fix(core): make CREDENTIALS_CODE mutually exclusive with other credential sources (#7615)

smilkuri · web-flow · commit 05e017ef8879 · 2026-01-05T15:33:43.000-05:00
diff --git a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.spec.ts b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.spec.ts
@@ -93,9 +93,6 @@ describe(resolveAwsSdkSigV4Config.name, () => {
     expect(await config.credentials()).toEqual({
       accessKeyId: "unit-test",
       secretAccessKey: "unit-test",
-      $source: {
-        CREDENTIALS_CODE: "e",
-      },
     });
 
     {
diff --git a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts
@@ -139,10 +139,19 @@ export const resolveAwsSdkSigV4Config = <T>(
       });
       const boundProvider = bindCallerConfig(config, memoizedProvider);
       if (isUserSupplied && !boundProvider.attributed) {
-        resolvedCredentials = async (options: Record<string, any> | undefined) =>
-          boundProvider(options).then((creds: AttributedAwsCredentialIdentity) =>
-            setCredentialFeature(creds, "CREDENTIALS_CODE", "e")
-          );
+        // Check if the original input was a credential object
+        const isCredentialObject = typeof inputCredentials === "object" && inputCredentials !== null;
+
+        resolvedCredentials = async (options: Record<string, any> | undefined) => {
+          const creds = await boundProvider(options);
+          const attributedCreds = creds as AttributedAwsCredentialIdentity;
+
+          // Only set CREDENTIALS_CODE if user provided a credential object and no source attribution exists
+          if (isCredentialObject && (!attributedCreds.$source || Object.keys(attributedCreds.$source).length === 0)) {
+            return setCredentialFeature(attributedCreds, "CREDENTIALS_CODE", "e");
+          }
+          return attributedCreds;
+        };
         resolvedCredentials.memoized = boundProvider.memoized;
         resolvedCredentials.configBound = boundProvider.configBound;
         resolvedCredentials.attributed = true;
diff --git a/packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts b/packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts
@@ -236,7 +236,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "SSO_SESSION_TOKEN_us-sso-region-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_SSO_LEGACY: "u",
         },
       });
@@ -523,7 +522,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -567,7 +565,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -613,7 +610,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -666,7 +662,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -724,7 +719,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_ARWI_SESSION_TOKEN_ap-northeast-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
         },
       });
@@ -765,7 +759,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_ARWI_SESSION_TOKEN_eu-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
         },
       });
@@ -827,7 +820,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "COGNITO_SESSION_TOKEN_ap-northeast-1",
         identityId: "",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
-        $source: { CREDENTIALS_CODE: "e" },
       });
     });
 
@@ -846,7 +838,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "COGNITO_SESSION_TOKEN_ap-northeast-1",
         identityId: "ap-northeast-1:COGNITO_IDENTITY_ID",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
-        $source: { CREDENTIALS_CODE: "e" },
       });
     });
 
@@ -875,7 +866,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_eu-west-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -907,7 +897,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_AR_SESSION_TOKEN_eu-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -930,7 +919,6 @@ describe("credential-provider-node integration test", () => {
         sessionToken: "STS_ARWI_SESSION_TOKEN_ap-northeast-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
         },
       });
@@ -1108,7 +1096,6 @@ describe("credential-provider-node integration test", () => {
           sessionToken: "STS_AR_SESSION_TOKEN_ap-northeast-1",
           expiration: new Date("3000-01-01T00:00:00.000Z"),
           $source: {
-            CREDENTIALS_CODE: "e",
             CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
             CREDENTIALS_STS_ASSUME_ROLE: "i",
           },
@@ -1156,7 +1143,6 @@ describe("credential-provider-node integration test", () => {
         secretAccessKey: "DEFAULT",
         sessionToken: undefined,
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE: "n",
         },
       });
@@ -1232,7 +1218,6 @@ describe("credential-provider-node integration test", () => {
             sessionToken: "SSO_SESSION_TOKEN_us-sso-region-2",
             expiration: new Date("3000-01-01T00:00:00.000Z"),
             $source: {
-              CREDENTIALS_CODE: "e",
               CREDENTIALS_PROFILE_SSO: "r",
               CREDENTIALS_SSO: "s",
             },
@@ -1306,9 +1291,6 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AK1",
         secretAccessKey: "STS_SAK1",
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
       });
     });
 
@@ -1321,18 +1303,12 @@ describe("credential-provider-node integration test", () => {
       expect(credentials1).toEqual({
         accessKeyId: "STS_AK1",
         secretAccessKey: "STS_SAK1",
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
       });
 
       const credentials2 = await client.config.credentials({});
       expect(credentials2).toEqual({
         accessKeyId: "STS_AK1",
         secretAccessKey: "STS_SAK1",
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
       });
 
       const credentials3 = await client.config.credentials({
@@ -1341,18 +1317,12 @@ describe("credential-provider-node integration test", () => {
       expect(credentials3).toEqual({
         accessKeyId: "STS_AK2",
         secretAccessKey: "STS_SAK2",
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
       });
 
       const credentials4 = await client.config.credentials({});
       expect(credentials4).toEqual({
         accessKeyId: "STS_AK2",
         secretAccessKey: "STS_SAK2",
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
       });
     });
   });
diff --git a/packages/credential-providers/tests/fromCognitoIdentity.integ.spec.ts b/packages/credential-providers/tests/fromCognitoIdentity.integ.spec.ts
@@ -41,9 +41,6 @@ describe(fromCognitoIdentity.name, () => {
       });
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
         accessKeyId: "COGNITO_ACCESS_KEY_ID",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         identityId: "us-east-2:128d0a74-c82f-4553-916d-90053example",
diff --git a/packages/credential-providers/tests/fromCognitoIdentityPool.integ.spec.ts b/packages/credential-providers/tests/fromCognitoIdentityPool.integ.spec.ts
@@ -41,9 +41,6 @@ describe(fromCognitoIdentityPool.name, () => {
       });
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
-        $source: {
-          CREDENTIALS_CODE: "e",
-        },
         accessKeyId: "COGNITO_ACCESS_KEY_ID",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         identityId: "us-east-2:COGNITO_IDENTITY_ID",
diff --git a/packages/credential-providers/tests/fromHttp.integ.spec.ts b/packages/credential-providers/tests/fromHttp.integ.spec.ts
@@ -20,7 +20,6 @@ describe(fromHttp.name, () => {
       expect(await s3.config.credentials()).toEqual({
         $source: {
           CREDENTIALS_HTTP: "z",
-          CREDENTIALS_CODE: "e",
         },
         accessKeyId: "CONTAINER_ACCESS_KEY",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
@@ -48,7 +47,6 @@ describe(fromHttp.name, () => {
       expect(await s3.config.credentials()).toEqual({
         $source: {
           CREDENTIALS_HTTP: "z",
-          CREDENTIALS_CODE: "e",
         },
         accessKeyId: "CONTAINER_ACCESS_KEY",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
diff --git a/packages/credential-providers/tests/fromIni.integ.spec.ts b/packages/credential-providers/tests/fromIni.integ.spec.ts
@@ -31,7 +31,6 @@ describe(fromIni.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE: "n",
         },
         accessKeyId: "A",
@@ -57,7 +56,6 @@ describe(fromIni.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE: "n",
         },
         accessKeyId: "A",
@@ -84,7 +82,6 @@ describe(fromIni.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE: "n",
         },
         accessKeyId: "A",
diff --git a/packages/credential-providers/tests/fromLoginCredentials.integ.spec.ts b/packages/credential-providers/tests/fromLoginCredentials.integ.spec.ts
@@ -75,7 +75,6 @@ describe(fromLoginCredentials.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_LOGIN: "AD",
         },
         accessKeyId: "LOGIN_ACCESS_KEY_ID",
@@ -123,7 +122,6 @@ describe(fromLoginCredentials.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_LOGIN: "AD",
         },
         accessKeyId: "LOGIN_ACCESS_KEY_ID",
diff --git a/packages/credential-providers/tests/fromProcess.integ.spec.ts b/packages/credential-providers/tests/fromProcess.integ.spec.ts
@@ -24,7 +24,6 @@ describe(fromProcess.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROCESS: "w",
         },
         accessKeyId: "PROCESS_ACCESS_KEY_ID",
@@ -48,7 +47,6 @@ describe(fromProcess.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROCESS: "w",
         },
         accessKeyId: "PROCESS_ACCESS_KEY_ID",
@@ -73,7 +71,6 @@ describe(fromProcess.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROCESS: "w",
         },
         accessKeyId: "PROCESS_ACCESS_KEY_ID",
diff --git a/packages/credential-providers/tests/fromSSO.integ.spec.ts b/packages/credential-providers/tests/fromSSO.integ.spec.ts
@@ -45,7 +45,6 @@ describe(fromSSO.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_SSO_LEGACY: "u",
         },
         accessKeyId: "SSO_ACCESS_KEY_ID",
@@ -69,7 +68,6 @@ describe(fromSSO.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_SSO_LEGACY: "u",
         },
         accessKeyId: "SSO_ACCESS_KEY_ID",
diff --git a/packages/credential-providers/tests/fromTokenFile.integ.spec.ts b/packages/credential-providers/tests/fromTokenFile.integ.spec.ts
@@ -32,7 +32,6 @@ describe(fromTokenFile.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
           CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN: "h",
         },
@@ -63,7 +62,6 @@ describe(fromTokenFile.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
         },
         accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
diff --git a/packages/credential-providers/tests/fromWebToken.integ.spec.ts b/packages/credential-providers/tests/fromWebToken.integ.spec.ts
@@ -45,7 +45,6 @@ describe(fromWebToken.name, () => {
       await s3.listBuckets();
       expect(await s3.config.credentials()).toEqual({
         $source: {
-          CREDENTIALS_CODE: "e",
           CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
         },
         accessKeyId: "STS_ARWI_ACCESS_KEY_ID",

Original file line number	Diff line number	Diff line change
`@@ -93,9 +93,6 @@ describe(resolveAwsSdkSigV4Config.name, () => {`
`93`	`93`	`expect(await config.credentials()).toEqual({`
`94`	`94`	`accessKeyId: "unit-test",`
`95`	`95`	`secretAccessKey: "unit-test",`
`96`		`- $source: {`
`97`		`- CREDENTIALS_CODE: "e",`
`98`		`- },`
`99`	`96`	`});`
`100`	`97`
`101`	`98`	`{`