Add proxy config for credential providers (#281)

azkrishpy · TingDaoK · web-flow · commit 37ebf2d27cf4 · 2025-12-05T18:46:00.000-08:00
Co-authored-by: Dengke Tang &lt;dengket@amazon.com&gt;
Co-authored-by: Krish &lt;&gt;
diff --git a/include/aws/auth/aws_imds_client.h b/include/aws/auth/aws_imds_client.h
@@ -43,6 +43,12 @@ struct aws_imds_client_options {
      */
     struct aws_retry_strategy *retry_strategy;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /*
      * What version of the imds protocol to use
      *
diff --git a/include/aws/auth/credentials.h b/include/aws/auth/credentials.h
@@ -10,6 +10,7 @@
 #include <aws/common/array_list.h>
 #include <aws/common/atomics.h>
 #include <aws/common/linked_list.h>
+#include <aws/http/proxy.h>
 #include <aws/io/io.h>
 
 AWS_PUSH_SANE_WARNING_LEVEL
@@ -224,6 +225,12 @@ struct aws_credentials_provider_imds_options {
 
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
+
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
 };
 
 /*
@@ -259,6 +266,12 @@ struct aws_credentials_provider_ecs_environment_options {
      */
     struct aws_tls_ctx *tls_ctx;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
 };
@@ -310,6 +323,12 @@ struct aws_credentials_provider_ecs_options {
      */
     struct aws_tls_ctx *tls_ctx;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
 
@@ -354,6 +373,12 @@ struct aws_credentials_provider_x509_options {
      */
     const struct aws_http_proxy_options *proxy_options;
 
+    /**
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
 };
@@ -401,6 +426,12 @@ struct aws_credentials_provider_sts_web_identity_options {
      */
     struct aws_tls_ctx *tls_ctx;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
 
@@ -470,6 +501,12 @@ struct aws_credentials_provider_sso_options {
      */
     struct aws_tls_ctx *tls_ctx;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
     aws_io_clock_fn *system_clock_fn;
@@ -525,6 +562,12 @@ struct aws_credentials_provider_sts_options {
      */
     const struct aws_http_proxy_options *http_proxy_options;
 
+    /**
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /**
      * (Optional)
      * Uses a cached config file profile collection (~/.aws/config). You can also pass a merged profile collection,
@@ -628,6 +671,12 @@ struct aws_credentials_provider_chain_default_options {
      * If enabled, the Environment Credentials Provider is not added to the chain.
      */
     bool skip_environment_credentials_provider;
+
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
 };
 
 typedef int(aws_credentials_provider_delegate_get_credentials_fn)(
@@ -722,6 +771,12 @@ struct aws_credentials_provider_cognito_options {
      */
     const struct aws_http_proxy_options *http_proxy_options;
 
+    /**
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
 
@@ -795,6 +850,12 @@ struct aws_credentials_provider_login_options {
      */
     struct aws_tls_ctx *tls_ctx;
 
+    /*
+     * (Optional) Settings propagated down to http connection manager to choose proxy options from environment. Read
+     * aws_http_credentials_provider.h for more information.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking, leave NULL otherwise */
     struct aws_auth_http_system_vtable *function_table;
     aws_io_clock_fn *system_clock_fn;
diff --git a/include/aws/auth/private/aws_http_credentials_provider.h b/include/aws/auth/private/aws_http_credentials_provider.h
@@ -50,6 +50,15 @@ struct aws_credentials_provider_http_options {
      */
     struct aws_retry_strategy *retry_strategy;
 
+    /*
+     * Optional.
+     * Configuration for fetching proxy configuration from environment for http connections.
+     * By Default proxy_ev_settings.aws_http_proxy_env_var_type is set to AWS_HPEV_DISABLE which means we don't read
+     * proxy configuration from environment. If proxy_options exist for a particular credential provider and is set by
+     * the user, it overrides what is set from the environment.
+     */
+    const struct proxy_env_var_settings *proxy_ev_settings;
+
     /* For mocking the http layer in tests, leave NULL otherwise */
     const struct aws_auth_http_system_vtable *function_table;
 };
diff --git a/source/aws_http_credentials_provider.c b/source/aws_http_credentials_provider.c
@@ -419,6 +419,7 @@ int aws_http_credentials_provider_init_base(
     manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
     manager_options.shutdown_complete_user_data = provider;
     manager_options.tls_connection_options = &tls_connection_options;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     impl->function_table = options->function_table;
     if (impl->function_table == NULL) {
diff --git a/source/aws_imds_client.c b/source/aws_imds_client.c
@@ -168,6 +168,7 @@ struct aws_imds_client *aws_imds_client_new(
     manager_options.max_connections = 10;
     manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
     manager_options.shutdown_complete_user_data = client;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     client->connection_manager = client->function_table->aws_http_connection_manager_new(allocator, &manager_options);
     if (!client->connection_manager) {
diff --git a/source/credentials_provider_cognito.c b/source/credentials_provider_cognito.c
@@ -817,6 +817,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_cognito(
     manager_options.shutdown_complete_user_data = provider;
     manager_options.tls_connection_options = &tls_connection_options;
     manager_options.proxy_options = options->http_proxy_options;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     impl->function_table = options->function_table;
     if (impl->function_table == NULL) {
diff --git a/source/credentials_provider_default_chain.c b/source/credentials_provider_default_chain.c
@@ -35,13 +35,15 @@ static struct aws_credentials_provider *s_aws_credentials_provider_new_ecs_or_im
     struct aws_allocator *allocator,
     const struct aws_credentials_provider_shutdown_options *shutdown_options,
     struct aws_client_bootstrap *bootstrap,
-    struct aws_tls_ctx *tls_ctx) {
+    struct aws_tls_ctx *tls_ctx,
+    const struct proxy_env_var_settings *proxy_ev_settings) {
 
     /* Try to create the ECS provider. This will fail if its environment variables aren't set */
     struct aws_credentials_provider_ecs_environment_options ecs_options = {
         .shutdown_options = *shutdown_options,
         .bootstrap = bootstrap,
         .tls_ctx = tls_ctx,
+        .proxy_ev_settings = proxy_ev_settings,
     };
     struct aws_credentials_provider *ecs_provider =
         aws_credentials_provider_new_ecs_from_environment(allocator, &ecs_options);
@@ -64,6 +66,7 @@ static struct aws_credentials_provider *s_aws_credentials_provider_new_ecs_or_im
         struct aws_credentials_provider_imds_options imds_options = {
             .shutdown_options = *shutdown_options,
             .bootstrap = bootstrap,
+            .proxy_ev_settings = proxy_ev_settings,
         };
         return aws_credentials_provider_new_imds(allocator, &imds_options);
     }
@@ -301,6 +304,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
     sts_options.shutdown_options = sub_provider_shutdown_options;
     sts_options.config_profile_collection_cached = options->profile_collection_cached;
     sts_options.profile_name_override = options->profile_name_override;
+    sts_options.proxy_ev_settings = options->proxy_ev_settings;
     sts_provider = aws_credentials_provider_new_sts_web_identity(allocator, &sts_options);
     if (sts_provider != NULL) {
         providers[index++] = sts_provider;
@@ -311,7 +315,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_chain_default(
     /* Providers that will always make a network call unless explicitly disabled... */
 
     ecs_or_imds_provider = s_aws_credentials_provider_new_ecs_or_imds(
-        allocator, &sub_provider_shutdown_options, options->bootstrap, tls_ctx);
+        allocator, &sub_provider_shutdown_options, options->bootstrap, tls_ctx, options->proxy_ev_settings);
     if (ecs_or_imds_provider != NULL) {
         providers[index++] = ecs_or_imds_provider;
         /* 1 shutdown call from the imds or ecs provider's shutdown */
diff --git a/source/credentials_provider_ecs.c b/source/credentials_provider_ecs.c
@@ -799,6 +799,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_ecs(
     manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
     manager_options.shutdown_complete_user_data = provider;
     manager_options.tls_connection_options = options->tls_ctx ? &tls_connection_options : NULL;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     impl->function_table = options->function_table;
     if (impl->function_table == NULL) {
@@ -869,6 +870,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_ecs_from_environme
         .shutdown_options = options->shutdown_options,
         .bootstrap = options->bootstrap,
         .function_table = options->function_table,
+        .proxy_ev_settings = options->proxy_ev_settings,
     };
 
     struct aws_string *ecs_env_token_file_path = NULL;
diff --git a/source/credentials_provider_imds.c b/source/credentials_provider_imds.c
@@ -90,6 +90,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_imds(
                 .shutdown_callback = s_on_imds_client_shutdown,
                 .shutdown_user_data = provider,
             },
+        .proxy_ev_settings = options->proxy_ev_settings,
     };
 
     impl->client = aws_imds_client_new(allocator, &client_options);
diff --git a/source/credentials_provider_login.c b/source/credentials_provider_login.c
@@ -463,6 +463,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_login(
     http_options.function_table = options->function_table;
     http_options.endpoint = aws_byte_cursor_from_string(parameters->endpoint);
     http_options.max_connections = 2;
+    http_options.proxy_ev_settings = options->proxy_ev_settings;
 
     login_user_data->parameters = parameters;
     login_user_data->request_vtable = &s_login_request_vtable;
diff --git a/source/credentials_provider_sso.c b/source/credentials_provider_sso.c
@@ -426,6 +426,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_sso(
     http_options->function_table = options->function_table;
     http_options->endpoint = aws_byte_cursor_from_string(parameters->endpoint);
     http_options->max_connections = 2;
+    http_options->proxy_ev_settings = options->proxy_ev_settings;
 
     sso_user_data->parameters = parameters;
     sso_user_data->request_vtable = &s_sso_request_vtable;
diff --git a/source/credentials_provider_sts.c b/source/credentials_provider_sts.c
@@ -954,6 +954,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_sts(
         .socket_options = &socket_options,
         .tls_connection_options = &tls_connection_options,
         .proxy_options = options->http_proxy_options,
+        .proxy_ev_settings = options->proxy_ev_settings,
     };
 
     impl->connection_manager =
diff --git a/source/credentials_provider_sts_web_identity.c b/source/credentials_provider_sts_web_identity.c
@@ -1166,6 +1166,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_sts_web_identity(
     manager_options.shutdown_complete_callback = s_on_connection_manager_shutdown;
     manager_options.shutdown_complete_user_data = provider;
     manager_options.tls_connection_options = &tls_connection_options;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     impl->function_table = options->function_table;
     if (impl->function_table == NULL) {
diff --git a/source/credentials_provider_x509.c b/source/credentials_provider_x509.c
@@ -583,6 +583,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_x509(
     manager_options.shutdown_complete_user_data = provider;
     manager_options.tls_connection_options = &impl->tls_connection_options;
     manager_options.proxy_options = options->proxy_options;
+    manager_options.proxy_ev_settings = options->proxy_ev_settings;
 
     impl->function_table = options->function_table;
     if (impl->function_table == NULL) {
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -41,6 +41,7 @@ add_test_case(credentials_provider_imds_insecure_then_secure_success)
 add_test_case(credentials_provider_imds_success_multi_part_role_name)
 add_test_case(credentials_provider_imds_success_multi_part_doc)
 add_test_case(credentials_provider_imds_real_new_destroy)
+add_net_test_case(credentials_provider_imds_proxy_routing_enabled_test)
 
 if(AWS_BUILDING_ON_EC2)
     add_test_case(credentials_provider_imds_real_success)
@@ -58,6 +59,7 @@ add_net_test_case(credentials_provider_ecs_basic_success_uri_env)
 add_net_test_case(credentials_provider_ecs_no_auth_token_success)
 add_net_test_case(credentials_provider_ecs_success_multi_part_doc)
 add_net_test_case(credentials_provider_ecs_real_new_destroy)
+add_net_test_case(credentials_provider_ecs_proxy_routing_enabled_test)
 
 if(AWS_BUILDING_ON_ECS)
     add_test_case(credentials_provider_ecs_real_success)
@@ -70,6 +72,7 @@ add_test_case(credentials_provider_x509_bad_document_failure)
 add_test_case(credentials_provider_x509_basic_success)
 add_test_case(credentials_provider_x509_success_multi_part_doc)
 add_test_case(credentials_provider_x509_real_new_destroy)
+add_test_case(credentials_provider_x509_proxy_routing_enabled_test)
 
 add_net_test_case(credentials_provider_sts_web_identity_new_destroy_from_parameters)
 add_net_test_case(credentials_provider_sts_web_identity_new_destroy_from_env)
@@ -86,6 +89,7 @@ add_net_test_case(credentials_provider_sts_web_identity_basic_success_env)
 add_net_test_case(credentials_provider_sts_web_identity_basic_success_config)
 add_net_test_case(credentials_provider_sts_web_identity_success_multi_part_doc)
 add_net_test_case(credentials_provider_sts_web_identity_real_new_destroy)
+add_net_test_case(credentials_provider_sts_web_identity_proxy_routing_enabled_test)
 
 add_net_test_case(credentials_provider_sts_direct_config_succeeds)
 add_net_test_case(credentials_provider_sts_direct_config_with_external_id_succeeds)
@@ -108,6 +112,7 @@ add_net_test_case(credentials_provider_sts_from_profile_config_with_chain_cycle_
 add_net_test_case(credentials_provider_sts_from_profile_config_manual_tls_succeeds)
 add_net_test_case(credentials_provider_sts_from_profile_config_environment_succeeds)
 add_net_test_case(credentials_provider_sts_cache_expiration_conflict)
+add_net_test_case(credentials_provider_sts_proxy_routing_enabled_test)
 
 add_test_case(credentials_provider_process_new_destroy_from_config)
 add_test_case(credentials_provider_process_new_destroy_from_config_without_token)
@@ -130,6 +135,7 @@ add_net_test_case(credentials_provider_cognito_success_after_retry)
 add_net_test_case(credentials_provider_cognito_failure_dynamic_token_pairs)
 add_net_test_case(credentials_provider_cognito_failure_dynamic_token_pairs_completion)
 add_net_test_case(credentials_provider_cognito_success_dynamic_token_pairs)
+add_net_test_case(credentials_provider_cognito_proxy_routing_enabled_test)
 
 if(AWS_HAS_CI_ENVIRONMENT)
     add_net_test_case(credentials_provider_cognito_success_unauthenticated)
diff --git a/tests/credentials_provider_cognito_tests.c b/tests/credentials_provider_cognito_tests.c
diff --git a/tests/credentials_provider_ecs_tests.c b/tests/credentials_provider_ecs_tests.c
diff --git a/tests/credentials_provider_imds_tests.c b/tests/credentials_provider_imds_tests.c
diff --git a/tests/credentials_provider_sts_tests.c b/tests/credentials_provider_sts_tests.c
diff --git a/tests/credentials_provider_sts_web_identity_tests.c b/tests/credentials_provider_sts_web_identity_tests.c
diff --git a/tests/credentials_provider_x509_tests.c b/tests/credentials_provider_x509_tests.c
