misc: credentials business metrics

aws-runtime/aws-config/api/aws-config.api

@@ -98,8 +98,8 @@ public final class aws/sdk/kotlin/runtime/auth/credentials/InvalidSsoTokenExcept
 }
 
 public final class aws/sdk/kotlin/runtime/auth/credentials/LazilyInitializedCredentialsProvider : aws/smithy/kotlin/runtime/auth/awscredentials/CredentialsProvider {
-	public fun <init> (Ljava/lang/String;Lkotlin/jvm/functions/Function0;)V
-	public synthetic fun <init> (Ljava/lang/String;Lkotlin/jvm/functions/Function0;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun <init> (Ljava/lang/String;Laws/smithy/kotlin/runtime/businessmetrics/BusinessMetric;Lkotlin/jvm/functions/Function0;)V
+	public synthetic fun <init> (Ljava/lang/String;Laws/smithy/kotlin/runtime/businessmetrics/BusinessMetric;Lkotlin/jvm/functions/Function0;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public fun resolve (Laws/smithy/kotlin/runtime/collections/Attributes;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public fun toString ()Ljava/lang/String;
 }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/DefaultChainCredentialsProvider.kt

@@ -7,6 +7,7 @@ package aws.sdk.kotlin.runtime.auth.credentials
 
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
 import aws.sdk.kotlin.runtime.config.imds.ImdsClient
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.collections.Attributes
 import aws.smithy.kotlin.runtime.http.engine.DefaultHttpEngine
@@ -52,7 +53,10 @@ public class DefaultChainCredentialsProvider constructor(
     private val chain = CredentialsProviderChain(
         SystemPropertyCredentialsProvider(platformProvider::getProperty),
         EnvironmentCredentialsProvider(platformProvider::getenv),
-        LazilyInitializedCredentialsProvider("EnvironmentStsWebIdentityCredentialsProvider") {
+        LazilyInitializedCredentialsProvider(
+            "EnvironmentStsWebIdentityCredentialsProvider",
+            AwsBusinessMetric.Credentials.CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN,
+        ) {
             // STS web identity provider can be constructed from either the profile OR 100% from the environment
             StsWebIdentityCredentialsProvider.fromEnvironment(
                 platformProvider = platformProvider,

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/EcsCredentialsProvider.kt

@@ -7,6 +7,8 @@ package aws.sdk.kotlin.runtime.auth.credentials
 
 import aws.sdk.kotlin.runtime.auth.credentials.internal.credentials
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.ErrorMetadata
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.client.endpoints.Endpoint
@@ -76,6 +78,7 @@ public class EcsCredentialsProvider(
 
     override suspend fun resolve(attributes: Attributes): Credentials {
         val logger = coroutineContext.logger<EcsCredentialsProvider>()
+
         val authToken = loadAuthToken()
         val relativeUri = AwsSdkSetting.AwsContainerCredentialsRelativeUri.resolve(platformProvider)
         val fullUri = AwsSdkSetting.AwsContainerCredentialsFullUri.resolve(platformProvider)
@@ -110,7 +113,7 @@ public class EcsCredentialsProvider(
 
         logger.debug { "obtained credentials from container metadata service; expiration=${creds.expiration?.format(TimestampFormat.ISO_8601)}" }
 
-        return creds
+        return creds.emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_HTTP)
     }
 
     private suspend fun loadAuthToken(): String? {

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/EnvironmentCredentialsProvider.kt

@@ -7,6 +7,8 @@ package aws.sdk.kotlin.runtime.auth.credentials
 
 import aws.sdk.kotlin.runtime.auth.credentials.internal.credentials
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
 import aws.smithy.kotlin.runtime.auth.awscredentials.simpleClassName
@@ -36,13 +38,14 @@ public class EnvironmentCredentialsProvider(
         coroutineContext.trace<EnvironmentCredentialsProvider> {
             "Attempting to load credentials from env vars $ACCESS_KEY_ID/$SECRET_ACCESS_KEY/$SESSION_TOKEN"
         }
+
         return credentials(
             accessKeyId = requireEnv(ACCESS_KEY_ID),
             secretAccessKey = requireEnv(SECRET_ACCESS_KEY),
             sessionToken = getEnv(SESSION_TOKEN),
             providerName = PROVIDER_NAME,
             accountId = getEnv(ACCOUNT_ID),
-        )
+        ).emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_ENV_VARS)
     }
 
     override fun toString(): String = this.simpleClassName

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ImdsCredentialsProvider.kt

@@ -9,6 +9,8 @@ import aws.sdk.kotlin.runtime.config.AwsSdkSetting
 import aws.sdk.kotlin.runtime.config.imds.EC2MetadataError
 import aws.sdk.kotlin.runtime.config.imds.ImdsClient
 import aws.sdk.kotlin.runtime.config.imds.InstanceMetadataProvider
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.collections.Attributes
 import aws.smithy.kotlin.runtime.config.resolve
@@ -106,7 +108,7 @@ public class ImdsCredentialsProvider(
                     resp.sessionToken,
                     resp.expiration,
                     PROVIDER_NAME,
-                )
+                ).emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_IMDS)
 
                 creds.also {
                     mu.withLock { previousCredentials = it }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/LazilyInitializedCredentialsProvider.kt

@@ -1,7 +1,9 @@
 package aws.sdk.kotlin.runtime.auth.credentials
 
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
+import aws.smithy.kotlin.runtime.businessmetrics.BusinessMetric
 import aws.smithy.kotlin.runtime.collections.Attributes
 
 /**
@@ -10,15 +12,22 @@ import aws.smithy.kotlin.runtime.collections.Attributes
  * or should be deferred until credentials are actually needed.
  *
  * @param providerName The name of the credentials provider that is being wrapped. Will default to "LazilyInitializedCredentialsProvider".
+ * @param businessMetric The provider's business metric to emit when credentials are resolved.
  * @param initializer A lambda function that provides the actual [CredentialsProvider] to be initialized lazily.
  */
 public class LazilyInitializedCredentialsProvider(
     private val providerName: String = "LazilyInitializedCredentialsProvider",
+    private val businessMetric: BusinessMetric? = null,
     initializer: () -> CredentialsProvider,
 ) : CredentialsProvider {
     private val provider = lazy(initializer)
 
-    override suspend fun resolve(attributes: Attributes): Credentials = provider.value.resolve(attributes)
+    override suspend fun resolve(attributes: Attributes): Credentials =
+        if (businessMetric == null) {
+            provider.value.resolve(attributes)
+        } else {
+            provider.value.resolve(attributes).emitBusinessMetric(businessMetric)
+        }
 
     override fun toString(): String = providerName
 }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ProcessCredentialsProvider.kt

@@ -5,10 +5,9 @@
 package aws.sdk.kotlin.runtime.auth.credentials
 
 import aws.sdk.kotlin.runtime.auth.credentials.internal.credentials
-import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
-import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
-import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderException
-import aws.smithy.kotlin.runtime.auth.awscredentials.simpleClassName
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
+import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.collections.Attributes
 import aws.smithy.kotlin.runtime.serde.json.JsonDeserializer
 import aws.smithy.kotlin.runtime.telemetry.logging.logger
@@ -68,14 +67,16 @@ public class ProcessCredentialsProvider(
         val deserializer = JsonDeserializer(payload)
 
         return when (val resp = deserializeJsonProcessCredentials(deserializer)) {
-            is JsonCredentialsResponse.SessionCredentials -> credentials(
-                resp.accessKeyId,
-                resp.secretAccessKey,
-                resp.sessionToken,
-                resp.expiration ?: Instant.MAX_VALUE,
-                PROVIDER_NAME,
-                resp.accountId,
-            )
+            is JsonCredentialsResponse.SessionCredentials -> {
+                credentials(
+                    resp.accessKeyId,
+                    resp.secretAccessKey,
+                    resp.sessionToken,
+                    resp.expiration ?: Instant.MAX_VALUE,
+                    PROVIDER_NAME,
+                    resp.accountId,
+                ).emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_PROCESS)
+            }
             else -> throw CredentialsProviderException("Credentials response was not of expected format")
         }
     }

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/ProfileCredentialsProvider.kt

@@ -9,16 +9,18 @@ import aws.sdk.kotlin.runtime.InternalSdkApi
 import aws.sdk.kotlin.runtime.auth.credentials.profile.LeafProvider
 import aws.sdk.kotlin.runtime.auth.credentials.profile.ProfileChain
 import aws.sdk.kotlin.runtime.auth.credentials.profile.RoleArn
+import aws.sdk.kotlin.runtime.auth.credentials.profile.RoleArnSource
 import aws.sdk.kotlin.runtime.client.AwsClientOption
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
 import aws.sdk.kotlin.runtime.config.imds.ImdsClient
 import aws.sdk.kotlin.runtime.config.profile.AwsConfigurationSource
 import aws.sdk.kotlin.runtime.config.profile.loadAwsSharedConfig
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetrics
 import aws.sdk.kotlin.runtime.region.resolveRegion
-import aws.smithy.kotlin.runtime.auth.awscredentials.CloseableCredentialsProvider
-import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
-import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
-import aws.smithy.kotlin.runtime.auth.awscredentials.simpleClassName
+import aws.smithy.kotlin.runtime.auth.awscredentials.*
+import aws.smithy.kotlin.runtime.businessmetrics.BusinessMetric
+import aws.smithy.kotlin.runtime.businessmetrics.BusinessMetrics
 import aws.smithy.kotlin.runtime.collections.Attributes
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
 import aws.smithy.kotlin.runtime.io.closeIfCloseable
@@ -86,6 +88,7 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
     public val httpClient: HttpClientEngine? = null,
     public val configurationSource: AwsConfigurationSource? = null,
 ) : CloseableCredentialsProvider {
+    private val credentialsBusinessMetrics: MutableSet<BusinessMetric> = mutableSetOf()
 
     public constructor(
         profileName: String? = null,
@@ -131,12 +134,21 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
 
         chain.roles.forEach { roleArn ->
             logger.debug { "Assuming role `${roleArn.roleArn}`" }
+            if (roleArn.source == RoleArnSource.SOURCE_PROFILE) {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_SOURCE_PROFILE)
+            }
+
             val assumeProvider = roleArn.toCredentialsProvider(creds, region)
+
+            creds.attributes.getOrNull(BusinessMetrics)?.forEach { metric ->
+                credentialsBusinessMetrics.add(metric)
+            }
+
             creds = assumeProvider.resolve(attributes)
         }
 
         logger.debug { "Obtained credentials from profile; expiration=${creds.expiration?.format(TimestampFormat.ISO_8601)}" }
-        return creds
+        return creds.emitBusinessMetrics(credentialsBusinessMetrics)
     }
 
     override fun close() {
@@ -147,10 +159,13 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
 
     private suspend fun LeafProvider.toCredentialsProvider(region: LazyAsyncValue<String?>): CredentialsProvider =
         when (this) {
-            is LeafProvider.NamedSource -> namedProviders[name]
-                ?: throw ProviderConfigurationException("unknown credentials source: $name")
+            is LeafProvider.NamedSource -> namedProviders[name].also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_NAMED_PROVIDER)
+            } ?: throw ProviderConfigurationException("unknown credentials source: $name")
 
-            is LeafProvider.AccessKey -> StaticCredentialsProvider(credentials)
+            is LeafProvider.AccessKey -> StaticCredentialsProvider(credentials).also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE)
+            }
 
             is LeafProvider.WebIdentityTokenRole -> StsWebIdentityCredentialsProvider(
                 roleArn,
@@ -159,7 +174,9 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
                 roleSessionName = sessionName,
                 platformProvider = platformProvider,
                 httpClient = httpClient,
-            )
+            ).also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN)
+            }
 
             is LeafProvider.SsoSession -> SsoCredentialsProvider(
                 accountId = ssoAccountId,
@@ -169,7 +186,9 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
                 ssoSessionName = ssoSessionName,
                 httpClient = httpClient,
                 platformProvider = platformProvider,
-            )
+            ).also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_SSO)
+            }
 
             is LeafProvider.LegacySso -> SsoCredentialsProvider(
                 accountId = ssoAccountId,
@@ -178,9 +197,13 @@ public class ProfileCredentialsProvider @InternalSdkApi constructor(
                 ssoRegion = ssoRegion,
                 httpClient = httpClient,
                 platformProvider = platformProvider,
-            )
+            ).also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_SSO_LEGACY)
+            }
 
-            is LeafProvider.Process -> ProcessCredentialsProvider(command)
+            is LeafProvider.Process -> ProcessCredentialsProvider(command).also {
+                credentialsBusinessMetrics.add(AwsBusinessMetric.Credentials.CREDENTIALS_PROFILE_PROCESS)
+            }
         }
 
     private suspend fun RoleArn.toCredentialsProvider(

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/SsoCredentialsProvider.kt

@@ -8,14 +8,12 @@ package aws.sdk.kotlin.runtime.auth.credentials
 import aws.sdk.kotlin.runtime.auth.credentials.internal.credentials
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sso.SsoClient
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sso.getRoleCredentials
-import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
-import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
-import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProviderException
-import aws.smithy.kotlin.runtime.auth.awscredentials.simpleClassName
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
+import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.client.SdkClientOption
 import aws.smithy.kotlin.runtime.collections.Attributes
 import aws.smithy.kotlin.runtime.http.engine.HttpClientEngine
-import aws.smithy.kotlin.runtime.serde.json.*
 import aws.smithy.kotlin.runtime.telemetry.logging.logger
 import aws.smithy.kotlin.runtime.telemetry.telemetryProvider
 import aws.smithy.kotlin.runtime.time.Clock
@@ -121,14 +119,20 @@ public class SsoCredentialsProvider public constructor(
 
         val roleCredentials = resp.roleCredentials ?: throw CredentialsProviderException("Expected SSO roleCredentials to not be null")
 
-        return credentials(
+        val creds = credentials(
             accessKeyId = checkNotNull(roleCredentials.accessKeyId) { "Expected accessKeyId in SSO roleCredentials response" },
             secretAccessKey = checkNotNull(roleCredentials.secretAccessKey) { "Expected secretAccessKey in SSO roleCredentials response" },
             sessionToken = roleCredentials.sessionToken,
             expiration = Instant.fromEpochMilliseconds(roleCredentials.expiration),
             PROVIDER_NAME,
             accountId = accountId,
         )
+
+        return if (ssoTokenProvider != null) {
+            creds.emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_SSO)
+        } else {
+            creds.emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_SSO_LEGACY)
+        }
     }
 
     // non sso-session legacy token flow

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsAssumeRoleCredentialsProvider.kt

@@ -13,6 +13,8 @@ import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.model.PolicyDescript
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.model.RegionDisabledException
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.model.Tag
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.client.SdkClientOption
 import aws.smithy.kotlin.runtime.collections.Attributes
@@ -146,7 +148,7 @@ public class StsAssumeRoleCredentialsProvider(
             expiration = roleCredentials.expiration,
             providerName = PROVIDER_NAME,
             accountId = accountId,
-        )
+        ).emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_STS_ASSUME_ROLE)
     }
 
     override fun toString(): String = this.simpleClassName

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/StsWebIdentityCredentialsProvider.kt

@@ -11,6 +11,8 @@ import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.StsClient
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.assumeRoleWithWebIdentity
 import aws.sdk.kotlin.runtime.auth.credentials.internal.sts.model.PolicyDescriptorType
 import aws.sdk.kotlin.runtime.config.AwsSdkSetting
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.AwsBusinessMetric
+import aws.sdk.kotlin.runtime.http.interceptors.businessmetrics.emitBusinessMetric
 import aws.smithy.kotlin.runtime.auth.awscredentials.*
 import aws.smithy.kotlin.runtime.client.SdkClientOption
 import aws.smithy.kotlin.runtime.collections.Attributes
@@ -104,6 +106,7 @@ public class StsWebIdentityCredentialsProvider(
     override suspend fun resolve(attributes: Attributes): Credentials {
         val logger = coroutineContext.logger<StsAssumeRoleCredentialsProvider>()
         logger.debug { "retrieving assumed credentials via web identity" }
+
         val provider = this
         val params = provider.webIdentityParameters
 
@@ -149,7 +152,7 @@ public class StsWebIdentityCredentialsProvider(
             expiration = roleCredentials.expiration,
             providerName = PROVIDER_NAME,
             accountId = accountId,
-        )
+        ).emitBusinessMetric(AwsBusinessMetric.Credentials.CREDENTIALS_STS_ASSUME_ROLE_WEB_ID)
     }
 
     override fun toString(): String = this.simpleClassName