fix(credentials-provider-ini): include general http provider when sourcing EcsContainer credentials

[kuhe]

Issue

investigating https://github.com/smithy-lang/smithy-typescript/pull/1288

this PR requires that https://github.com/smithy-lang/smithy-typescript/pull/1290 be published. It is using new APIs from that PR.

Description

Fixes:

• When resolving EcsContainer as source in the ini provider, include also fromHttp next to fromContainerMetadata.
• When resolving credentials in ini-provider using an assume role "source_profile", do not require the source_profile to declare a role_arn. The role_arn should be declared by the origin profile.
• improve logging information for the credential chain process

Explanation from smithy-ts#1288:

• CredentialsProviderError: 169.254.170.23 is not a valid container metadata service hostname this is the superficial error, which makes it look like we need to add more hosts to the hardcoded allowlist within packages/credential-provider-imds/src/fromContainerMetadata.ts

  • however, this is misleading, since the default credential provider chain in AWS SDKs for Node.js has many steps, and only reports the final terminal exception. There are actually many thrown & caught exceptions along the way as each credential provider within the chain is attempted.
  • as a fix, we will improve the logging of the AWS SDK's node default credential chain, https://github.com/smithy-lang/smithy-typescript/pull/1290 & downstream in aws-sdk-js-v3 PR 6132.

• the real root cause has two parts

  1. the @aws-sdk/credential-provider-ini pkg, which is part of the default chain and is responsible for file-configured assumeRole credential resolution, does not route to the newer fromHttp provider, only the older fromContainerMetadata provider. The fix PR will add this.
  2. the same package, when merging a source_profile, expects the source_profile to also have a role_arn. This is a separate bug, and I believe this isn't consistent with our docs at https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html. It is not the source profile that should have a role_arn, it is the root profile.

Testing

• [x] add to credential chain integration test

[github-actions[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.