feat(credential-providers): add logger for credential providers

packages/credential-provider-cognito-identity/src/fromCognitoIdentity.ts

@@ -1,3 +1,4 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, Provider } from "@smithy/types";
 
@@ -29,6 +30,7 @@ export type CognitoIdentityCredentialProvider = Provider<CognitoIdentityCredenti
  */
 export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters): CognitoIdentityCredentialProvider {
   return async (): Promise<CognitoIdentityCredentials> => {
+    parameters.logger?.debug("@aws-sdk/credential-provider-cognito-identity", "fromCognitoIdentity");
     const { GetCredentialsForIdentityCommand, CognitoIdentityClient } = await import("./loadCognitoIdentity");
 
     const {
@@ -59,7 +61,7 @@ export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters):
 /**
  * @internal
  */
-export interface FromCognitoIdentityParameters extends CognitoProviderParameters {
+export interface FromCognitoIdentityParameters extends CognitoProviderParameters, CredentialProviderOptions {
   /**
    * The unique identifier for the identity against which credentials will be
    * issued.

packages/credential-provider-cognito-identity/src/fromCognitoIdentityPool.ts

@@ -1,3 +1,4 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 
 import { CognitoProviderParameters } from "./CognitoProviderParameters";
@@ -25,7 +26,9 @@ export function fromCognitoIdentityPool({
   identityPoolId,
   logins,
   userIdentifier = !logins || Object.keys(logins).length === 0 ? "ANONYMOUS" : undefined,
+  logger,
 }: FromCognitoIdentityPoolParameters): CognitoIdentityCredentialProvider {
+  logger?.debug("@aws-sdk/credential-provider-cognito-identity", "fromCognitoIdentity");
   const cacheKey: string | undefined = userIdentifier
     ? `aws:cognito-identity-credentials:${identityPoolId}:${userIdentifier}`
     : undefined;
@@ -72,7 +75,7 @@ export function fromCognitoIdentityPool({
 /**
  * @internal
  */
-export interface FromCognitoIdentityPoolParameters extends CognitoProviderParameters {
+export interface FromCognitoIdentityPoolParameters extends CognitoProviderParameters, CredentialProviderOptions {
   /**
    * A standard AWS account ID (9+ digits).
    */

packages/credential-provider-env/src/fromEnv.ts

@@ -1,6 +1,9 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
+export interface FromEnvInit extends CredentialProviderOptions {}
+
 /**
  * @internal
  */
@@ -29,22 +32,25 @@ export const ENV_CREDENTIAL_SCOPE = "AWS_CREDENTIAL_SCOPE";
  * `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY` environment variable is not
  * set in this process, the provider will return a rejected promise.
  */
-export const fromEnv = (): AwsCredentialIdentityProvider => async () => {
-  const accessKeyId: string | undefined = process.env[ENV_KEY];
-  const secretAccessKey: string | undefined = process.env[ENV_SECRET];
-  const sessionToken: string | undefined = process.env[ENV_SESSION];
-  const expiry: string | undefined = process.env[ENV_EXPIRATION];
-  const credentialScope: string | undefined = process.env[ENV_CREDENTIAL_SCOPE];
+export const fromEnv =
+  (init?: FromEnvInit): AwsCredentialIdentityProvider =>
+  async () => {
+    init?.logger?.debug("@aws-sdk/credential-provider-env", "fromEnv");
+    const accessKeyId: string | undefined = process.env[ENV_KEY];
+    const secretAccessKey: string | undefined = process.env[ENV_SECRET];
+    const sessionToken: string | undefined = process.env[ENV_SESSION];
+    const expiry: string | undefined = process.env[ENV_EXPIRATION];
+    const credentialScope: string | undefined = process.env[ENV_CREDENTIAL_SCOPE];
 
-  if (accessKeyId && secretAccessKey) {
-    return {
-      accessKeyId,
-      secretAccessKey,
-      ...(sessionToken && { sessionToken }),
-      ...(expiry && { expiration: new Date(expiry) }),
-      ...(credentialScope && { credentialScope }),
-    };
-  }
+    if (accessKeyId && secretAccessKey) {
+      return {
+        accessKeyId,
+        secretAccessKey,
+        ...(sessionToken && { sessionToken }),
+        ...(expiry && { expiration: new Date(expiry) }),
+        ...(credentialScope && { credentialScope }),
+      };
+    }
 
-  throw new CredentialsProviderError("Unable to find environment variable credentials.");
-};
+    throw new CredentialsProviderError("Unable to find environment variable credentials.");
+  };

packages/credential-provider-http/src/fromHttp/fromHttp.browser.ts

@@ -11,6 +11,7 @@ import { retryWrapper } from "./retry-wrapper";
  * Creates a provider that gets credentials via HTTP request.
  */
 export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvider => {
+  options.logger?.debug("@aws-sdk/credential-provider-http", "fromHttp");
   let host: string;
 
   const full = options.credentialsFullUri;

packages/credential-provider-http/src/fromHttp/fromHttp.ts

@@ -18,6 +18,7 @@ const AWS_CONTAINER_AUTHORIZATION_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
  * Creates a provider that gets credentials via HTTP request.
  */
 export const fromHttp = (options: FromHttpOptions): AwsCredentialIdentityProvider => {
+  options.logger?.debug("@aws-sdk/credential-provider-http", "fromHttp");
   let host: string;
 
   const relative = options.awsContainerCredentialsRelativeUri ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];

packages/credential-provider-http/src/fromHttp/fromHttpTypes.ts

@@ -1,9 +1,11 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
+
 /**
  * @public
  *
  * Input for the fromHttp function in the HTTP Credentials Provider for Node.js.
  */
-export interface FromHttpOptions {
+export interface FromHttpOptions extends CredentialProviderOptions {
   /**
    * If this value is provided, it will be used as-is.
    *

packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts

@@ -105,7 +105,7 @@ export const resolveAssumeRoleCredentials = async (
         ...visitedProfiles,
         [source_profile]: true,
       })
-    : resolveCredentialSource(data.credential_source!, profileName)();
+    : resolveCredentialSource(data.credential_source!, profileName)(options)();
 
   const params: AssumeRoleParams = {
     RoleArn: data.role_arn!,

packages/credential-provider-ini/src/resolveCredentialSource.ts

@@ -1,4 +1,5 @@
 import { fromEnv } from "@aws-sdk/credential-provider-env";
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { fromContainerMetadata, fromInstanceMetadata } from "@smithy/credential-provider-imds";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
@@ -15,14 +16,14 @@ import { AwsCredentialIdentityProvider } from "@smithy/types";
 export const resolveCredentialSource = (
   credentialSource: string,
   profileName: string
-): AwsCredentialIdentityProvider => {
-  const sourceProvidersMap: Record<string, () => AwsCredentialIdentityProvider> = {
+): ((options?: CredentialProviderOptions) => AwsCredentialIdentityProvider) => {
+  const sourceProvidersMap: Record<string, (options?: CredentialProviderOptions) => AwsCredentialIdentityProvider> = {
     EcsContainer: fromContainerMetadata,
     Ec2InstanceMetadata: fromInstanceMetadata,
     Environment: fromEnv,
   };
   if (credentialSource in sourceProvidersMap) {
-    return sourceProvidersMap[credentialSource]();
+    return sourceProvidersMap[credentialSource];
   } else {
     throw new CredentialsProviderError(
       `Unsupported credential source in profile ${profileName}. Got ${credentialSource}, ` +

packages/credential-provider-node/src/defaultProvider.ts

@@ -55,27 +55,33 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
         ? []
         : [
             async () => {
+              init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::fromEnv");
               const { fromEnv } = await import("@aws-sdk/credential-provider-env");
               return fromEnv()();
             },
           ]),
       async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::fromSSO");
         const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
         return fromSSO(init)();
       },
       async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::fromIni");
         const { fromIni } = await import("@aws-sdk/credential-provider-ini");
         return fromIni(init)();
       },
       async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::fromProcess");
         const { fromProcess } = await import("@aws-sdk/credential-provider-process");
         return fromProcess(init)();
       },
       async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::fromTokenFile");
         const { fromTokenFile } = await import("@aws-sdk/credential-provider-web-identity");
         return fromTokenFile(init)();
       },
       async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node", "defaultProvider::remoteProvider");
         return (await remoteProvider(init))();
       },
       async () => {

packages/credential-provider-node/src/remoteProvider.ts

@@ -13,6 +13,7 @@ export const remoteProvider = async (init: RemoteProviderInit): Promise<AwsCrede
   );
 
   if (process.env[ENV_CMDS_RELATIVE_URI] || process.env[ENV_CMDS_FULL_URI]) {
+    init.logger?.debug("@aws-sdk/credential-provider-node", "remoteProvider::fromContainerMetadata");
     return fromContainerMetadata(init);
   }
 
@@ -22,5 +23,6 @@ export const remoteProvider = async (init: RemoteProviderInit): Promise<AwsCrede
     };
   }
 
+  init.logger?.debug("@aws-sdk/credential-provider-node", "remoteProvider::fromInstanceMetadata");
   return fromInstanceMetadata(init);
 };

packages/credential-providers/src/fromContainerMetadata.ts

@@ -1,10 +1,11 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import {
   fromContainerMetadata as _fromContainerMetadata,
   RemoteProviderInit as _RemoteProviderInit,
 } from "@smithy/credential-provider-imds";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
-export interface RemoteProviderInit extends _RemoteProviderInit {}
+export interface RemoteProviderInit extends _RemoteProviderInit, CredentialProviderOptions {}
 
 /**
  * Create a credential provider function that reads from ECS container metadata service.
@@ -25,5 +26,7 @@ export interface RemoteProviderInit extends _RemoteProviderInit {}
  * });
  * ```
  */
-export const fromContainerMetadata = (init?: RemoteProviderInit): AwsCredentialIdentityProvider =>
-  _fromContainerMetadata(init);
+export const fromContainerMetadata = (init?: RemoteProviderInit): AwsCredentialIdentityProvider => {
+  init?.logger?.debug("@smithy/credential-provider-imds", "fromContainerMetadata");
+  return _fromContainerMetadata(init);
+};

packages/credential-providers/src/fromEnv.ts

@@ -1,4 +1,4 @@
-import { fromEnv as _fromEnv } from "@aws-sdk/credential-provider-env";
+import { fromEnv as _fromEnv, FromEnvInit } from "@aws-sdk/credential-provider-env";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
 
 /**
@@ -25,4 +25,4 @@ import { AwsCredentialIdentityProvider } from "@smithy/types";
  * });
  * ```
  */
-export const fromEnv = (): AwsCredentialIdentityProvider => _fromEnv();
+export const fromEnv = (init?: FromEnvInit): AwsCredentialIdentityProvider => _fromEnv(init);

packages/credential-providers/src/fromInstanceMetadata.ts

@@ -1,3 +1,4 @@
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import {
   fromInstanceMetadata as _fromInstanceMetadata,
   RemoteProviderConfig as _RemoteProviderInit,
@@ -23,5 +24,9 @@ import { AwsCredentialIdentityProvider } from "@smithy/types";
  * });
  * ```
  */
-export const fromInstanceMetadata = (init?: _RemoteProviderInit): AwsCredentialIdentityProvider =>
-  _fromInstanceMetadata(init);
+export const fromInstanceMetadata = (
+  init?: _RemoteProviderInit & CredentialProviderOptions
+): AwsCredentialIdentityProvider => {
+  init?.logger?.debug("@smithy/credential-provider-imds", "fromInstanceMetadata");
+  return _fromInstanceMetadata(init);
+};

packages/credential-providers/src/fromTemporaryCredentials.ts

@@ -1,8 +1,9 @@
 import type { AssumeRoleCommandInput, STSClient, STSClientConfig } from "@aws-sdk/client-sts";
+import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, AwsCredentialIdentityProvider, Pluggable } from "@smithy/types";
 
-export interface FromTemporaryCredentialsOptions {
+export interface FromTemporaryCredentialsOptions extends CredentialProviderOptions {
   params: Omit<AssumeRoleCommandInput, "RoleSessionName"> & { RoleSessionName?: string };
   masterCredentials?: AwsCredentialIdentity | AwsCredentialIdentityProvider;
   clientConfig?: STSClientConfig;
@@ -53,6 +54,7 @@ export interface FromTemporaryCredentialsOptions {
 export const fromTemporaryCredentials = (options: FromTemporaryCredentialsOptions): AwsCredentialIdentityProvider => {
   let stsClient: STSClient;
   return async (): Promise<AwsCredentialIdentity> => {
+    options.logger?.debug("@aws-sdk/credential-providers", "fromTemporaryCredentials (STS)");
     const params = { ...options.params, RoleSessionName: options.params.RoleSessionName ?? "aws-sdk-js-" + Date.now() };
     if (params?.SerialNumber) {
       if (!options.mfaCodeProvider) {