update crt, enable HTTPS_PROXY var for crt credentials providers

src/aws-cpp-sdk-core/include/aws/core/auth/ProfileCredentialsProvider.h

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <aws/core/Core_EXPORTS.h>
+#include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/utils/memory/stl/AWSString.h>
 #include <aws/core/auth/AWSCredentials.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
@@ -25,6 +26,12 @@ class AWS_CORE_API ProfileCredentialsProvider : public AWSCredentialsProvider {
    */
   ProfileCredentialsProvider(const char* profile, long refreshRateMs = REFRESH_THRESHOLD);
 
+  /**
+   * Initializes from a CredentialProviderConfiguration so settings such as allowSystemProxy can flow through.
+   */
+  ProfileCredentialsProvider(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config,
+                             long refreshRateMs = REFRESH_THRESHOLD);
+
   /**
    * Retrieves the credentials if found, otherwise returns empty credential set.
    */

src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h

@@ -526,6 +526,13 @@ namespace Aws
              */
             Aws::String region;
 
+            /**
+             * Allow CRT-based credential providers to honor HTTP_PROXY / HTTPS_PROXY / NO_PROXY environment
+             * variables when fetching credentials. Off by default to mirror ClientConfiguration::allowSystemProxy
+             * and avoid silently routing credential traffic through an unintended proxy.
+             */
+            bool allowSystemProxy = false;
+
             /**
              * IMDS configuration settings
              */
@@ -597,6 +604,14 @@ namespace Aws
             } loginCredentialProviderConfig;
           } credentialProviderConfig;
 
+          /**
+           * Returns a copy of credentialProviderConfig with parent fields (such as allowSystemProxy) re-synced
+           * from their current values on this ClientConfiguration. Use this at the point of constructing a
+           * credentials provider so post-construction assignments to parent fields are picked up; reading
+           * credentialProviderConfig directly captures values from ClientConfiguration construction time only.
+           */
+          CredentialProviderConfiguration ResolveCredentialProviderConfig() const;
+
           /**
            * Authentication scheme preferences in order of preference.
            * First available auth scheme will be used for each operation.

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp

@@ -90,7 +90,7 @@ DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain() : AWSCr
 DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) : AWSCredentialsProviderChain()
 {
     AddProvider(Aws::MakeShared<EnvironmentAWSCredentialsProvider>(DefaultCredentialsProviderChainTag));
-    AddProvider(Aws::MakeShared<ProfileCredentialsProvider>(DefaultCredentialsProviderChainTag,config.profile.c_str()));
+    AddProvider(Aws::MakeShared<ProfileCredentialsProvider>(DefaultCredentialsProviderChainTag, config));
     AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag, config));
     AddProvider(Aws::MakeShared<SSOCredentialsProvider>(DefaultCredentialsProviderChainTag,config.profile));
     AddProvider(Aws::MakeShared<LoginCredentialsProvider>(DefaultCredentialsProviderChainTag, config));

src/aws-cpp-sdk-core/source/auth/ProfileCredentialsProvider.cpp

@@ -1,9 +1,15 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/core/Globals.h>
 #include <aws/core/auth/CrtCredentialsProvider.h>
 #include <aws/core/auth/ProfileCredentialsProvider.h>
 #include <aws/core/client/UserAgent.h>
 #include <aws/core/platform/Environment.h>
 #include <aws/core/platform/FileSystem.h>
 #include <aws/crt/auth/Credentials.h>
+#include <aws/crt/http/HttpConnection.h>
 
 #include <chrono>
 
@@ -17,6 +23,29 @@ const char PROFILE_AWS_CREDENTIALS_FILE[] = "AWS_SHARED_CREDENTIALS_FILE";
 const char PROFILE_DEFAULT_CREDENTIALS_FILE[] = "credentials";
 const char PROFILE_PROFILE_DIRECTORY[] = ".aws";
 const long DEFAULT_REFRESH_RATE_MS = 300000;
+
+std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> GetProfileCrtProvider(
+    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig) {
+  CredentialsProviderProfileConfig config{};
+  config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(credentialsConfig.profile.c_str());
+  config.Bootstrap = Aws::GetDefaultClientBootstrap();
+  const auto tlsOptions = Aws::GetDefaultTlsConnectionOptions();
+  if (tlsOptions) {
+    config.TlsConnectionOptions = *tlsOptions;
+  }
+
+  if (credentialsConfig.allowSystemProxy) {
+    Aws::Crt::Http::ProxyEnvVarOptions options{};
+    options.proxyEnvVarType = Aws::Crt::Http::ProxyEnvVarType::Enabled;
+    options.connectionType = Aws::Crt::Http::AwsHttpProxyConnectionType::Legacy;
+    if (tlsOptions) {
+      options.TlsOptions = *tlsOptions;
+    }
+    config.ProxyEnvVarOptions = options;
+  }
+
+  return CredentialsProvider::CreateCredentialsProviderProfile(config);
+}
 }  // namespace
 
 class ProfileCredentialsProvider::ProfileCredentialsProviderImp : public CrtCredentialsProvider {
@@ -29,12 +58,10 @@ class ProfileCredentialsProvider::ProfileCredentialsProviderImp : public CrtCred
             },
             std::chrono::milliseconds(DEFAULT_REFRESH_RATE_MS), UserAgentFeature::CREDENTIALS_PROFILE, "ProfileCredentialsProvider") {}
 
-  ProfileCredentialsProviderImp(const char* profile)
+  ProfileCredentialsProviderImp(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig)
       : CrtCredentialsProvider(
-            [profile]() -> std::shared_ptr<ICredentialsProvider> {
-              CredentialsProviderProfileConfig config;
-              config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile);
-              return CredentialsProvider::CreateCredentialsProviderProfile(config);
+            [credentialsConfig]() -> std::shared_ptr<ICredentialsProvider> {
+              return GetProfileCrtProvider(credentialsConfig);
             },
             std::chrono::milliseconds(DEFAULT_REFRESH_RATE_MS), UserAgentFeature::CREDENTIALS_PROFILE,
             "ProfileCredentialsProvider") {}
@@ -63,8 +90,16 @@ ProfileCredentialsProvider::ProfileCredentialsProvider(long refreshRateMs) : m_i
   AWS_UNREFERENCED_PARAM(refreshRateMs);
 }
 
-ProfileCredentialsProvider::ProfileCredentialsProvider(const char* profile, long refreshRateMs)
-    : m_impl(std::make_shared<ProfileCredentialsProviderImp>(profile)) {
+ProfileCredentialsProvider::ProfileCredentialsProvider(const char* profile, long refreshRateMs) {
+  Aws::Client::ClientConfiguration::CredentialProviderConfiguration credentialsConfig{};
+  credentialsConfig.profile = profile;
+  m_impl = std::make_shared<ProfileCredentialsProviderImp>(credentialsConfig);
+  AWS_UNREFERENCED_PARAM(refreshRateMs);
+}
+
+ProfileCredentialsProvider::ProfileCredentialsProvider(
+    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig, long refreshRateMs)
+    : m_impl(std::make_shared<ProfileCredentialsProviderImp>(credentialsConfig)) {
   AWS_UNREFERENCED_PARAM(refreshRateMs);
 }
 

src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp

@@ -18,8 +18,6 @@ std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> GetSTSCrtProvider(
     Aws::Crt::Io::ClientBootstrap* defaultClientBootstrap) {
   Aws::Crt::Auth::CredentialsProviderSTSWebIdentityConfig stsConfig{};
   stsConfig.Bootstrap = defaultClientBootstrap;
-  Aws::Crt::Io::TlsContextOptions tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient();
-  const Aws::Crt::Io::TlsContext tlsContext(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT);
   const auto tlsOptions = Aws::GetDefaultTlsConnectionOptions();
   if (tlsOptions) {
     stsConfig.TlsConnectionOptions = *tlsOptions;
@@ -35,18 +33,18 @@ std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> GetSTSCrtProvider(
   }()
                                                         .c_str();
 
+  if (credentialsConfig.allowSystemProxy) {
+    Aws::Crt::Http::ProxyEnvVarOptions options{};
+    options.proxyEnvVarType = Aws::Crt::Http::ProxyEnvVarType::Enabled;
+    options.connectionType = Aws::Crt::Http::AwsHttpProxyConnectionType::Legacy;
+    if (tlsOptions) {
+      options.TlsOptions = *tlsOptions;
+    }
+    stsConfig.ProxyEnvVarOptions = options;
+  }
+
   return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderSTSWebIdentity(stsConfig);
 }
-}  // namespace
-
-STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(
-    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig)
-    : CrtCredentialsProvider{[&credentialsConfig]() -> std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> {
-                               return GetSTSCrtProvider(credentialsConfig, GetDefaultClientBootstrap());
-                             },
-                             credentialsConfig.stsCredentialsProviderConfig.retrieveCredentialsFutureTimeout,
-                             Aws::Client::UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN,
-                             "STSAssumeRoleWebIdentityCredentialsProvider"} {}
 
 Aws::String GetLegacySettingFromEnvOrProfile(const Aws::String& envVar,
                                              std::function<Aws::String(Aws::Config::Profile)> profileFetchFunction) {
@@ -58,20 +56,35 @@ Aws::String GetLegacySettingFromEnvOrProfile(const Aws::String& envVar,
   return value;
 }
 
+Aws::Client::ClientConfiguration::CredentialProviderConfiguration BuildLegacyConfig() {
+  Aws::Client::ClientConfiguration::CredentialProviderConfiguration config{};
+  config.profile = Aws::Auth::GetConfigProfileName();
+  config.region = GetLegacySettingFromEnvOrProfile(
+      "AWS_DEFAULT_REGION",
+      [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRegion(); });
+  config.stsCredentialsProviderConfig.roleArn = GetLegacySettingFromEnvOrProfile(
+      "AWS_ROLE_ARN",
+      [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRoleArn(); });
+  config.stsCredentialsProviderConfig.sessionName = GetLegacySettingFromEnvOrProfile(
+      "AWS_ROLE_SESSION_NAME",
+      [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("role_session_name"); });
+  config.stsCredentialsProviderConfig.tokenFilePath = GetLegacySettingFromEnvOrProfile(
+      "AWS_WEB_IDENTITY_TOKEN_FILE",
+      [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("web_identity_token_file"); });
+  return config;
+}
+}  // namespace
+
+STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(
+    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig)
+    : CrtCredentialsProvider{[&credentialsConfig]() -> std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> {
+                               return GetSTSCrtProvider(credentialsConfig, GetDefaultClientBootstrap());
+                             },
+                             credentialsConfig.stsCredentialsProviderConfig.retrieveCredentialsFutureTimeout,
+                             Aws::Client::UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN,
+                             "STSAssumeRoleWebIdentityCredentialsProvider"} {}
+
 STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider()
-    : STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration::CredentialProviderConfiguration{
-          Aws::Auth::GetConfigProfileName(),
-          GetLegacySettingFromEnvOrProfile("AWS_DEFAULT_REGION",
-                                           [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRegion(); }),
-          {},
-          {GetLegacySettingFromEnvOrProfile("AWS_ROLE_ARN",
-                                            [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRoleArn(); }),
-           GetLegacySettingFromEnvOrProfile(
-               "AWS_ROLE_SESSION_NAME",
-               [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("role_session_name"); }),
-           GetLegacySettingFromEnvOrProfile(
-               "AWS_WEB_IDENTITY_TOKEN_FILE",
-               [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("web_identity_token_file"); })},
-          {}}) {}
+    : STSAssumeRoleWebIdentityCredentialsProvider(BuildLegacyConfig()) {}
 
 STSAssumeRoleWebIdentityCredentialsProvider::~STSAssumeRoleWebIdentityCredentialsProvider() = default;

src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp

@@ -649,5 +649,15 @@ Aws::String ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(const A
   return option;
 }
 
+ClientConfiguration::CredentialProviderConfiguration ClientConfiguration::ResolveCredentialProviderConfig() const
+{
+    auto resolved = credentialProviderConfig;
+    resolved.region = region;
+    resolved.profile = profileName;
+    resolved.imdsConfig.disableImds = disableIMDS;
+    resolved.allowSystemProxy = allowSystemProxy;
+    return resolved;
+}
+
 } // namespace Client
 } // namespace Aws

tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/ServiceClientSourceInit.vm

@@ -63,7 +63,7 @@
 #set($AdditionalServiceSpecificConfigLoadString = "Load${metadata.classNamePrefix}SpecificConfig(config);")
 #end
 #set($clientConfigurationNamespace = "Aws::Client")
-#set($defaultCredentialsProviderChainParam = "Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig)")
+#set($defaultCredentialsProviderChainParam = "Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG, clientConfiguration.ResolveCredentialProviderConfig())")
 #set($s3ExpressIdentityProviderParam = "clientConfiguration.identityProviderSupplier(*this)")
 #set($simpleCredentialsProviderParam = "Aws::MakeShared<SimpleAWSCredentialsProvider>(ALLOCATION_TAG, credentials)")
 #set($hasEventStreamInputOperation = $serviceModel.hasStreamingRequestShapes())

tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/ServiceClientSourceLegacyConstructors.vm

@@ -57,7 +57,7 @@
 #set($AdditionalServiceSpecificConfigLoadString = "Load${metadata.classNamePrefix}SpecificConfig(config);")
 #end
 #set($clientConfigurationNamespace = "Aws::Client")
-#set($defaultCredentialsProviderChainParam = "Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig)")
+#set($defaultCredentialsProviderChainParam = "Aws::MakeShared<DefaultAWSCredentialsProviderChain>(ALLOCATION_TAG, clientConfiguration.ResolveCredentialProviderConfig())")
 #set($simpleCredentialsProviderParam = "Aws::MakeShared<SimpleAWSCredentialsProvider>(ALLOCATION_TAG, credentials)")
 #set($hasEventStreamInputOperation = $serviceModel.hasStreamingRequestShapes())
 #set($signerToMake = "AWSAuthV4Signer")