Merge feature/credential-features branch to main (#4240)

## Motivation and Context
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here -->
Merging the feature branch containing work from the below two PRs:
* #4238
* #4224


## Checklist
<!--- If a checkbox below is not applicable, then please DELETE it
rather than leaving it unchecked -->
- [x] For changes to the AWS SDK, generated SDK code, or SDK runtime
crates, I have created a changelog entry Markdown file in the
`.changelog` directory, specifying "aws-sdk-rust" in the `applies_to`
key.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

---------

Co-authored-by: AWS SDK Rust Bot <[email protected]>

Author: landonxjames

.changelog/credential-features.md

@@ -0,0 +1,12 @@
+---
+applies_to:
+  - aws-sdk-rust
+authors:
+  - landonxjames
+references:
+  - smithy-rs#4238
+breaking: false
+new_feature: true
+bug_fix: false
+---
+Add user-agent feature tracking for credential providers in `aws-config`.

aws/rust-runtime/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "aws-config"
-version = "1.8.3"
+version = "1.8.4"
 authors = [
     "AWS Rust SDK Team <[email protected]>",
     "Russell Cohen <[email protected]>",
@@ -61,8 +61,8 @@ aws-sdk-ssooidc = { path = "../../sdk/build/aws-sdk/sdk/ssooidc", default-featur
 
 [dev-dependencies]
 aws-smithy-async = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-async", features = ["rt-tokio", "test-util"] }
-aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["client", "test-util"] }
 aws-smithy-http-client = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-http-client", features = ["default-client", "test-util"] }
+aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["client", "test-util"] }
 aws-smithy-runtime-api = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime-api", features = ["test-util"] }
 futures-util = { version = "0.3.29", default-features = false }
 tracing-test = "0.2.4"

aws/rust-runtime/aws-config/Cargo.lock

@@ -10,6 +10,7 @@
 use crate::json_credentials::{json_parse_loop, InvalidJsonCredentials};
 use crate::sensitive_command::CommandWithSensitiveArgs;
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_json::deserialize::Token;
@@ -122,14 +123,19 @@ impl CredentialProcessProvider {
             ))
         })?;
 
-        parse_credential_process_json_credentials(output, self.profile_account_id.as_ref()).map_err(
-            |invalid| {
+        parse_credential_process_json_credentials(output, self.profile_account_id.as_ref())
+            .map(|mut creds| {
+                creds
+                    .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+                    .push(AwsCredentialFeature::CredentialsProcess);
+                creds
+            })
+            .map_err(|invalid| {
                 CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process, could not parse response: {}",
                 invalid
             ))
-            },
-        )
+            })
     }
 }
 
@@ -264,6 +270,7 @@ fn parse_expiration(expiration: impl AsRef<str>) -> Result<SystemTime, InvalidJs
 mod test {
     use crate::credential_process::CredentialProcessProvider;
     use crate::sensitive_command::CommandWithSensitiveArgs;
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use std::time::{Duration, SystemTime};
     use time::format_description::well_known::Rfc3339;
@@ -339,4 +346,19 @@ mod test {
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("111122223333", creds.account_id().unwrap().as_str());
     }
+
+    #[tokio::test]
+    async fn credential_feature() {
+        let provider = CredentialProcessProvider::builder()
+            .command(CommandWithSensitiveArgs::new(String::from(
+                r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
+            )))
+            .account_id("012345678901")
+            .build();
+        let creds = provider.provide_credentials().await.unwrap();
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsProcess],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
 }

aws/rust-runtime/aws-config/Cargo.toml

@@ -6,6 +6,7 @@
 use std::env::VarError;
 
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_types::os_shim_internal::Env;
@@ -58,7 +59,11 @@ impl EnvironmentVariableCredentialsProvider {
             .provider_name(ENV_PROVIDER);
         builder.set_session_token(session_token);
         builder.set_account_id(account_id);
-        Ok(builder.build())
+        let mut creds = builder.build();
+        creds
+            .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+            .push(AwsCredentialFeature::CredentialsEnvVars);
+        Ok(creds)
     }
 }
 
@@ -110,6 +115,7 @@ fn err_if_blank(value: String) -> Result<String, VarError> {
 
 #[cfg(test)]
 mod test {
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::{error::CredentialsError, ProvideCredentials};
     use aws_types::os_shim_internal::Env;
     use futures_util::FutureExt;
@@ -250,6 +256,26 @@ mod test {
         }
     }
 
+    #[test]
+    fn credentials_feature() {
+        let provider = make_provider(&[
+            ("AWS_ACCESS_KEY_ID", "access"),
+            ("AWS_SECRET_ACCESS_KEY", "secret"),
+            ("SECRET_ACCESS_KEY", "secret"),
+            ("AWS_SESSION_TOKEN", "token"),
+        ]);
+
+        let creds = provider
+            .provide_credentials()
+            .now_or_never()
+            .unwrap()
+            .expect("valid credentials");
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsEnvVars],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
+
     #[test]
     fn real_environment() {
         let provider = EnvironmentVariableCredentialsProvider::new();

aws/rust-runtime/aws-config/src/credential_process.rs

@@ -11,6 +11,7 @@
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError};
 use aws_credential_types::Credentials;
 use aws_smithy_runtime::client::metrics::MetricsRuntimePlugin;
@@ -54,7 +55,16 @@ impl HttpCredentialProvider {
     }
 
     pub(crate) async fn credentials(&self, auth: Option<HeaderValue>) -> provider::Result {
-        let credentials = self.operation.invoke(HttpProviderAuth { auth }).await;
+        let credentials =
+            self.operation
+                .invoke(HttpProviderAuth { auth })
+                .await
+                .map(|mut creds| {
+                    creds
+                        .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+                        .push(AwsCredentialFeature::CredentialsHttp);
+                    creds
+                });
         match credentials {
             Ok(creds) => Ok(creds),
             Err(SdkError::ServiceError(context)) => Err(context.into_err()),
@@ -233,6 +243,7 @@ impl ClassifyRetry for HttpCredentialRetryClassifier {
 #[cfg(test)]
 mod test {
     use super::*;
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::error::CredentialsError;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
@@ -346,4 +357,14 @@ mod test {
         );
         http_client.assert_requests_match(&[]);
     }
+
+    #[tokio::test]
+    async fn credentials_feature() {
+        let http_client = StaticReplayClient::new(vec![successful_req_resp()]);
+        let creds = provide_creds(http_client.clone()).await.expect("success");
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsHttp],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
 }

aws/rust-runtime/aws-config/src/environment/credentials.rs

@@ -652,9 +652,8 @@ pub(crate) mod test {
     use aws_smithy_runtime_api::client::interceptors::context::{
         Input, InterceptorContext, Output,
     };
-    use aws_smithy_runtime_api::client::orchestrator::{
-        HttpRequest, HttpResponse, OrchestratorError,
-    };
+    use aws_smithy_runtime_api::client::orchestrator::OrchestratorError;
+    use aws_smithy_runtime_api::client::orchestrator::{HttpRequest, HttpResponse};
     use aws_smithy_runtime_api::client::result::ConnectorError;
     use aws_smithy_runtime_api::client::retries::classifiers::{
         ClassifyRetry, RetryAction, SharedRetryClassifier,
@@ -690,6 +689,7 @@ pub(crate) mod test {
     const TOKEN_A: &str = "AQAEAFTNrA4eEGx0AQgJ1arIq_Cc-t4tWt3fB0Hd8RKhXlKc5ccvhg==";
     const TOKEN_B: &str = "alternatetoken==";
 
+    /// Create a simple token request
     pub(crate) fn token_request(base: &str, ttl: u32) -> HttpRequest {
         http::Request::builder()
             .uri(format!("{}/latest/api/token", base))
@@ -701,6 +701,7 @@ pub(crate) mod test {
             .unwrap()
     }
 
+    /// Create a simple token response
     pub(crate) fn token_response(ttl: u32, token: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
@@ -712,6 +713,7 @@ pub(crate) mod test {
         .unwrap()
     }
 
+    /// Create a simple IMDS request
     pub(crate) fn imds_request(path: &'static str, token: &str) -> HttpRequest {
         http::Request::builder()
             .uri(Uri::from_static(path))
@@ -723,6 +725,7 @@ pub(crate) mod test {
             .unwrap()
     }
 
+    /// Create a simple IMDS response
     pub(crate) fn imds_response(body: &'static str) -> HttpResponse {
         HttpResponse::try_from(
             http::Response::builder()
@@ -733,6 +736,7 @@ pub(crate) mod test {
         .unwrap()
     }
 
+    /// Create an IMDS client with an underlying [StaticReplayClient]
     pub(crate) fn make_imds_client(http_client: &StaticReplayClient) -> super::Client {
         tokio::time::pause();
         super::Client::builder()