+        provider if provider.credentials.set?
+      end
+    end
+
+    def assume_role_web_identity_credentials_from_config_with_metrics(opts)
+      with_metrics('CREDENTIALS_PROFILE_SOURCE_PROFILE') do
+        assume_role_web_identity_credentials_from_config(opts)
+      end
+    end
+
+    def sso_credentials_from_config_with_metrics(profile)
+      with_metrics('CREDENTIALS_PROFILE_SOURCE_PROFILE') do
+        sso_credentials_from_config(profile: profile)
       end
     end
 
@@ -342,7 +378,11 @@ module Aws
       if @parsed_config
         credential_process ||= @parsed_config.fetch(profile, {})['credential_process']
       end
-      ProcessCredentials.new([credential_process]) if credential_process
+      if credential_process
+        creds = ProcessCredentials.new([credential_process])
+        creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+        creds
+      end
     end
 
     def credentials_from_shared(profile, _opts)
@@ -386,13 +426,18 @@ module Aws
           sso_start_url = prof_config['sso_start_url']
         end
 
-        SSOCredentials.new(
-          sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name'],
-          sso_session: prof_config['sso_session'],
-          sso_region: sso_region,
-          sso_start_url: sso_start_url
+        metric = prof_config['sso_session'] ? 'CREDENTIALS_PROFILE_SSO' : 'CREDENTIALS_PROFILE_SSO_LEGACY'
+        with_metrics(metric) do
+          creds = SSOCredentials.new(
+            sso_account_id: prof_config['sso_account_id'],
+            sso_role_name: prof_config['sso_role_name'],
+            sso_session: prof_config['sso_session'],
+            sso_region: sso_region,
+            sso_start_url: sso_start_url
           )
+          creds.metrics << metric
+          creds
+        end
       end
     end
 
@@ -420,6 +465,7 @@ module Aws
         prof_config['aws_session_token'],
         account_id: prof_config['aws_account_id']
       )
+      creds.metrics = ['CREDENTIALS_PROFILE']
       creds if creds.set?
     end
 
@@ -480,5 +526,9 @@ module Aws
 
       sso_session
     end
+
+    def with_metrics(metrics, &block)
+      Aws::Plugins::UserAgent.metric(*metrics, &block)
+    end
   end
 end

data/lib/aws-sdk-core/shared_credentials.rb

@@ -40,6 +40,7 @@ module Aws
         )
         @credentials = config.credentials(profile: @profile_name)
       end
+      @metrics = ['CREDENTIALS_CODE']
     end
 
     # @return [String]

data/lib/aws-sdk-core/sso_credentials.rb

@@ -91,6 +91,7 @@ module Aws
           client_opts[:credentials] = nil
           @client = Aws::SSO::Client.new(client_opts)
         end
+        @metrics = ['CREDENTIALS_SSO']
       else # legacy behavior
         missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
         unless missing_keys.empty?
@@ -111,6 +112,7 @@ module Aws
         client_opts[:credentials] = nil
 
         @client = options[:client] || Aws::SSO::Client.new(client_opts)
+        @metrics = ['CREDENTIALS_SSO_LEGACY']
       end
 
       @async_refresh = true

data/lib/aws-sdk-sso/client.rb

@@ -692,7 +692,7 @@ module Aws::SSO
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.222.1'
+      context[:gem_version] = '3.222.2'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -56,7 +56,7 @@ module Aws::SSO
   autoload :EndpointProvider, 'aws-sdk-sso/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sso/endpoints'
 
-  GEM_VERSION = '3.222.1'
+  GEM_VERSION = '3.222.2'
 
 end
 

data/lib/aws-sdk-ssooidc/client.rb

@@ -1062,7 +1062,7 @@ module Aws::SSOOIDC
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.222.1'
+      context[:gem_version] = '3.222.2'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc.rb

@@ -56,7 +56,7 @@ module Aws::SSOOIDC
   autoload :EndpointProvider, 'aws-sdk-ssooidc/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-ssooidc/endpoints'
 
-  GEM_VERSION = '3.222.1'
+  GEM_VERSION = '3.222.2'
 
 end
 

data/lib/aws-sdk-sts/client.rb

@@ -2595,7 +2595,7 @@ module Aws::STS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.222.1'
+      context[:gem_version] = '3.222.2'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts.rb

@@ -56,7 +56,7 @@ module Aws::STS
   autoload :EndpointProvider, 'aws-sdk-sts/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sts/endpoints'
 
-  GEM_VERSION = '3.222.1'
+  GEM_VERSION = '3.222.2'
 
 end
 

data/lib/seahorse/client/networking_error.rb

@@ -39,7 +39,7 @@ module Seahorse
 
     end
 
-    # Rasied when trying to use an closed connection
+    # Raised when trying to use an closed connection
     class Http2ConnectionClosedError < StandardError; end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.222.1
+  version: 3.222.2
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-28 00:00:00.000000000 Z
+date: 2025-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream