smithy-lang · landonxjames · Jul 30, 2025 · Jul 24, 2025 · Jul 27, 2025 · Jul 28, 2025
diff --git a/aws/rust-runtime/Cargo.lock b/aws/rust-runtime/Cargo.lock
diff --git a/aws/rust-runtime/aws-config/Cargo.lock b/aws/rust-runtime/aws-config/Cargo.lock
diff --git a/aws/rust-runtime/aws-config/Cargo.toml b/aws/rust-runtime/aws-config/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "aws-config"
-version = "1.8.3"
+version = "1.8.4"
 authors = [
     "AWS Rust SDK Team <[email protected]>",
     "Russell Cohen <[email protected]>",
@@ -61,8 +61,8 @@ aws-sdk-ssooidc = { path = "../../sdk/build/aws-sdk/sdk/ssooidc", default-featur
 
 [dev-dependencies]
 aws-smithy-async = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-async", features = ["rt-tokio", "test-util"] }
-aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["client", "test-util"] }
 aws-smithy-http-client = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-http-client", features = ["default-client", "test-util"] }
+aws-smithy-runtime = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime", features = ["client", "test-util"] }
 aws-smithy-runtime-api = { path = "../../sdk/build/aws-sdk/sdk/aws-smithy-runtime-api", features = ["test-util"] }
 futures-util = { version = "0.3.29", default-features = false }
 tracing-test = "0.2.4"

diff --git a/aws/rust-runtime/aws-config/external-types.toml b/aws/rust-runtime/aws-config/external-types.toml
@@ -16,9 +16,11 @@ allowed_external_types = [
    "aws_runtime::env_config::section::Profile",
    "aws_smithy_async::rt::sleep::AsyncSleep",
    "aws_smithy_async::time::TimeSource",
+   "aws_smithy_http_client::test_util::replay::StaticReplayClient",
    "aws_smithy_runtime::client::identity::cache::IdentityCache",
    "aws_smithy_runtime::client::identity::cache::lazy::LazyCacheBuilder",
    "aws_smithy_runtime_api::client::auth::AuthSchemePreference",
+   "aws_smithy_runtime_api::client::orchestrator::HttpRequest",
    "aws_smithy_runtime_api::box_error::BoxError",
    "aws_smithy_runtime_api::client::behavior_version::BehaviorVersion",
    "aws_smithy_runtime_api::client::dns::ResolveDns",

diff --git a/aws/rust-runtime/aws-config/src/credential_process.rs b/aws/rust-runtime/aws-config/src/credential_process.rs
@@ -10,6 +10,7 @@
 use crate::json_credentials::{json_parse_loop, InvalidJsonCredentials};
 use crate::sensitive_command::CommandWithSensitiveArgs;
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_smithy_json::deserialize::Token;
@@ -122,14 +123,19 @@ impl CredentialProcessProvider {
             ))
         })?;
 
-        parse_credential_process_json_credentials(output, self.profile_account_id.as_ref()).map_err(
-            |invalid| {
+        parse_credential_process_json_credentials(output, self.profile_account_id.as_ref())
+            .map(|mut creds| {
+                creds
+                    .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+                    .push(AwsCredentialFeature::CredentialsProcess);
+                creds
+            })
+            .map_err(|invalid| {
                 CredentialsError::provider_error(format!(
                 "Error retrieving credentials from external process, could not parse response: {}",
                 invalid
             ))
-            },
-        )
+            })
     }
 }
 
@@ -264,6 +270,7 @@ fn parse_expiration(expiration: impl AsRef<str>) -> Result<SystemTime, InvalidJs
 mod test {
     use crate::credential_process::CredentialProcessProvider;
     use crate::sensitive_command::CommandWithSensitiveArgs;
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::ProvideCredentials;
     use std::time::{Duration, SystemTime};
     use time::format_description::well_known::Rfc3339;
@@ -339,4 +346,19 @@ mod test {
         let creds = provider.provide_credentials().await.unwrap();
         assert_eq!("111122223333", creds.account_id().unwrap().as_str());
     }
+
+    #[tokio::test]
+    async fn credential_feature() {
+        let provider = CredentialProcessProvider::builder()
+            .command(CommandWithSensitiveArgs::new(String::from(
+                r#"echo '{ "Version": 1, "AccessKeyId": "ASIARTESTID", "SecretAccessKey": "TESTSECRETKEY", "AccountId": "111122223333" }'"#,
+            )))
+            .account_id("012345678901")
+            .build();
+        let creds = provider.provide_credentials().await.unwrap();
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsProcess],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
 }
diff --git a/aws/rust-runtime/aws-config/src/environment/credentials.rs b/aws/rust-runtime/aws-config/src/environment/credentials.rs
@@ -6,6 +6,7 @@
 use std::env::VarError;
 
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
 use aws_credential_types::Credentials;
 use aws_types::os_shim_internal::Env;
@@ -58,7 +59,11 @@ impl EnvironmentVariableCredentialsProvider {
             .provider_name(ENV_PROVIDER);
         builder.set_session_token(session_token);
         builder.set_account_id(account_id);
-        Ok(builder.build())
+        let mut creds = builder.build();
+        creds
+            .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+            .push(AwsCredentialFeature::CredentialsEnvVars);
+        Ok(creds)
     }
 }
 
@@ -110,6 +115,7 @@ fn err_if_blank(value: String) -> Result<String, VarError> {
 
 #[cfg(test)]
 mod test {
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::{error::CredentialsError, ProvideCredentials};
     use aws_types::os_shim_internal::Env;
     use futures_util::FutureExt;
@@ -250,6 +256,26 @@ mod test {
         }
     }
 
+    #[test]
+    fn credentials_feature() {
+        let provider = make_provider(&[
+            ("AWS_ACCESS_KEY_ID", "access"),
+            ("AWS_SECRET_ACCESS_KEY", "secret"),
+            ("SECRET_ACCESS_KEY", "secret"),
+            ("AWS_SESSION_TOKEN", "token"),
+        ]);
+
+        let creds = provider
+            .provide_credentials()
+            .now_or_never()
+            .unwrap()
+            .expect("valid credentials");
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsEnvVars],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
+
     #[test]
     fn real_environment() {
         let provider = EnvironmentVariableCredentialsProvider::new();

diff --git a/aws/rust-runtime/aws-config/src/http_credential_provider.rs b/aws/rust-runtime/aws-config/src/http_credential_provider.rs
@@ -11,6 +11,7 @@
 use crate::json_credentials::{parse_json_credentials, JsonCredentials, RefreshableCredentials};
 use crate::provider_config::ProviderConfig;
 use aws_credential_types::attributes::AccountId;
+use aws_credential_types::credential_feature::AwsCredentialFeature;
 use aws_credential_types::provider::{self, error::CredentialsError};
 use aws_credential_types::Credentials;
 use aws_smithy_runtime::client::metrics::MetricsRuntimePlugin;
@@ -54,7 +55,16 @@ impl HttpCredentialProvider {
     }
 
     pub(crate) async fn credentials(&self, auth: Option<HeaderValue>) -> provider::Result {
-        let credentials = self.operation.invoke(HttpProviderAuth { auth }).await;
+        let credentials =
+            self.operation
+                .invoke(HttpProviderAuth { auth })
+                .await
+                .map(|mut creds| {
+                    creds
+                        .get_property_mut_or_default::<Vec<AwsCredentialFeature>>()
+                        .push(AwsCredentialFeature::CredentialsHttp);
+                    creds
+                });
         match credentials {
             Ok(creds) => Ok(creds),
             Err(SdkError::ServiceError(context)) => Err(context.into_err()),
@@ -233,6 +243,7 @@ impl ClassifyRetry for HttpCredentialRetryClassifier {
 #[cfg(test)]
 mod test {
     use super::*;
+    use aws_credential_types::credential_feature::AwsCredentialFeature;
     use aws_credential_types::provider::error::CredentialsError;
     use aws_smithy_http_client::test_util::{ReplayEvent, StaticReplayClient};
     use aws_smithy_types::body::SdkBody;
@@ -346,4 +357,14 @@ mod test {
         );
         http_client.assert_requests_match(&[]);
     }
+
+    #[tokio::test]
+    async fn credentials_feature() {
+        let http_client = StaticReplayClient::new(vec![successful_req_resp()]);
+        let creds = provide_creds(http_client.clone()).await.expect("success");
+        assert_eq!(
+            &vec![AwsCredentialFeature::CredentialsHttp],
+            creds.get_property::<Vec<AwsCredentialFeature>>().unwrap()
+        );
+    }
 }