Add support for environment token provider for services whose SigV4 signing names are bedrock (#4241)

## Motivation and Context
Adds support for environment token provider for AWS services whose SigV4
service signing name matches `bedrock`. Setting this environment
variable, `AWS_BEARER_TOKEN_BEDROCK`, allows SDKs to prefer the
`httpBearerAuth` auth scheme and to retrieve a `Token` value from the
said environment.

## Description
Customers would use the environment variable in question like so:
```
    // export AWS_BEARER_TOKEN_BEDROCK=my-token

    let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;

    let bedrock_client = aws_sdk_bedrock::Client::new(&sdk_config);
    // call an operation on `bedrock_client`...
```
Under the hood, this is equivalent roughly to
```
    let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;
    let bedrock_config = aws_sdk_bedrock::config::Builder::from(sdk_config)
        .auth_scheme_preference([HTTP_BEARER_AUTH_SCHEME_ID])
        .token_provider(Token::new("my-token", None))
        .build();

    let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
    // call an operation on `bedrock_client`...
```
This behind-the-scenes convenience is implemented in `impl
From<&SdkConfig> for Builder`, similar to how a service-specific
environment is implemented for the [endpoint
URL](https://docs.aws.amazon.com/sdkref/latest/guide/feature-ss-endpoints.html#ss-endpoints-envar).

However, `impl From<&SdkConfig> for Builder` implies that customers need
to create a service client from `SdkConfig` (typically through
[ConfigLoader::load](https://docs.rs/aws-config/latest/aws_config/struct.ConfigLoader.html#method.load))
in order to take advantage of the environment variable. If customers
create the service client directly from the service config builder, the
environment variable will not be applied, i.e.
```
    // export AWS_BEARER_TOKEN_BEDROCK=my-token

    let bedrock_config = aws_sdk_bedrock::Config::builder()
        // other configurations
        .build();

    let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
    // `bedrock_client` neither prefers HTTP_BEARER_AUTH_SCHEME_ID nor sets a Token with my-token.
```

## Testing
- Added integration tests for `bedrockruntime` (whose model is already
checked in to `aws/sdk/aws-models`)

## Checklist
- [x] For changes to the AWS SDK, generated SDK code, or SDK runtime
crates, I have created a changelog entry Markdown file in the
`.changelog` directory, specifying "aws-sdk-rust" in the `applies_to`
key.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

Author: ysaito1001

.changelog/1753975543.md

@@ -0,0 +1,37 @@
+---
+applies_to:
+- aws-sdk-rust
+authors:
+- ysaito1001
+references:
+- smithy-rs#4241
+breaking: false
+new_feature: true
+bug_fix: false
+---
+Add support for environment token provider for AWS services whose SigV4 service signing name matches `bedrock`. Setting this environment variable, `AWS_BEARER_TOKEN_BEDROCK`, allows SDKs to prefer the `httpBearerAuth` auth scheme and to retrieve a Token value from the said environment. Customers would use the environment variable as follows:
+```
+// export AWS_BEARER_TOKEN_BEDROCK=my-token
+let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;
+let bedrock_client = aws_sdk_bedrock::Client::new(&sdk_config);
+// call an operation on `bedrock_client`...
+```
+Under the hood, this is equivalent roughly to
+```
+let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;
+let bedrock_config = aws_sdk_bedrock::config::Builder::from(sdk_config)
+    .auth_scheme_preference([HTTP_BEARER_AUTH_SCHEME_ID])
+    .token_provider(Token::new("my-token", None))
+    .build();
+let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
+// call an operation on `bedrock_client`...
+```
+However, note that if customers create the service client directly from the service config builder, the environment variable will not be applied:
+```
+// export AWS_BEARER_TOKEN_BEDROCK=my-token
+let bedrock_config = aws_sdk_bedrock::Config::builder()
+    // other configurations
+    .build();
+let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
+// `bedrock_client` neither prefers HTTP_BEARER_AUTH_SCHEME_ID nor sets a Token with my-token.
+```

aws/rust-runtime/Cargo.lock

@@ -894,31 +894,13 @@ mod loader {
                 TriStateOption::ExplicitlyUnset => None,
             };
 
-            let token_provider = match self.token_provider {
-                Some(provider) => Some(provider),
-                None => {
-                    #[cfg(feature = "sso")]
-                    {
-                        let mut builder =
-                            crate::default_provider::token::DefaultTokenChain::builder()
-                                .configure(conf.clone());
-                        builder.set_region(region.clone());
-                        Some(SharedTokenProvider::new(builder.build().await))
-                    }
-                    #[cfg(not(feature = "sso"))]
-                    {
-                        None
-                    }
-                }
-            };
-
             let profiles = conf.profile().await;
             let service_config = EnvServiceConfig {
                 env: conf.env(),
                 env_config_sections: profiles.cloned().unwrap_or_default(),
             };
             let mut builder = SdkConfig::builder()
-                .region(region)
+                .region(region.clone())
                 .retry_config(retry_config)
                 .timeout_config(timeout_config)
                 .time_source(time_source)
@@ -950,6 +932,30 @@ mod loader {
                 }
             };
 
+            let token_provider = match self.token_provider {
+                Some(provider) => {
+                    builder.insert_origin("token_provider", Origin::shared_config());
+                    Some(provider)
+                }
+                None => {
+                    #[cfg(feature = "sso")]
+                    {
+                        let mut builder =
+                            crate::default_provider::token::DefaultTokenChain::builder()
+                                .configure(conf.clone());
+                        builder.set_region(region);
+                        Some(SharedTokenProvider::new(builder.build().await))
+                    }
+                    #[cfg(not(feature = "sso"))]
+                    {
+                        None
+                    }
+                    // Not setting `Origin` in this arm, and that's good for now as long as we know
+                    // it's not programmatically set in the shared config.
+                    // We can consider adding `Origin::Default` if needed.
+                }
+            };
+
             builder.set_endpoint_url(endpoint_url);
             builder.set_behavior_version(self.behavior_version);
             builder.set_http_client(self.http_client);
@@ -989,9 +995,12 @@ mod loader {
 
             let auth_scheme_preference =
                 if let Some(auth_scheme_preference) = self.auth_scheme_preference {
+                    builder.insert_origin("auth_scheme_preference", Origin::shared_config());
                     Some(auth_scheme_preference)
                 } else {
                     auth_scheme_preference::auth_scheme_preference_provider(&conf).await
+                    // Not setting `Origin` in this arm, and that's good for now as long as we know
+                    // it's not programmatically set in the shared config.
                 };
 
             builder.set_request_checksum_calculation(request_checksum_calculation);

aws/rust-runtime/aws-config/src/lib.rs

@@ -45,6 +45,8 @@ pub enum AwsCredentialFeature {
     CredentialsHttp,
     /// An operation called using credentials resolved from the instance metadata service (IMDS)
     CredentialsImds,
+    /// An operation called using a Bearer token resolved from service-specific environment variables
+    BearerServiceEnvVars,
 }
 
 impl Storable for AwsCredentialFeature {

aws/rust-runtime/aws-credential-types/src/credential_feature.rs

@@ -14,6 +14,10 @@ use aws_smithy_types::config_bag::{Storable, StoreAppend};
 pub enum AwsSdkFeature {
     /// Indicates that an operation was called by the S3 Transfer Manager
     S3Transfer,
+    /// Calling an SSO-OIDC operation as part of the SSO login flow, when using the OAuth2.0 device code grant
+    SsoLoginDevice,
+    /// Calling an SSO-OIDC operation as part of the SSO login flow, when using the OAuth2.0 authorization code grant
+    SsoLoginAuth,
 }
 
 impl Storable for AwsSdkFeature {

aws/rust-runtime/aws-runtime/src/sdk_feature.rs

@@ -161,7 +161,10 @@ iterable_enum!(
     CredentialsBoto2ConfigFile,
     CredentialsAwsSdkStore,
     CredentialsHttp,
-    CredentialsImds
+    CredentialsImds,
+    SsoLoginDevice,
+    SsoLoginAuth,
+    BearerServiceEnvVars
 );
 
 pub(crate) trait ProvideBusinessMetric {
@@ -214,6 +217,8 @@ impl ProvideBusinessMetric for AwsSdkFeature {
         use AwsSdkFeature::*;
         match self {
             S3Transfer => Some(BusinessMetric::S3Transfer),
+            SsoLoginDevice => Some(BusinessMetric::SsoLoginDevice),
+            SsoLoginAuth => Some(BusinessMetric::SsoLoginAuth),
         }
     }
 }
@@ -248,6 +253,7 @@ impl ProvideBusinessMetric for AwsCredentialFeature {
             CredentialsProcess => Some(BusinessMetric::CredentialsProcess),
             CredentialsHttp => Some(BusinessMetric::CredentialsHttp),
             CredentialsImds => Some(BusinessMetric::CredentialsImds),
+            BearerServiceEnvVars => Some(BusinessMetric::BearerServiceEnvVars),
             otherwise => {
                 // This may occur if a customer upgrades only the `aws-smithy-runtime-api` crate
                 // while continuing to use an outdated version of an SDK crate or the `aws-credential-types`
@@ -336,64 +342,7 @@ mod tests {
 
     #[test]
     fn feature_id_to_metric_value() {
-        const EXPECTED: &str = r#"
-{
-  "RESOURCE_MODEL": "A",
-  "WAITER": "B",
-  "PAGINATOR": "C",
-  "RETRY_MODE_LEGACY": "D",
-  "RETRY_MODE_STANDARD": "E",
-  "RETRY_MODE_ADAPTIVE": "F",
-  "S3_TRANSFER": "G",
-  "S3_CRYPTO_V1N": "H",
-  "S3_CRYPTO_V2": "I",
-  "S3_EXPRESS_BUCKET": "J",
-  "S3_ACCESS_GRANTS": "K",
-  "GZIP_REQUEST_COMPRESSION": "L",
-  "PROTOCOL_RPC_V2_CBOR": "M",
-  "ENDPOINT_OVERRIDE": "N",
-  "ACCOUNT_ID_ENDPOINT": "O",
-  "ACCOUNT_ID_MODE_PREFERRED": "P",
-  "ACCOUNT_ID_MODE_DISABLED": "Q",
-  "ACCOUNT_ID_MODE_REQUIRED": "R",
-  "SIGV4A_SIGNING": "S",
-  "RESOLVED_ACCOUNT_ID": "T",
-  "FLEXIBLE_CHECKSUMS_REQ_CRC32" : "U",
-  "FLEXIBLE_CHECKSUMS_REQ_CRC32C" : "V",
-  "FLEXIBLE_CHECKSUMS_REQ_CRC64" : "W",
-  "FLEXIBLE_CHECKSUMS_REQ_SHA1" : "X",
-  "FLEXIBLE_CHECKSUMS_REQ_SHA256" : "Y",
-  "FLEXIBLE_CHECKSUMS_REQ_WHEN_SUPPORTED" : "Z",
-  "FLEXIBLE_CHECKSUMS_REQ_WHEN_REQUIRED" : "a",
-  "FLEXIBLE_CHECKSUMS_RES_WHEN_SUPPORTED" : "b",
-  "FLEXIBLE_CHECKSUMS_RES_WHEN_REQUIRED" : "c",
-  "DDB_MAPPER" : "d",
-  "CREDENTIALS_CODE" : "e",
-  "CREDENTIALS_JVM_SYSTEM_PROPERTIES" : "f",
-  "CREDENTIALS_ENV_VARS" : "g",
-  "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN" : "h",
-  "CREDENTIALS_STS_ASSUME_ROLE" : "i",
-  "CREDENTIALS_STS_ASSUME_ROLE_SAML" : "j",
-  "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID" : "k",
-  "CREDENTIALS_STS_FEDERATION_TOKEN" : "l",
-  "CREDENTIALS_STS_SESSION_TOKEN" : "m",
-  "CREDENTIALS_PROFILE" : "n",
-  "CREDENTIALS_PROFILE_SOURCE_PROFILE" : "o",
-  "CREDENTIALS_PROFILE_NAMED_PROVIDER" : "p",
-  "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN" : "q",
-  "CREDENTIALS_PROFILE_SSO" : "r",
-  "CREDENTIALS_SSO" : "s",
-  "CREDENTIALS_PROFILE_SSO_LEGACY" : "t",
-  "CREDENTIALS_SSO_LEGACY" : "u",
-  "CREDENTIALS_PROFILE_PROCESS" : "v",
-  "CREDENTIALS_PROCESS" : "w",
-  "CREDENTIALS_BOTO2_CONFIG_FILE" : "x",
-  "CREDENTIALS_AWS_SDK_STORE" : "y",
-  "CREDENTIALS_HTTP" : "z",
-  "CREDENTIALS_IMDS" : "0"
-
-}
-        "#;
+        const EXPECTED: &str = include_str!("test_data/feature_id_to_metric_value.json");
 
         let expected: HashMap<&str, &str> = serde_json::from_str(EXPECTED).unwrap();
         assert_eq!(expected.len(), FEATURE_ID_TO_METRIC_VALUE.len());