Add AWS Process Credential Resolver

[jonathan343]

Important

This PR adds a standalone AWS process credential resolver. We do not currently support reading from the shared AWS config file. However, this will unblock anyone from using a process based credential provider.

Overview

This PR adds an AWS process-based credentials resolver to smithy-aws-core so credential providers can source credentials from an external command, while handling the common failure modes and caching behavior expected for both long-lived and temporary credentials.

Summary

• Introduces ProcessCredentialsResolver and ProcessCredentialsConfig in the AWS identity package and exports them as part of the public identity surface.
• Executes a configured credential process asynchronously, validates the returned JSON payload, and converts it into an AWSCredentialsIdentity.
• Handles operational edge cases around process startup failures, timeouts, non-zero exits, unsupported response versions, and missing required credential fields.
• Reuses cached credentials when they are still valid and refreshes them when temporary credentials have expired.
• Improves command handling so callers can provide either explicit argument lists or a shell-style command string.

Testing

• Adds unit coverage for successful credential loading, optional fields, validation failures, timeout and startup error handling, chained-resolver fallback behavior, credential caching/refresh, and multi-argument command parsing.

Note

This was tested with internal AWS process tools for sourcing credentials. TODO: Test with popular external tools.

import asyncio

from aws_sdk_bedrock_runtime.client import BedrockRuntimeClient
from aws_sdk_bedrock_runtime.config import Config
from aws_sdk_bedrock_runtime.models import (
    ContentBlockText,
    ConverseInput,
    Message,
)
from smithy_aws_core.identity import ProcessCredentialsResolver


async def main():
    client = BedrockRuntimeClient(
        config=Config(
            region="us-west-2",
            aws_credentials_identity_resolver=ProcessCredentialsResolver(
                command=["<insert command here>"]
            ),
        )
    )
    input_message = Message(
        role="user", content=[ContentBlockText(value="What is boto3?")]
    )
    response = await client.converse(
        ConverseInput(
            model_id="global.amazon.nova-2-lite-v1:0", messages=[input_message]
        )
    )

    output_message = response.output
    print(output_message)


asyncio.run(main())

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[SamRemis]

The PR description says we will accept a command string:

Improves command handling so callers can provide either explicit argument lists or a shell-style command string.

Looking at the commit history, it looks like you intentionally removed this capability. I'm alright with this; we can always add support later. What was the reason for the revert?

[SamRemis]

Should we include the returncode in the exception message in case it is useful in debugging?

[SamRemis]

Second comment here - we are assuming that this will always be parse-able as valid UTF-8.

While any other response encoding would be considered malformed output, a user would see a UnicodeDecodeError instead of the SmithyIdentityError. We should be guarding against other encodings or binary garbage being returned by the unknown process.

[SamRemis]

High level: I'm starting to get a little concerned with all of the things we are missing since we don't have support for them yet and how we will track them. In this case, it's feature id tracking and adding this to the default chain (which will need to look in the config file).

Should we add some TODOs here?

[SamRemis]

[Non-blocking]

JSONDecodeError contains the json document being parsed. The string representation of this generally does not contain the JSON document, but any downstream error parser may wind up leaking any secrets that may have been contained in this json error.

The alternative here is to not raise this error using from e, but just raise it alone.

Since this scenario seems far-fetched, and SDK users should not be sharing raw error info with untrusted users, I'd say this approach is sufficiently secure and helpful for users looking to debug their credentials process. Just wanted to flag the potential concern, but I'm not requesting changes.

[SamRemis]

Suggested change

	if version is None or version != 1:
	if version != 1:

Nit: the None check is redundant here since None != 1 returns True.

[SamRemis]

Did you mean to add more test cases here, like a tuple or a space separated string?

I'm not sure why you chose to have a generic name with pymark.test.parametrize, but only one test case

[SamRemis]

Nit: we could make a test class and just have this annotation once (or a few times as it makes sense to separate out the classes) instead of 19 times

[SamRemis]

How is this different than test_valid_credentials_with_session_token?

[SamRemis]

Same as above, this is similar to test_valid_credentials_without_session_token

[SamRemis]

Couldn't this be renamed to test_credentials_with_optional_fields and consolidated with test_credentials_with_account_id and also add session token in here?

[SamRemis]

We are mocking process.communicate, but this error gets raised during wait_for.

Can we get this updated to reflect the expected code path for this error?

[SamRemis]

Can we add a negative test case for invalid string expirations and another for non-string expirations?

[SamRemis]

Nit: Should we parametrize this and the next test? Either way is fine, it's just duplicated code.

[SamRemis]

What does this look like when we have an invalid string (for instance foo)?

That will raise ValueError: Invalid isoformat string, so maybe we need another try/except here.

[SamRemis]

Can we add an assertion that "Process error message" is in the error value?