aws
diff --git a/‎packages/credential-provider-ini/src/fromIni.integ.spec.ts‎
Lines changed: 0 additions & 160 deletions b/‎packages/credential-provider-ini/src/fromIni.integ.spec.ts‎
Lines changed: 0 additions & 160 deletions
diff --git a/‎packages/credential-provider-node/src/defaultProvider.spec.ts‎
Lines changed: 3 additions & 1 deletion b/‎packages/credential-provider-node/src/defaultProvider.spec.ts‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎packages/credential-provider-node/src/defaultProvider.ts‎
Lines changed: 18 additions & 17 deletions b/‎packages/credential-provider-node/src/defaultProvider.ts‎
Lines changed: 18 additions & 17 deletions
diff --git a/‎packages/credential-provider-node/src/runtime/memoize-chain.spec.ts‎
Lines changed: 134 additions & 0 deletions b/‎packages/credential-provider-node/src/runtime/memoize-chain.spec.ts‎
Lines changed: 134 additions & 0 deletions
@@ -306,164 +306,4 @@ describe("fromIni region search order", () => {
       sessionToken: "STS_AR_SESSION_TOKEN_us-east-1",
     });
   });
-
-  describe("logic table", () => {
-    type Parameters = {
-      // has caller context client
-      withCaller: boolean;
-      // has region specified on the caller client
-      codeRegion: boolean;
-      // AWS_REGION is set
-      envRegion: boolean;
-      // profile regions are set
-      profileRegion: boolean;
-      // provider itself has a clientConfig.region
-      providerRegion: boolean;
-      // profile name
-      profile: string | undefined;
-    };
-
-    for (const withCaller of [true, false]) {
-      for (const codeRegion of [true, false]) {
-        for (const envRegion of [true, false]) {
-          for (const profileRegion of [true, false]) {
-            for (const providerRegion of [true, false]) {
-              for (const profile of ["default", "alt", undefined]) {
-                if (!codeRegion && !profileRegion && !envRegion) {
-                  continue;
-                }
-
-                const params = {
-                  withCaller,
-                  codeRegion,
-                  envRegion,
-                  profileRegion,
-                  providerRegion,
-                  profile,
-                };
-
-                it(`should resolve region as expected with params=${JSON.stringify(params)}`, async () => {
-                  const region = await resolveStsRegion(params);
-
-                  if (providerRegion) {
-                    expect(region).toBe("provider-region");
-                    return;
-                  }
-
-                  if (profileRegion) {
-                    expect(region).toBe(`${profile ?? "default"}-profile-region`);
-                    return;
-                  }
-
-                  if (codeRegion && withCaller) {
-                    expect(region).toBe("code-region");
-                    return;
-                  }
-
-                  if (envRegion) {
-                    expect(region).toBe("env-region");
-                    return;
-                  }
-
-                  expect(region).toBe("us-east-1");
-                });
-              }
-            }
-          }
-        }
-      }
-    }
-
-    async function resolveStsRegion({
-      withCaller,
-      envRegion,
-      profile,
-      profileRegion,
-      codeRegion,
-      providerRegion,
-    }: Parameters) {
-      if (envRegion) {
-        process.env.AWS_REGION = "env-region";
-      } else {
-        delete process.env.AWS_REGION;
-      }
-
-      if (profileRegion) {
-        iniProfileData = {
-          default: {
-            region: "default-profile-region",
-            role_arn: "ROLE_ARN",
-            role_session_name: "ROLE_SESSION_NAME",
-            external_id: "EXTERNAL_ID",
-            source_profile: "assume",
-          },
-          assume: {
-            region: "assume-profile-region",
-            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-          },
-          alt: {
-            region: "alt-profile-region",
-            role_arn: "ROLE_ARN",
-            role_session_name: "ROLE_SESSION_NAME",
-            external_id: "EXTERNAL_ID",
-            source_profile: "assume2",
-          },
-          assume2: {
-            region: "assume2-profile-region",
-            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-          },
-        };
-      } else {
-        iniProfileData = {
-          default: {
-            role_arn: "ROLE_ARN",
-            role_session_name: "ROLE_SESSION_NAME",
-            external_id: "EXTERNAL_ID",
-            source_profile: "assume",
-          },
-          assume: {
-            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-          },
-          alt: {
-            role_arn: "ROLE_ARN",
-            role_session_name: "ROLE_SESSION_NAME",
-            external_id: "EXTERNAL_ID",
-            source_profile: "assume2",
-          },
-          assume2: {
-            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-          },
-        };
-      }
-      setIniProfileData(iniProfileData);
-
-      const provider = fromIni({
-        profile,
-        clientConfig: {
-          region: providerRegion ? "provider-region" : undefined,
-          requestHandler: new MockNodeHttpHandler(),
-        },
-      });
-
-      if (withCaller) {
-        const sts = new STS({
-          profile,
-          requestHandler: new MockNodeHttpHandler(),
-          region: codeRegion ? "code-region" : undefined,
-          credentials: provider,
-        });
-
-        await sts.getCallerIdentity({});
-        const credentials = await sts.config.credentials();
-        return credentials.sessionToken!.replace("STS_AR_SESSION_TOKEN_", "");
-      }
-
-      const credentials = await provider();
-      return credentials.sessionToken!.replace("STS_AR_SESSION_TOKEN_", "");
-    }
-  });
 });
@@ -26,7 +26,9 @@ describe(defaultProvider.name, () => {
   };
 
   const credentials = () => {
-    throw new CredentialsProviderError("test", true);
+    throw new CredentialsProviderError("test", {
+      tryNextLink: true,
+    });
   };
 
   const finalCredentials = () => {
 
@@ -4,12 +4,14 @@ import type { FromIniInit } from "@aws-sdk/credential-provider-ini";
 import type { FromProcessInit } from "@aws-sdk/credential-provider-process";
 import type { FromSSOInit, SsoCredentialsParameters } from "@aws-sdk/credential-provider-sso";
 import type { FromTokenFileInit } from "@aws-sdk/credential-provider-web-identity";
+import type { AwsIdentityProperties } from "@aws-sdk/types";
 import type { RemoteProviderInit } from "@smithy/credential-provider-imds";
-import { chain, CredentialsProviderError, memoize } from "@smithy/property-provider";
+import { CredentialsProviderError } from "@smithy/property-provider";
 import { ENV_PROFILE } from "@smithy/shared-ini-file-loader";
-import { AwsCredentialIdentity, MemoizedProvider } from "@smithy/types";
+import type { AwsCredentialIdentity } from "@smithy/types";
 
 import { remoteProvider } from "./remoteProvider";
+import { type MemoizedRuntimeConfigAwsCredentialIdentityProvider, memoizeChain } from "./runtime/memoize-chain";
 
 /**
  * @public
@@ -60,9 +62,9 @@ let multipleCredentialSourceWarningEmitted = false;
  * @see {@link fromContainerMetadata}   The function used to source credentials from the
  *                                      ECS Container Metadata Service.
  */
-export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvider<AwsCredentialIdentity> =>
-  memoize(
-    chain(
+export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedRuntimeConfigAwsCredentialIdentityProvider =>
+  memoizeChain(
+    [
       async () => {
         const profile = init.profile ?? process.env[ENV_PROFILE];
         if (profile) {
@@ -95,7 +97,7 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromEnv");
         return fromEnv(init)();
       },
-      async () => {
+      async (awsIdentityProperties?: AwsIdentityProperties) => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromSSO");
         const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
         if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
@@ -105,22 +107,22 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
           );
         }
         const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
-        return fromSSO(init)();
+        return fromSSO(init)(awsIdentityProperties);
       },
-      async () => {
+      async (awsIdentityProperties?: AwsIdentityProperties) => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromIni");
         const { fromIni } = await import("@aws-sdk/credential-provider-ini");
-        return fromIni(init)();
+        return fromIni(init)(awsIdentityProperties);
       },
-      async () => {
+      async (awsIdentityProperties?: AwsIdentityProperties) => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromProcess");
         const { fromProcess } = await import("@aws-sdk/credential-provider-process");
-        return fromProcess(init)();
+        return fromProcess(init)(awsIdentityProperties);
       },
-      async () => {
+      async (awsIdentityProperties?: AwsIdentityProperties) => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromTokenFile");
         const { fromTokenFile } = await import("@aws-sdk/credential-provider-web-identity");
-        return fromTokenFile(init)();
+        return fromTokenFile(init)(awsIdentityProperties);
       },
       async () => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider");
@@ -131,10 +133,9 @@ export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvide
           tryNextLink: false,
           logger: init.logger,
         });
-      }
-    ),
-    credentialsTreatedAsExpired,
-    credentialsWillNeedRefresh
+      },
+    ],
+    credentialsTreatedAsExpired
   );
 
 /**
 
@@ -0,0 +1,134 @@
+import type { AwsIdentityProperties, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types";
+import { beforeEach, describe, expect, test as it, vi } from "vitest";
+
+import { credentialsWillNeedRefresh } from "../defaultProvider";
+import { memoizeChain } from "./memoize-chain";
+
+describe("memoize runtime config aware AWS credential chain", () => {
+  let staticCredentials!: RuntimeConfigAwsCredentialIdentityProvider;
+  let expiringCredentials!: RuntimeConfigAwsCredentialIdentityProvider;
+
+  const expiration = new Date();
+
+  beforeEach(() => {
+    vi.resetAllMocks();
+    staticCredentials = vi.fn().mockImplementation(async (options?: AwsIdentityProperties) => {
+      await new Promise((r) => setTimeout(r, 100));
+      return {
+        accessKeyId: "",
+        secretAccessKey: "",
+        runtimeOptions: Object.keys(options ?? {}).concat(Object.keys(options?.callerClientConfig ?? {})),
+      };
+    });
+
+    let sequence = 0;
+
+    expiringCredentials = vi.fn().mockImplementation(async (options?: AwsIdentityProperties) => {
+      await new Promise((r) => setTimeout(r, 100));
+      return {
+        accessKeyId: "",
+        secretAccessKey: "",
+        expiration,
+        sequence: sequence++,
+        runtimeOptions: Object.keys(options ?? {}).concat(Object.keys(options?.callerClientConfig ?? {})),
+      };
+    });
+  });
+
+  it("should call composed provider functions", async () => {
+    const provider = memoizeChain([staticCredentials], credentialsWillNeedRefresh);
+
+    const credentials = await provider({
+      callerClientConfig: {
+        region: async () => "context-region",
+        profile: "alt",
+      },
+    });
+
+    expect(credentials).toEqual({
+      accessKeyId: "",
+      secretAccessKey: "",
+      runtimeOptions: ["callerClientConfig", "region", "profile"],
+    });
+    expect(staticCredentials).toHaveBeenCalledTimes(1);
+  });
+
+  it("should use an active lock when no credentials exist", async () => {
+    const provider = memoizeChain([staticCredentials], credentialsWillNeedRefresh);
+
+    const [credentials] = await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+
+    expect(credentials).toEqual({
+      accessKeyId: "",
+      secretAccessKey: "",
+      runtimeOptions: [],
+    });
+    expect(staticCredentials).toHaveBeenCalledTimes(1);
+  });
+
+  it("should use a cache", async () => {
+    const provider = memoizeChain([staticCredentials], credentialsWillNeedRefresh);
+
+    await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+    const [credentials] = await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+
+    expect(credentials).toEqual({
+      accessKeyId: "",
+      secretAccessKey: "",
+      runtimeOptions: [],
+    });
+    expect(staticCredentials).toHaveBeenCalledTimes(1);
+  });
+
+  it("should use a passive lock when credentials do exist", async () => {
+    const provider = memoizeChain([expiringCredentials], credentialsWillNeedRefresh);
+
+    {
+      // initial invocation returns sequence-0 credentials.
+      const credentials = await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+      for (const c of credentials) {
+        expect(c).toEqual({
+          accessKeyId: "",
+          secretAccessKey: "",
+          expiration,
+          sequence: 0,
+          runtimeOptions: [],
+        });
+      }
+      expect(expiringCredentials).toHaveBeenCalledTimes(1);
+    }
+
+    {
+      // second invocation returns sequence-0 credentials, but background initializes refresh.
+      const credentials = await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+      for (const c of credentials) {
+        expect(c).toEqual({
+          accessKeyId: "",
+          secretAccessKey: "",
+          expiration,
+          sequence: 0,
+          runtimeOptions: [],
+        });
+      }
+      expect(expiringCredentials).toHaveBeenCalledTimes(2);
+    }
+
+    // allow new credentials to settle
+    await new Promise((r) => setTimeout(r, 200));
+
+    {
+      // third invocation group returns sequence-1 credentials, also with background refresh.
+      const credentials = await Promise.all([provider(), provider(), provider(), provider(), provider()]);
+      for (const c of credentials) {
+        expect(c).toEqual({
+          accessKeyId: "",
+          secretAccessKey: "",
+          expiration,
+          sequence: 1,
+          runtimeOptions: [],
+        });
+      }
+      expect(expiringCredentials).toHaveBeenCalledTimes(3);
+    }
+  });
+});