smithy-lang
diff --git a/‎CHANGELOG.next.toml
Lines changed: 6 additions & 0 deletions b/‎CHANGELOG.next.toml
Lines changed: 6 additions & 0 deletions
diff --git a/‎aws/rust-runtime/aws-config/src/default_provider/credentials.rs
Lines changed: 8 additions & 5 deletions b/‎aws/rust-runtime/aws-config/src/default_provider/credentials.rs
Lines changed: 8 additions & 5 deletions
diff --git a/‎aws/rust-runtime/aws-config/src/lib.rs
Lines changed: 71 additions & 19 deletions b/‎aws/rust-runtime/aws-config/src/lib.rs
Lines changed: 71 additions & 19 deletions
diff --git a/‎aws/rust-runtime/aws-config/src/sts.rs
Lines changed: 1 addition & 3 deletions b/‎aws/rust-runtime/aws-config/src/sts.rs
Lines changed: 1 addition & 3 deletions
diff --git a/‎aws/rust-runtime/aws-http/src/user_agent.rs
Lines changed: 9 additions & 0 deletions b/‎aws/rust-runtime/aws-http/src/user_agent.rs
Lines changed: 9 additions & 0 deletions
diff --git a/‎aws/rust-runtime/aws-inlineable/src/apigateway_interceptors.rs
Lines changed: 3 additions & 3 deletions b/‎aws/rust-runtime/aws-inlineable/src/apigateway_interceptors.rs
Lines changed: 3 additions & 3 deletions
diff --git a/‎aws/rust-runtime/aws-inlineable/src/glacier_interceptors.rs
Lines changed: 11 additions & 9 deletions b/‎aws/rust-runtime/aws-inlineable/src/glacier_interceptors.rs
Lines changed: 11 additions & 9 deletions
diff --git a/‎aws/rust-runtime/aws-inlineable/src/http_request_checksum.rs
Lines changed: 6 additions & 9 deletions b/‎aws/rust-runtime/aws-inlineable/src/http_request_checksum.rs
Lines changed: 6 additions & 9 deletions
diff --git a/‎aws/rust-runtime/aws-inlineable/src/http_response_checksum.rs
Lines changed: 4 additions & 4 deletions b/‎aws/rust-runtime/aws-inlineable/src/http_response_checksum.rs
Lines changed: 4 additions & 4 deletions
@@ -11,6 +11,12 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+ [[aws-sdk-rust]]
+ message = "Automatically exclude X-Ray trace ID headers and authorization headers from SigV4 canonical request calculations."
+ references = ["smithy-rs#2815"]
+ meta = { "breaking" = false, "tada" = false, "bug" = true }
+ author = "relevantsam"
+
  [[aws-sdk-rust]]
  message = "Add accessors to Builders"
  references = ["smithy-rs#2791"]
 
@@ -250,11 +250,14 @@ mod test {
                 .await
                 .unwrap()
                 .with_provider_config($provider_config_builder)
-                .$func(|conf| async {
-                    crate::default_provider::credentials::Builder::default()
-                        .configure(conf)
-                        .build()
-                        .await
+                .$func(|conf| {
+                    let conf = conf.clone();
+                    async move {
+                        crate::default_provider::credentials::Builder::default()
+                            .configure(conf)
+                            .build()
+                            .await
+                    }
                 })
                 .await
             }
 
@@ -171,6 +171,17 @@ mod loader {
     use crate::profile::profile_file::ProfileFiles;
     use crate::provider_config::ProviderConfig;
 
+    #[derive(Default, Debug)]
+    enum CredentialsProviderOption {
+        /// No provider was set by the user. We can set up the default credentials provider chain.
+        #[default]
+        NotSet,
+        /// The credentials provider was explicitly unset. Do not set up a default chain.
+        ExplicitlyUnset,
+        /// Use the given credentials provider.
+        Set(SharedCredentialsProvider),
+    }
+
     /// Load a cross-service [`SdkConfig`](aws_types::SdkConfig) from the environment
     ///
     /// This builder supports overriding individual components of the generated config. Overriding a component
@@ -181,7 +192,7 @@ mod loader {
     pub struct ConfigLoader {
         app_name: Option<AppName>,
         credentials_cache: Option<CredentialsCache>,
-        credentials_provider: Option<SharedCredentialsProvider>,
+        credentials_provider: CredentialsProviderOption,
         endpoint_url: Option<String>,
         region: Option<Box<dyn ProvideRegion>>,
         retry_config: Option<RetryConfig>,
@@ -348,7 +359,33 @@ mod loader {
             mut self,
             credentials_provider: impl ProvideCredentials + 'static,
         ) -> Self {
-            self.credentials_provider = Some(SharedCredentialsProvider::new(credentials_provider));
+            self.credentials_provider = CredentialsProviderOption::Set(
+                SharedCredentialsProvider::new(credentials_provider),
+            );
+            self
+        }
+
+        // TODO(enableNewSmithyRuntimeLaunch): Remove the doc hidden from this function
+        #[doc(hidden)]
+        /// Don't use credentials to sign requests.
+        ///
+        /// Turning off signing with credentials is necessary in some cases, such as using
+        /// anonymous auth for S3, calling operations in STS that don't require a signature,
+        /// or using token-based auth.
+        ///
+        /// # Examples
+        ///
+        /// Turn off credentials in order to call a service without signing:
+        /// ```no_run
+        /// # async fn create_config() {
+        /// let config = aws_config::from_env()
+        ///     .no_credentials()
+        ///     .load()
+        ///     .await;
+        /// # }
+        /// ```
+        pub fn no_credentials(mut self) -> Self {
+            self.credentials_provider = CredentialsProviderOption::ExplicitlyUnset;
             self
         }
 
@@ -570,13 +607,28 @@ mod loader {
                 .http_connector
                 .unwrap_or_else(|| HttpConnector::ConnectorFn(Arc::new(default_connector)));
 
-            let credentials_cache = self.credentials_cache.unwrap_or_else(|| {
-                let mut builder = CredentialsCache::lazy_builder().time_source(
-                    aws_credential_types::time_source::TimeSource::shared(conf.time_source()),
-                );
-                builder.set_sleep(conf.sleep());
-                builder.into_credentials_cache()
-            });
+            let credentials_provider = match self.credentials_provider {
+                CredentialsProviderOption::Set(provider) => Some(provider),
+                CredentialsProviderOption::NotSet => {
+                    let mut builder =
+                        credentials::DefaultCredentialsChain::builder().configure(conf.clone());
+                    builder.set_region(region.clone());
+                    Some(SharedCredentialsProvider::new(builder.build().await))
+                }
+                CredentialsProviderOption::ExplicitlyUnset => None,
+            };
+
+            let credentials_cache = if credentials_provider.is_some() {
+                Some(self.credentials_cache.unwrap_or_else(|| {
+                    let mut builder = CredentialsCache::lazy_builder().time_source(
+                        aws_credential_types::time_source::TimeSource::shared(conf.time_source()),
+                    );
+                    builder.set_sleep(conf.sleep());
+                    builder.into_credentials_cache()
+                }))
+            } else {
+                None
+            };
 
             let use_fips = if let Some(use_fips) = self.use_fips {
                 Some(use_fips)
@@ -590,26 +642,18 @@ mod loader {
                 use_dual_stack_provider(&conf).await
             };
 
-            let credentials_provider = if let Some(provider) = self.credentials_provider {
-                provider
-            } else {
-                let mut builder = credentials::DefaultCredentialsChain::builder().configure(conf);
-                builder.set_region(region.clone());
-                SharedCredentialsProvider::new(builder.build().await)
-            };
-
             let ts = self.time_source.unwrap_or_default();
 
             let mut builder = SdkConfig::builder()
                 .region(region)
                 .retry_config(retry_config)
                 .timeout_config(timeout_config)
-                .credentials_cache(credentials_cache)
-                .credentials_provider(credentials_provider)
                 .time_source(ts)
                 .http_connector(http_connector);
 
             builder.set_app_name(app_name);
+            builder.set_credentials_cache(credentials_cache);
+            builder.set_credentials_provider(credentials_provider);
             builder.set_sleep_impl(sleep_impl);
             builder.set_endpoint_url(self.endpoint_url);
             builder.set_use_fips(use_fips);
@@ -719,5 +763,13 @@ mod loader {
             let conf = base_conf().app_name(app_name.clone()).load().await;
             assert_eq!(Some(&app_name), conf.app_name());
         }
+
+        #[cfg(aws_sdk_orchestrator_mode)]
+        #[tokio::test]
+        async fn disable_default_credentials() {
+            let config = from_env().no_credentials().load().await;
+            assert!(config.credentials_cache().is_none());
+            assert!(config.credentials_provider().is_none());
+        }
     }
 }
@@ -12,7 +12,6 @@ pub use assume_role::{AssumeRoleProvider, AssumeRoleProviderBuilder};
 mod assume_role;
 
 use crate::connector::expect_connector;
-use aws_credential_types::cache::CredentialsCache;
 use aws_sdk_sts::config::Builder as StsConfigBuilder;
 use aws_smithy_types::retry::RetryConfig;
 
@@ -22,8 +21,7 @@ impl crate::provider_config::ProviderConfig {
             .http_connector(expect_connector(self.connector(&Default::default())))
             .retry_config(RetryConfig::standard())
             .region(self.region())
-            .time_source(self.time_source())
-            .credentials_cache(CredentialsCache::no_caching());
+            .time_source(self.time_source());
         builder.set_sleep_impl(self.sleep());
         builder
     }
 
@@ -5,6 +5,7 @@
 
 use aws_smithy_http::middleware::MapRequest;
 use aws_smithy_http::operation::Request;
+use aws_smithy_types::config_bag::{Storable, StoreReplace};
 use aws_types::app_name::AppName;
 use aws_types::build_metadata::{OsFamily, BUILD_METADATA};
 use aws_types::os_shim_internal::Env;
@@ -211,6 +212,10 @@ impl AwsUserAgent {
     }
 }
 
+impl Storable for AwsUserAgent {
+    type Storer = StoreReplace<Self>;
+}
+
 #[derive(Clone, Copy, Debug)]
 struct SdkMetadata {
     name: &'static str,
@@ -246,6 +251,10 @@ impl fmt::Display for ApiMetadata {
     }
 }
 
+impl Storable for ApiMetadata {
+    type Storer = StoreReplace<Self>;
+}
+
 /// Error for when an user agent metadata doesn't meet character requirements.
 ///
 /// Metadata may only have alphanumeric characters and any of these characters:
 
@@ -5,9 +5,9 @@
 
 #![allow(dead_code)]
 
-use aws_smithy_runtime_api::client::interceptors::{
-    BeforeTransmitInterceptorContextMut, BoxError, Interceptor,
-};
+use aws_smithy_runtime_api::box_error::BoxError;
+use aws_smithy_runtime_api::client::interceptors::context::BeforeTransmitInterceptorContextMut;
+use aws_smithy_runtime_api::client::interceptors::Interceptor;
 use aws_smithy_types::config_bag::ConfigBag;
 use http::header::ACCEPT;
 use http::HeaderValue;
 
@@ -10,11 +10,13 @@ use aws_runtime::auth::sigv4::SigV4OperationSigningConfig;
 use aws_sigv4::http_request::SignableBody;
 use aws_smithy_http::body::SdkBody;
 use aws_smithy_http::byte_stream;
-use aws_smithy_runtime_api::client::interceptors::{
-    BeforeSerializationInterceptorContextMut, BeforeTransmitInterceptorContextMut, BoxError,
-    Interceptor,
+use aws_smithy_runtime_api::box_error::BoxError;
+use aws_smithy_runtime_api::client::config_bag_accessors::ConfigBagAccessors;
+use aws_smithy_runtime_api::client::interceptors::context::{
+    BeforeSerializationInterceptorContextMut, BeforeTransmitInterceptorContextMut,
 };
-use aws_smithy_runtime_api::client::orchestrator::{ConfigBagAccessors, LoadedRequestBody};
+use aws_smithy_runtime_api::client::interceptors::Interceptor;
+use aws_smithy_runtime_api::client::orchestrator::LoadedRequestBody;
 use aws_smithy_types::config_bag::ConfigBag;
 use bytes::Bytes;
 use http::header::{HeaderName, HeaderValue};
@@ -129,18 +131,18 @@ impl Interceptor for GlacierTreeHashHeaderInterceptor {
         context: &mut BeforeTransmitInterceptorContextMut<'_>,
         cfg: &mut ConfigBag,
     ) -> Result<(), BoxError> {
-        let maybe_loaded_body = cfg.get::<LoadedRequestBody>();
+        let maybe_loaded_body = cfg.load::<LoadedRequestBody>();
         if let Some(LoadedRequestBody::Loaded(body)) = maybe_loaded_body {
             let content_sha256 = add_checksum_treehash(context.request_mut(), body)?;
 
             // Override the signing payload with this precomputed hash
             let mut signing_config = cfg
-                .get::<SigV4OperationSigningConfig>()
+                .load::<SigV4OperationSigningConfig>()
                 .ok_or("SigV4OperationSigningConfig not found")?
                 .clone();
             signing_config.signing_options.payload_override =
                 Some(SignableBody::Precomputed(content_sha256));
-            cfg.interceptor_state().put(signing_config);
+            cfg.interceptor_state().store_put(signing_config);
         } else {
             return Err(
                 "the request body wasn't loaded into memory before the retry loop, \
@@ -234,7 +236,7 @@ fn compute_hash_tree(mut hashes: Vec<Digest>) -> Digest {
 #[cfg(test)]
 mod account_id_autofill_tests {
     use super::*;
-    use aws_smithy_runtime_api::client::interceptors::InterceptorContext;
+    use aws_smithy_runtime_api::client::interceptors::context::InterceptorContext;
     use aws_smithy_types::type_erasure::TypedBox;
 
     #[test]
@@ -273,7 +275,7 @@ mod account_id_autofill_tests {
 #[cfg(test)]
 mod api_version_tests {
     use super::*;
-    use aws_smithy_runtime_api::client::interceptors::InterceptorContext;
+    use aws_smithy_runtime_api::client::interceptors::context::InterceptorContext;
     use aws_smithy_types::type_erasure::TypedBox;
 
     #[test]
 
@@ -14,11 +14,11 @@ use aws_smithy_checksums::ChecksumAlgorithm;
 use aws_smithy_checksums::{body::calculate, http::HttpChecksum};
 use aws_smithy_http::body::{BoxBody, SdkBody};
 use aws_smithy_http::operation::error::BuildError;
-use aws_smithy_runtime_api::client::interceptors::context::Input;
-use aws_smithy_runtime_api::client::interceptors::{
-    BeforeSerializationInterceptorContextRef, BeforeTransmitInterceptorContextMut, BoxError,
-    Interceptor,
+use aws_smithy_runtime_api::box_error::BoxError;
+use aws_smithy_runtime_api::client::interceptors::context::{
+    BeforeSerializationInterceptorContextRef, BeforeTransmitInterceptorContextMut, Input,
 };
+use aws_smithy_runtime_api::client::interceptors::Interceptor;
 use aws_smithy_types::config_bag::{ConfigBag, Layer, Storable, StoreReplace};
 use http::HeaderValue;
 use http_body::Body;
@@ -132,13 +132,10 @@ fn add_checksum_for_request_body(
         // Body is streaming: wrap the body so it will emit a checksum as a trailer.
         None => {
             tracing::debug!("applying {checksum_algorithm:?} of the request body as a trailer");
-            if let Some(mut signing_config) = cfg.get::<SigV4OperationSigningConfig>().cloned() {
+            if let Some(mut signing_config) = cfg.load::<SigV4OperationSigningConfig>().cloned() {
                 signing_config.signing_options.payload_override =
                     Some(SignableBody::StreamingUnsignedPayloadTrailer);
-
-                let mut layer = Layer::new("http_body_checksum_sigv4_payload_override");
-                layer.put(signing_config);
-                cfg.push_layer(layer);
+                cfg.interceptor_state().store_put(signing_config);
             }
             wrap_streaming_request_body_in_checksum_calculating_body(request, checksum_algorithm)?;
         }
 
@@ -9,11 +9,11 @@
 
 use aws_smithy_checksums::ChecksumAlgorithm;
 use aws_smithy_http::body::{BoxBody, SdkBody};
-use aws_smithy_runtime_api::client::interceptors::context::Input;
-use aws_smithy_runtime_api::client::interceptors::{
-    BeforeDeserializationInterceptorContextMut, BeforeSerializationInterceptorContextRef, BoxError,
-    Interceptor,
+use aws_smithy_runtime_api::box_error::BoxError;
+use aws_smithy_runtime_api::client::interceptors::context::{
+    BeforeDeserializationInterceptorContextMut, BeforeSerializationInterceptorContextRef, Input,
 };
+use aws_smithy_runtime_api::client::interceptors::Interceptor;
 use aws_smithy_types::config_bag::{ConfigBag, Layer, Storable, StoreReplace};
 use http::HeaderValue;
 use std::{fmt, mem};