From fea7e048a69b5c282b9b7e58eb6ae455ab2ebe64 Mon Sep 17 00:00:00 2001
From: sbiscigl
Date: Tue, 2 Dec 2025 16:04:01 -0500
Subject: [PATCH] fix dynamo default crednetials provider chain
---
 .../source/DynamoDBClient.cpp | 22 +++--
 .../auth/built-in/BearerTokenAuthScheme.h | 8 ++
 .../identity/auth/built-in/NoAuthScheme.h | 9 ++
 .../identity/auth/built-in/SigV4AuthScheme.h | 6 ++
 .../identity/auth/built-in/SigV4aAuthScheme.h | 9 ++
 .../DefaultAwsCredentialIdentityResolver.h | 98 +++++++++----------
 .../cpp/smithy/SmithyClientSourceInit.vm | 10 +-
 7 files changed, 95 insertions(+), 67 deletions(-)
diff --git a/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp b/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp
index 1dce2d7dc4b..65eb589ab2c 100644
--- a/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp
+++ b/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp
@@ -101,15 +101,16 @@ const char* DynamoDBClient::GetAllocationTag() { return ALLOCATION_TAG; } DynamoDBClient::DynamoDBClient(const DynamoDB::DynamoDBClientConfiguration& clientConfiguration, std::shared_ptr endpointProvider) - : AwsSmithyClientT(clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration), - Aws::MakeShared(ALLOCATION_TAG), - endpointProvider ? endpointProvider : Aws::MakeShared(ALLOCATION_TAG), - Aws::MakeShared>( - ALLOCATION_TAG, Aws::Vector({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})), - { - {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId, - smithy::SigV4AuthScheme{GetServiceName(), clientConfiguration.region}}, - }) {} + : AwsSmithyClientT( + clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration), + Aws::MakeShared(ALLOCATION_TAG), + endpointProvider ? endpointProvider : Aws::MakeShared(ALLOCATION_TAG), + Aws::MakeShared>( + ALLOCATION_TAG, Aws::Vector({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})), + { + {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId, + smithy::SigV4AuthScheme{GetServiceName(), clientConfiguration.region, clientConfiguration.credentialProviderConfig}}, + }) {} DynamoDBClient::DynamoDBClient(const AWSCredentials& credentials, std::shared_ptr endpointProvider, const DynamoDB::DynamoDBClientConfiguration& clientConfiguration) @@ -148,7 +149,8 @@ DynamoDBClient::DynamoDBClient(const Client::ClientConfiguration& clientConfigur ALLOCATION_TAG, Aws::Vector({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})), { {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId, - smithy::SigV4AuthScheme{Aws::MakeShared(ALLOCATION_TAG), + smithy::SigV4AuthScheme{Aws::MakeShared( + ALLOCATION_TAG, clientConfiguration.credentialProviderConfig), GetServiceName(), clientConfiguration.region}}, }) {} 
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h index 38800b01190..f1eac437cb7 100644 --- a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h +++ b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h @@ -33,6 +33,14 @@ class BearerTokenAuthScheme : public AuthScheme assert(m_signer); } + explicit BearerTokenAuthScheme(const Aws::String &serviceName, const Aws::String ®ion, + const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) + : BearerTokenAuthScheme(Aws::MakeShared("BearerTokenAuthScheme"), serviceName, region) { + AWS_UNREFERENCED_PARAM(config); + assert(m_identityResolver); + assert(m_signer); + } + explicit BearerTokenAuthScheme(const Aws::String &serviceName, const Aws::String ®ion) : BearerTokenAuthScheme( diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/NoAuthScheme.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/NoAuthScheme.h index 18d6f38389a..15c380e450c 100644 --- a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/NoAuthScheme.h +++ b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/NoAuthScheme.h @@ -51,6 +51,15 @@ namespace smithy { assert(m_identityResolver); } + explicit NoAuthScheme(const Aws::String& serviceName, const Aws::String& region, + const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) + : NoAuthScheme(nullptr, serviceName, region) + { + AWS_UNREFERENCED_PARAM(config); + assert(m_signer); + assert(m_identityResolver); + } + //legacy constructors explicit NoAuthScheme(std::shared_ptr identityResolver, const Aws::String& serviceName, const Aws::String& region, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy policy, bool urlEscape) : AuthScheme(NOAUTH), 
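Review bot: The added `BearerTokenAuthScheme(serviceName, region, config)` overload accepts a credential-provider configuration and then discards it with `AWS_UNREFERENCED_PARAM(config)`, and nothing tells a caller that the setting has no effect on bearer-token resolution. A comment above the constructor would cover it, for example `// config is accepted for signature parity with the SigV4 schemes; bearer-token resolution does not read it.` (the parity motive is inferred from the generator template change in this patch). The two asserts in the body also look redundant if the delegated-to constructor already runs them; the tail of a constructor ending in `assert(m_signer);` is visible just above the hunk, but its start is outside it.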
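Review bot: The added `NoAuthScheme` constructor delegates with a literal `nullptr` as the identity resolver and then runs `assert(m_identityResolver);`, so it is only correct if the target constructor, which is outside this hunk, replaces a null argument with a real resolver. If the target stores the pointer as given, debug builds abort here, and release builds, where `assert` compiles out, carry a null resolver until its first use. Either construct the resolver explicitly in the delegation or add a comment such as `// the three-argument target substitutes a default resolver for nullptr` once that has been confirmed. `config` is discarded here with `AWS_UNREFERENCED_PARAM` as well, which deserves the same one-line explanation as in the bearer-token scheme.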
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4AuthScheme.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4AuthScheme.h index cf889f99fa1..283860c8aa7 100644 --- a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4AuthScheme.h +++ b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4AuthScheme.h @@ -59,6 +59,12 @@ namespace smithy { { } + explicit SigV4AuthScheme(const Aws::String& serviceName, const Aws::String& region, + const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) + : SigV4AuthScheme( + Aws::MakeShared("SigV4AuthScheme", config), + serviceName, region) {} + //For legacy constructors, signing requires additional input parameters explicit SigV4AuthScheme(const Aws::String& serviceName, const Aws::String& region, diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4aAuthScheme.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4aAuthScheme.h index a184699a481..d101883b53f 100644 --- a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4aAuthScheme.h +++ b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4aAuthScheme.h @@ -36,6 +36,15 @@ namespace smithy { assert(m_signer); } + explicit SigV4aAuthScheme(const Aws::String& serviceName, const Aws::String& region, + const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) + : SigV4aAuthScheme( + Aws::MakeShared("SigV4aAuthScheme", config), + serviceName, region) { + assert(m_identityResolver); + assert(m_signer); + } + explicit SigV4aAuthScheme(const Aws::String& serviceName, const Aws::String& region) : SigV4aAuthScheme(Aws::MakeShared("SigV4aAuthScheme"), serviceName, region) 
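Review bot: The new `SigV4AuthScheme(serviceName, region, config)` constructor determines which credential chain ends up signing requests, yet it has no comment and an empty body, while the matching `SigV4aAuthScheme` overload added in this patch checks `assert(m_identityResolver); assert(m_signer);` after delegating. Make the two consistent by adding the same asserts here or dropping them from both. A short comment would also help, for example `// Resolves credentials through the default chain built from config (the client's credentialProviderConfig).` The resolver type passed to `Aws::MakeShared` is not legible in this hunk, so that wording assumes it is the default credential resolver.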
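Review bot: The two-argument `SigV4aAuthScheme(serviceName, region)` overload that follows the added constructor still builds its resolver from `Aws::MakeShared(...)("SigV4aAuthScheme")` with no configuration. A caller that keeps using it therefore resolves credentials from an unconfigured default chain, which is the behaviour this patch sets out to fix. A request could then be signed with a different identity than the client was configured for, without any error. Mark that overload with a comment such as `// Ignores ClientConfiguration::credentialProviderConfig; prefer the overload taking config.`, and check whether the config-less constructors of the other schemes need the same. The overload's body continues past the end of the hunk.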
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h
index 83603236c76..560a2960ae4 100644
--- a/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h
+++ b/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h
@@ -4,59 +4,53 @@ */ #pragma once -#include - #include #include +#include namespace smithy { - constexpr char ALLOC_ID[] = "DefaultAwsCredentialIdentityResolver"; - /** - * A smithy SigV4 AWS Credentials resolver wrapper on top of legacy SDK Credentials provider - * TODO: refactor into own signer using smithy design - */ - class DefaultAwsCredentialIdentityResolver : public AwsCredentialIdentityResolver { - protected: - - mutable std::shared_ptr legacyChain_sp; - - public: - using SigV4AuthSchemeParameters = DefaultAuthSchemeResolverParameters; - - DefaultAwsCredentialIdentityResolver(): legacyChain_sp{Aws::MakeShared(ALLOC_ID)}{ - - }; - - DefaultAwsCredentialIdentityResolver(const Aws::Auth::DefaultAWSCredentialsProviderChain& credChain): legacyChain_sp{Aws::MakeShared(ALLOC_ID, credChain)}{ - - }; - - DefaultAwsCredentialIdentityResolver(const DefaultAwsCredentialIdentityResolver& other) = delete; - DefaultAwsCredentialIdentityResolver(DefaultAwsCredentialIdentityResolver&& other) noexcept = default; - DefaultAwsCredentialIdentityResolver& operator=(const DefaultAwsCredentialIdentityResolver& other) = delete; - DefaultAwsCredentialIdentityResolver& operator=(DefaultAwsCredentialIdentityResolver&& other) noexcept = default; - virtual ~DefaultAwsCredentialIdentityResolver() = default; - - DefaultAwsCredentialIdentityResolver(std::shared_ptr providerChain): legacyChain_sp{providerChain} - { - assert(legacyChain_sp); - }; - - ResolveIdentityFutureOutcome getIdentity(const IdentityProperties& identityProperties, const AdditionalParameters& additionalParameters) override - { - AWS_UNREFERENCED_PARAM(identityProperties); - AWS_UNREFERENCED_PARAM(additionalParameters); - - auto legacyCreds = legacyChain_sp->GetAWSCredentials(); - - auto smithyCreds = Aws::MakeUnique("DefaultAwsCredentialIdentityResolver", - legacyCreds.GetAWSAccessKeyId(), - legacyCreds.GetAWSSecretKey(), - legacyCreds.GetSessionToken().empty()? 
Aws::Crt::Optional() : legacyCreds.GetSessionToken(), - legacyCreds.GetExpiration(), - legacyCreds.GetAccountId().empty()? Aws::Crt::Optional() : legacyCreds.GetAccountId()); - - return ResolveIdentityFutureOutcome(std::move(smithyCreds)); - } - }; -} +constexpr char ALLOC_ID[] = "DefaultAwsCredentialIdentityResolver"; +/** + * A smithy SigV4 AWS Credentials resolver wrapper on top of legacy SDK Credentials provider + * TODO: refactor into own signer using smithy design + */ +class DefaultAwsCredentialIdentityResolver : public AwsCredentialIdentityResolver { + protected: + mutable std::shared_ptr legacyChain_sp; + + public: + using SigV4AuthSchemeParameters = DefaultAuthSchemeResolverParameters; + + DefaultAwsCredentialIdentityResolver() : legacyChain_sp{Aws::MakeShared(ALLOC_ID)} {}; + DefaultAwsCredentialIdentityResolver(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config) + : legacyChain_sp{Aws::MakeShared(ALLOC_ID, config)} {}; + DefaultAwsCredentialIdentityResolver(const Aws::Auth::DefaultAWSCredentialsProviderChain& credChain) + : legacyChain_sp{Aws::MakeShared(ALLOC_ID, credChain)} {}; + + DefaultAwsCredentialIdentityResolver(const DefaultAwsCredentialIdentityResolver& other) = delete; + DefaultAwsCredentialIdentityResolver(DefaultAwsCredentialIdentityResolver&& other) noexcept = default; + DefaultAwsCredentialIdentityResolver& operator=(const DefaultAwsCredentialIdentityResolver& other) = delete; + DefaultAwsCredentialIdentityResolver& operator=(DefaultAwsCredentialIdentityResolver&& other) noexcept = default; + virtual ~DefaultAwsCredentialIdentityResolver() = default; + + DefaultAwsCredentialIdentityResolver(std::shared_ptr providerChain) + : legacyChain_sp{providerChain} { + assert(legacyChain_sp); + }; + + ResolveIdentityFutureOutcome getIdentity(const IdentityProperties& identityProperties, + const AdditionalParameters& additionalParameters) override { + AWS_UNREFERENCED_PARAM(identityProperties); + 
AWS_UNREFERENCED_PARAM(additionalParameters); + + auto legacyCreds = legacyChain_sp->GetAWSCredentials(); + + auto smithyCreds = Aws::MakeUnique( + "DefaultAwsCredentialIdentityResolver", legacyCreds.GetAWSAccessKeyId(), legacyCreds.GetAWSSecretKey(), + legacyCreds.GetSessionToken().empty() ? Aws::Crt::Optional() : legacyCreds.GetSessionToken(), + legacyCreds.GetExpiration(), legacyCreds.GetAccountId().empty() ? Aws::Crt::Optional() : legacyCreds.GetAccountId()); + + return ResolveIdentityFutureOutcome(std::move(smithyCreds)); + } +}; +} // namespace smithy diff --git a/tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/smithy/SmithyClientSourceInit.vm b/tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/smithy/SmithyClientSourceInit.vm index 4ff6a95e5c2..98850df733c 100644 --- a/tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/smithy/SmithyClientSourceInit.vm +++ b/tools/code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/smithy/SmithyClientSourceInit.vm @@ -69,7 +69,7 @@ ${className}::${className}(const ${clientConfiguration}& clientConfiguration, { #if($serviceModel.metadata.serviceId == "S3") [&]() -> Aws::UnorderedMap > { - auto credsResolver = Aws::MakeShared(ALLOCATION_TAG); + auto credsResolver = Aws::MakeShared(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig); return { #foreach($entry in $AuthSchemeMapEntries) #if($AuthSchemes && $AuthSchemes[$foreach.index] == $s3_express_auth) @@ -82,7 +82,7 @@ ${className}::${className}(const ${clientConfiguration}& clientConfiguration, }() #else #foreach($entry in $AuthSchemeMapEntries) - {${entry}{GetServiceName(), clientConfiguration.region}}, + {${entry}{GetServiceName(), clientConfiguration.region, clientConfiguration.credentialProviderConfig}}, #end #end }) 
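Review bot: The added constructor taking `const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config` is a single-argument constructor without `explicit`, so a configuration object converts implicitly into a credential resolver wherever one is expected. Declaring it `explicit DefaultAwsCredentialIdentityResolver(const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& config)` keeps resolver construction visible at the call site. The `Aws::MakeShared(..., config)` calls elsewhere in this patch pass the configuration as a constructor argument and should be unaffected. The class comment could also say that this overload builds the legacy chain from the supplied configuration rather than from defaults; that reading is inferred from `Aws::MakeShared(ALLOC_ID, config)`, since the chain's own constructor is not shown.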
@@ -188,7 +188,7 @@ ${className}::${className}(const Client::ClientConfiguration& clientConfiguratio Aws::MakeShared<${AuthSchemeResolver}>(ALLOCATION_TAG), { [&]() -> Aws::UnorderedMap > { - auto credsResolver = Aws::MakeShared(ALLOCATION_TAG); + auto credsResolver = Aws::MakeShared(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig); return { #foreach($entry in $AuthSchemeMapEntries) #if($AuthSchemes && $AuthSchemes[$foreach.index] == $s3_express_auth) @@ -271,7 +271,7 @@ ${className}::${className}(const ${className} &rhs) : Aws::Client::ClientWithAsyncTemplateMethods(), AwsSmithyClientT(rhs) { m_authSchemes = [&]() -> Aws::UnorderedMap > { - auto credsResolver = Aws::MakeShared(ALLOCATION_TAG); + auto credsResolver = Aws::MakeShared(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig); return { #foreach($entry in $AuthSchemeMapEntries) #if($AuthSchemes && $AuthSchemes[$foreach.index] == $s3_express_auth) @@ -304,7 +304,7 @@ ${className}::${className}(const Client::ClientConfiguration& clientConfiguratio #if($entry.contains("smithy::BearerTokenAuthScheme")) {${entry}{Aws::MakeShared(ALLOCATION_TAG), GetServiceName(), clientConfiguration.region}}, #else - {$entry{Aws::MakeShared(ALLOCATION_TAG), GetServiceName(), clientConfiguration.region}}, + {$entry{Aws::MakeShared(ALLOCATION_TAG, clientConfiguration.credentialProviderConfig), GetServiceName(), clientConfiguration.region}}, #end #end })
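Review bot: In the `@@ -271,7 +271,7 @@` hunk the changed line sits inside the copy constructor `${className}::${className}(const ${className} &rhs)`, whose only visible parameter is `rhs`, yet it now reads `clientConfiguration.credentialProviderConfig`. Unless a member or inherited name `clientConfiguration` is in scope there (none is visible in the hunk), clients generated from this template will not compile, or the name will bind to something other than the copied client's settings. The resolver should be built from the source object's stored configuration, along the lines of `auto credsResolver = Aws::MakeShared(ALLOCATION_TAG, rhs.<STORED_CONFIG_MEMBER>.credentialProviderConfig);`, where the member name is a placeholder to be taken from the base class. The other hunks in this file receive `clientConfiguration` as a constructor parameter and are not affected.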