Skip to content

Add Business Metrics for Credential Providers #6443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 29, 2025
Merged

Add Business Metrics for Credential Providers #6443

merged 10 commits into from
Sep 29, 2025

Conversation

S-Saranya1
Copy link
Contributor

@S-Saranya1 S-Saranya1 commented Sep 24, 2025
edited
Loading

Adds business metric tracking for credentials.

Motivation and Context

Keeping track of how users are providing credentials to SDKs and which credentials providers are being used is useful. This implementation adds automatic tracking of all 21 credential provider types through User-Agent headers, replacing the legacy cfg/auth-source format with a standardized business metrics system that provides complete visibility into authentication patterns and credential provider chains across AWS applications.

Modifications

This PR adds business metrics support to all these credentials providers:

CREDENTIALS_HTTP(z) - ContainerCredentialsProvider
CREDENTIALS_ENV_VARS(g) - EnvironmentVariableCredentialsProvider
CREDENTIALS_IMDS (0) - InstanceProfileCredentialsProvider
CREDENTIALS_PROCESS(w) - ProcessCredentialsProvider
CREDENTIALS_CODE(e) - Base credentials identifier
CREDENTIALS_JVM_SYSTEM_PROPERTIES (f) - SystemPropertyCredentialsProvider
CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN(h) - WebIdentityTokenFileCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE("i") - StsAssumeRoleCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_SAML("j") - StsAssumeRoleWithSamlCredentialsProvider
CREDENTIALS_STS_ASSUME_ROLE_WEB_ID("k") - StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_STS_FEDERATION_TOKEN("l") - StsGetFederationTokenCredentialsProvider
CREDENTIALS_STS_SESSION_TOKEN("m") - StsGetSessionTokenCredentialsProvider
CREDENTIALS_PROFILE("n")- ProfileCredentialsProvider
CREDENTIALS_PROFILE_SOURCE_PROFILE("o") - ProfileCredentialsProvider + other providers
CREDENTIALS_PROFILE_NAMED_PROVIDER("p") - ProfileCredentialsProvider + InstanceProfile or ContainerCredentialsProvider
CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN("q") - ProfileCredentialsProvider + StsAssumeRoleWithWebIdentityCredentialsProvider
CREDENTIALS_SSO("s") - SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO("r") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_SSO_LEGACY("t") - ProfileCredentialsProvider + SsoCredentialsProvider
CREDENTIALS_PROFILE_PROCESS("v") - ProfileCredentialsProvider + ProcessCredentialsProvider

Key Changes:

  • Added 20 feature IDs for credential provider tracking in BusinessMetricFeatureId.java
  • Implemented business metrics emission in all credential providers across the SDK
  • Introduces a new public API param source on some builders for credential providers to link more than one metrics value together
  • Replaced legacy cfg/auth-source#stat format with standardized business metrics (e.g., m/D,k,h)
  • Modified ApplyUserAgentStage.java to emit business metrics instead of cfg/auth-source, updated User-Agent headers to include credential provider chain information
  • Changed providerName() methods to return business metric codes instead of class names

Testing

  • Added functional tests for most credential providers to verify business metrics emission.
  • Couldn't perform unit tests for these credential provider combinations
    (CREDENTIALS_PROFILE_SOURCE_PROFILE, CREDENTIALS_PROFILE_NAMED_PROVIDER, CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN, CREDENTIALS_SSO, CREDENTIALS_PROFILE_SSO, CREDENTIALS_PROFILE_SSO_LEGACY) , so performed one-off integration tests for these scenarios instead.
  • Performed integration tests for source propagation scenarios including credential provider chains like o,n,i (Profile → Source Profile → Assume Role) and p,0,i (Profile → Instance Profile → Assume Role).

Screenshots (if appropriate)

Integ test wirelogs-
p,0,i (Profile → Instance Profile → Assume Role).
image
o,n,i (Profile → Source Profile → Assume Role)
image
r,s(Profile - SSO)
image
q,k (profile - WebIdentityToken)
image

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@S-Saranya1
Feature ID implementation for S3 Express Bucket (#6409)
f8000dd 
* Feature ID implementation for S3 Express Bucket

* Address PR feedback

* Fixing checkstyles
@S-Saranya1
Feature IDs implementation for credentials (#6415)
8141a30 
* Feature IDs implementation for credentials

* Fixing test failure

* Adding unit tests
@S-Saranya1
Add business metrics support for STS, SSO and Profile credential prov…
36324ae 
…iders (#6426)

* Feature IDs implementation for STS credentials

* Add business metric for SSO Creds

* Address PR feedback

* Adding missed test files

* Additional changes

* Fixing checkstyle

* Address PR feedback

* Additional Changes:
Address PR feedback
Adding Unit tests
Apply PR feedback to previous PR

* Fixing sonarqube issues and test failures

* Adding region dependency in auth-tests
@S-Saranya1 S-Saranya1 requested a review from a team as a code owner September 24, 2025 22:54
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
79.2% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@S-Saranya1 S-Saranya1 mentioned this pull request Sep 26, 2025
Open
@S-Saranya1 S-Saranya1 added the no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required label Sep 26, 2025
@S-Saranya1 S-Saranya1 added this pull request to the merge queue Sep 29, 2025
Merged via the queue into master with commit 19720d9 Sep 29, 2025
39 of 41 checks passed
@github-actions GitHub Actions
Copy link

This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 29, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@L-Applin L-Applin L-Applin approved these changes

Assignees
No one assigned
Labels
no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@S-Saranya1 @L-Applin