Fix ProfileFileCredentialsProvider not propogating fips/dualstack to STS (#4629)

## Motivation and Context
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here -->
Closes #4614

## Description
<!--- Describe your changes in detail -->
`ProviderConfig::client_config()` builds the `SdkConfig` used by the
internal STS client by reading
ProviderConfig::use_fips()/use_dual_stack(), which are only populated
through explicit setters (`with_use_fips` / `with_use_dual_stack`).
Those setters are invoked by `ConfigLoader::load` (via
`use_fips_provider` / `use_dual_stack_provider`) but not when a user
builds `ProfileFileCredentialsProvider` directly. As a result, the STS
client in `AssumeRoleProvider::credentials()` received `use_fips =
false` / `use_dual_stack = false`.

In `ChainProvider::provide_credentials`, resolve `use_fips` and
`use_dual_stack` from the profile (via the existing `use_fips_provider`
/`use_dual_stack_provider` helpers, which handle env-then-profile
precedence) before constructing the STS `SdkConfig`, but only when they
haven't been set explicitly on `ProviderConfig` This mirrors the exact
pattern used in `ConfigLoader::load` and in the test harness.

## Testing
<!--- Please describe in detail how you tested your changes -->
<!--- Include details of your testing environment, and the tests you ran
to -->
<!--- see how your change affects other areas of the code, etc. -->
Added new unit test to cover this

## Checklist
<!--- If a checkbox below is not applicable, then please DELETE it
rather than leaving it unchecked -->
- [x] For changes to the smithy-rs codegen or runtime crates, I have
created a changelog entry Markdown file in the `.changelog` directory,
specifying "client," "server," or both in the `applies_to` key.
- [x] For changes to the AWS SDK, generated SDK code, or SDK runtime
crates, I have created a changelog entry Markdown file in the
`.changelog` directory, specifying "aws-sdk-rust" in the `applies_to`
key.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

Author: landonxjames

.changelog/profile-fips-sts.md

@@ -0,0 +1,14 @@
+---
+applies_to:
+- aws-sdk-rust
+- client
+authors:
+- lnj
+references:
+- smithy-rs#4614
+breaking: false
+new_feature: false
+bug_fix: true
+---
+
+Fix `ProfileFileCredentialsProvider` so that profile-level `use_fips_endpoint` and `use_dualstack_endpoint` settings are propagated to the internal STS client used during assume-role credential chaining. Previously these settings were only applied when the provider was built through `aws_config::ConfigLoader::load`, so users constructing `ProfileFileCredentialsProvider` directly via its builder would see STS requests go to non-FIPS / non-dual-stack endpoints even when the selected profile enabled them.

aws/rust-runtime/aws-config/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "aws-config"
-version = "1.8.16"
+version = "1.8.17"
 authors = [
     "AWS Rust SDK Team <aws-sdk-rust@amazon.com>",
     "Russell Cohen <rcoh@amazon.com>",

aws/rust-runtime/aws-config/Cargo.toml

@@ -552,7 +552,26 @@ impl ChainProvider {
 
             // we want to create `SdkConfig` _after_ we have resolved the profile or else
             // we won't get things like `service_config()` set appropriately.
-            let sdk_config = config.provider_config.client_config();
+            //
+            // Resolve FIPS/dual-stack from the profile if they weren't set explicitly on the
+            // `ProviderConfig` (e.g. when `ProfileFileCredentialsProvider` is constructed
+            // directly via its builder, bypassing `ConfigLoader::load`).
+            let mut sdk_config_builder = config.provider_config.client_config().into_builder();
+            if config.provider_config.use_fips().is_none() {
+                sdk_config_builder.set_use_fips(
+                    crate::default_provider::use_fips::use_fips_provider(&config.provider_config)
+                        .await,
+                );
+            }
+            if config.provider_config.use_dual_stack().is_none() {
+                sdk_config_builder.set_use_dual_stack(
+                    crate::default_provider::use_dual_stack::use_dual_stack_provider(
+                        &config.provider_config,
+                    )
+                    .await,
+                );
+            }
+            let sdk_config = sdk_config_builder.build();
             for provider in chain.chain().iter() {
                 let next_creds = provider
                     .credentials(creds, &sdk_config)
@@ -633,6 +652,67 @@ mod test {
     make_test!(assume_role_override_service_env_url);
     make_test!(assume_role_override_global_profile_url);
     make_test!(assume_role_override_service_profile_url);
+
+    /// Regression test for https://github.com/smithy-lang/smithy-rs/issues/4614:
+    /// when building `ProfileFileCredentialsProvider` directly via its builder (bypassing
+    /// `ConfigLoader::load`), the profile's `use_fips_endpoint` and `use_dualstack_endpoint`
+    /// settings must still propagate to the internal STS client used for assume-role.
+    #[tokio::test]
+    async fn profile_use_fips_endpoint_propagates_to_sts_client() {
+        #[allow(deprecated)]
+        use crate::profile::profile_file::{ProfileFileKind, ProfileFiles};
+        use crate::provider_config::ProviderConfig;
+        use aws_smithy_http_client::test_util::capture_request;
+        use aws_smithy_types::body::SdkBody;
+        use aws_types::os_shim_internal::Env;
+        use aws_types::region::Region;
+
+        let (http_client, rx) = capture_request(Some(
+            http::Response::builder()
+                .status(200)
+                .body(SdkBody::from(
+                    r#"<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+                        <AssumeRoleResult>
+                          <Credentials>
+                            <AccessKeyId>ASIAFAKEKEY</AccessKeyId>
+                            <SecretAccessKey>fakesecret</SecretAccessKey>
+                            <SessionToken>fakesession</SessionToken>
+                            <Expiration>2099-01-01T00:00:00Z</Expiration>
+                          </Credentials>
+                        </AssumeRoleResult>
+                       </AssumeRoleResponse>"#,
+                ))
+                .unwrap(),
+        ));
+
+        let provider_config = ProviderConfig::empty()
+            .with_env(Env::from_slice(&[]))
+            .with_region(Some(Region::new("us-east-1")))
+            .with_http_client(http_client);
+
+        #[allow(deprecated)]
+        let profile_files = ProfileFiles::builder()
+            .with_contents(
+                ProfileFileKind::Config,
+                "[profile fips-test]\nuse_fips_endpoint = true\nuse_dualstack_endpoint = true\nregion = us-east-1\nrole_arn = arn:aws:iam::123456789012:role/FakeTestRole\nsource_profile = source\n\n[profile source]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = secret\n",
+            )
+            .build();
+
+        let provider = Builder::default()
+            .configure(&provider_config)
+            .profile_files(profile_files)
+            .profile_name("fips-test")
+            .build();
+
+        let _ = provider.provide_credentials().await;
+        let request = rx.expect_request();
+        let uri = request.uri().to_string();
+        // FIPS + dual-stack STS endpoint has the form `sts-fips.<region>.api.aws`.
+        assert!(
+            uri.contains("sts-fips.us-east-1.api.aws"),
+            "expected STS FIPS + dual-stack endpoint, got: {uri}"
+        );
+    }
 }
 
 #[cfg(all(test, feature = "sso"))]

aws/rust-runtime/aws-config/src/profile/credentials.rs

@@ -42,7 +42,7 @@ http-body-1-0 = { package = "http-body", version = "1.0.1", optional = true }
 http-body-util = { version = "0.1.3", optional = true }
 hyper-0-14 = { package = "hyper", version = "0.14.26", optional = true }
 itoa = "1.0.17"
-num-integer = "0.1.44"
+num-integer = "0.1.46"
 pin-project-lite = "0.2.14"
 pin-utils = "0.1.0"
 ryu = "1.0.22"