fix: use default credentials provider for all provided SDK clients (#1303)

---------

Co-authored-by: Scott Gerring <[email protected]>

Author: roamingthings

powertools-core/src/main/java/software/amazon/lambda/powertools/core/internal/LambdaConstants.java

@@ -16,7 +16,11 @@
 public class LambdaConstants {
     public static final String LAMBDA_FUNCTION_NAME_ENV = "AWS_LAMBDA_FUNCTION_NAME";
     public static final String AWS_REGION_ENV = "AWS_REGION";
+    // Also you can use AWS_LAMBDA_INITIALIZATION_TYPE to distinguish between on-demand and SnapStart initialization
+    // it's not recommended to use this env variable to initialize SDK clients or other resources.
+    @Deprecated
     public static final String AWS_LAMBDA_INITIALIZATION_TYPE = "AWS_LAMBDA_INITIALIZATION_TYPE";
+    @Deprecated
     public static final String ON_DEMAND = "on-demand";
     public static final String X_AMZN_TRACE_ID = "_X_AMZN_TRACE_ID";
     public static final String AWS_SAM_LOCAL = "AWS_SAM_LOCAL";

powertools-idempotency/src/main/java/software/amazon/lambda/powertools/idempotency/persistence/DynamoDBPersistenceStore.java

@@ -15,11 +15,9 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
-import software.amazon.awssdk.services.dynamodb.DynamoDbClientBuilder;
 import software.amazon.awssdk.services.dynamodb.model.*;
 import software.amazon.awssdk.utils.StringUtils;
 import software.amazon.lambda.powertools.idempotency.Constants;
@@ -34,10 +32,8 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_LAMBDA_INITIALIZATION_TYPE;
 import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_REGION_ENV;
 import static software.amazon.lambda.powertools.core.internal.LambdaConstants.LAMBDA_FUNCTION_NAME_ENV;
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.ON_DEMAND;
 import static software.amazon.lambda.powertools.idempotency.persistence.DataRecord.Status.INPROGRESS;
 
 /**
@@ -88,19 +84,10 @@ private DynamoDBPersistenceStore(String tableName,
         } else {
             String idempotencyDisabledEnv = System.getenv().get(Constants.IDEMPOTENCY_DISABLED_ENV);
             if (idempotencyDisabledEnv == null || idempotencyDisabledEnv.equalsIgnoreCase("false")) {
-                DynamoDbClientBuilder ddbBuilder = DynamoDbClient.builder()
+                this.dynamoDbClient = DynamoDbClient.builder()
                         .httpClient(UrlConnectionHttpClient.builder().build())
-                        .region(Region.of(System.getenv(AWS_REGION_ENV)));
-
-                // AWS_LAMBDA_INITIALIZATION_TYPE has two values on-demand and snap-start
-                // when using snap-start mode, the env var creds provider isn't used and causes a fatal error if set
-                // fall back to the default provider chain if the mode is anything other than on-demand.
-                String initializationType = System.getenv().get(AWS_LAMBDA_INITIALIZATION_TYPE);
-                if (initializationType  != null && initializationType.equals(ON_DEMAND)) {
-                    ddbBuilder.credentialsProvider(EnvironmentVariableCredentialsProvider.create());
-                }
-
-                this.dynamoDbClient = ddbBuilder.build();
+                        .region(Region.of(System.getenv(AWS_REGION_ENV)))
+                        .build();
             } else {
                 // we do not want to create a DynamoDbClient if idempotency is disabled
                 // null is ok as idempotency won't be called

powertools-parameters/src/main/java/software/amazon/lambda/powertools/parameters/AppConfigProvider.java

@@ -1,23 +1,18 @@
 package software.amazon.lambda.powertools.parameters;
 
-import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.appconfigdata.AppConfigDataClient;
-import software.amazon.awssdk.services.appconfigdata.AppConfigDataClientBuilder;
 import software.amazon.awssdk.services.appconfigdata.model.GetLatestConfigurationRequest;
 import software.amazon.awssdk.services.appconfigdata.model.GetLatestConfigurationResponse;
 import software.amazon.awssdk.services.appconfigdata.model.StartConfigurationSessionRequest;
-import software.amazon.lambda.powertools.core.internal.LambdaConstants;
 import software.amazon.lambda.powertools.parameters.cache.CacheManager;
 import software.amazon.lambda.powertools.parameters.transform.TransformationManager;
 
 import java.util.HashMap;
 import java.util.Map;
 
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_LAMBDA_INITIALIZATION_TYPE;
-
 /**
  * Implements a {@link ParamProvider} on top of the AppConfig service. AppConfig provides
  * a mechanism to retrieve and update configuration of applications over time.
@@ -144,19 +139,10 @@ public AppConfigProvider build() {
 
             // Create a AppConfigDataClient if we haven't been given one
             if (client == null) {
-                AppConfigDataClientBuilder appConfigDataClientBuilder = AppConfigDataClient.builder()
+                client = AppConfigDataClient.builder()
                         .httpClientBuilder(UrlConnectionHttpClient.builder())
-                        .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())));
-
-                // AWS_LAMBDA_INITIALIZATION_TYPE has two values on-demand and snap-start
-                // when using snap-start mode, the env var creds provider isn't used and causes a fatal error if set
-                // fall back to the default provider chain if the mode is anything other than on-demand.
-                String initializationType = System.getenv().get(AWS_LAMBDA_INITIALIZATION_TYPE);
-                if (initializationType  != null && initializationType.equals(LambdaConstants.ON_DEMAND)) {
-                    appConfigDataClientBuilder.credentialsProvider(EnvironmentVariableCredentialsProvider.create());
-                }
-
-                client = appConfigDataClientBuilder.build();
+                        .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())))
+                        .build();
             }
 
             AppConfigProvider provider = new AppConfigProvider(cacheManager, client, environment, application);

powertools-parameters/src/main/java/software/amazon/lambda/powertools/parameters/DynamoDbProvider.java

@@ -1,17 +1,14 @@
 package software.amazon.lambda.powertools.parameters;
 
-import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
-import software.amazon.awssdk.services.dynamodb.DynamoDbClientBuilder;
 import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
 import software.amazon.awssdk.services.dynamodb.model.GetItemRequest;
 import software.amazon.awssdk.services.dynamodb.model.GetItemResponse;
 import software.amazon.awssdk.services.dynamodb.model.QueryRequest;
 import software.amazon.awssdk.services.dynamodb.model.QueryResponse;
-import software.amazon.lambda.powertools.core.internal.LambdaConstants;
 import software.amazon.lambda.powertools.parameters.cache.CacheManager;
 import software.amazon.lambda.powertools.parameters.exception.DynamoDbProviderSchemaException;
 import software.amazon.lambda.powertools.parameters.transform.TransformationManager;
@@ -20,8 +17,6 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_LAMBDA_INITIALIZATION_TYPE;
-
 /**
  * Implements a {@link ParamProvider} on top of DynamoDB. The schema of the table
  * is described in the Powertools for AWS Lambda (Java) documentation.
@@ -190,19 +185,10 @@ public DynamoDbProvider.Builder withTransformationManager(TransformationManager
         }
 
         private static DynamoDbClient createClient() {
-            DynamoDbClientBuilder dynamoDbClientBuilder = DynamoDbClient.builder()
+            return DynamoDbClient.builder()
                     .httpClientBuilder(UrlConnectionHttpClient.builder())
-                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())));
-
-            // AWS_LAMBDA_INITIALIZATION_TYPE has two values on-demand and snap-start
-            // when using snap-start mode, the env var creds provider isn't used and causes a fatal error if set
-            // fall back to the default provider chain if the mode is anything other than on-demand.
-            String initializationType = System.getenv().get(AWS_LAMBDA_INITIALIZATION_TYPE);
-            if (initializationType  != null && initializationType.equals(LambdaConstants.ON_DEMAND)) {
-                dynamoDbClientBuilder.credentialsProvider(EnvironmentVariableCredentialsProvider.create());
-            }
-
-            return dynamoDbClientBuilder.build();
+                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())))
+                    .build();
         }
     }
 }

powertools-parameters/src/main/java/software/amazon/lambda/powertools/parameters/SSMProvider.java

@@ -13,17 +13,14 @@
  */
 package software.amazon.lambda.powertools.parameters;
 
-import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.ssm.SsmClient;
-import software.amazon.awssdk.services.ssm.SsmClientBuilder;
 import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
 import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
 import software.amazon.awssdk.services.ssm.model.GetParametersByPathResponse;
 import software.amazon.awssdk.utils.StringUtils;
-import software.amazon.lambda.powertools.core.internal.LambdaConstants;
 import software.amazon.lambda.powertools.parameters.cache.CacheManager;
 import software.amazon.lambda.powertools.parameters.transform.TransformationManager;
 import software.amazon.lambda.powertools.parameters.transform.Transformer;
@@ -32,8 +29,6 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_LAMBDA_INITIALIZATION_TYPE;
-
 /**
  * AWS System Manager Parameter Store Provider <br/><br/>
  *
@@ -283,19 +278,10 @@ public SSMProvider.Builder withClient(SsmClient client) {
         }
 
         private static SsmClient createClient() {
-            SsmClientBuilder ssmClientBuilder = SsmClient.builder()
+            return SsmClient.builder()
                     .httpClientBuilder(UrlConnectionHttpClient.builder())
-                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())));
-
-            // AWS_LAMBDA_INITIALIZATION_TYPE has two values on-demand and snap-start
-            // when using snap-start mode, the env var creds provider isn't used and causes a fatal error if set
-            // fall back to the default provider chain if the mode is anything other than on-demand.
-            String initializationType = System.getenv().get(AWS_LAMBDA_INITIALIZATION_TYPE);
-            if (initializationType  != null && initializationType.equals(LambdaConstants.ON_DEMAND)) {
-                ssmClientBuilder.credentialsProvider(EnvironmentVariableCredentialsProvider.create());
-            }
-
-            return ssmClientBuilder.build();
+                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())))
+                    .build();
         }
 
         /**

powertools-parameters/src/main/java/software/amazon/lambda/powertools/parameters/SecretsProvider.java

@@ -13,14 +13,11 @@
  */
 package software.amazon.lambda.powertools.parameters;
 
-import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
 import software.amazon.awssdk.core.SdkSystemSetting;
 import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
-import software.amazon.awssdk.services.secretsmanager.SecretsManagerClientBuilder;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
-import software.amazon.lambda.powertools.core.internal.LambdaConstants;
 import software.amazon.lambda.powertools.parameters.cache.CacheManager;
 import software.amazon.lambda.powertools.parameters.transform.TransformationManager;
 import software.amazon.lambda.powertools.parameters.transform.Transformer;
@@ -30,7 +27,6 @@
 import java.util.Map;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static software.amazon.lambda.powertools.core.internal.LambdaConstants.AWS_LAMBDA_INITIALIZATION_TYPE;
 
 /**
  * AWS Secrets Manager Parameter Provider<br/><br/>
@@ -191,19 +187,10 @@ public Builder withClient(SecretsManagerClient client) {
         }
 
         private static SecretsManagerClient createClient() {
-            SecretsManagerClientBuilder secretsManagerClientBuilder = SecretsManagerClient.builder()
+            return SecretsManagerClient.builder()
                     .httpClientBuilder(UrlConnectionHttpClient.builder())
-                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())));
-
-            // AWS_LAMBDA_INITIALIZATION_TYPE has two values on-demand and snap-start
-            // when using snap-start mode, the env var creds provider isn't used and causes a fatal error if set
-            // fall back to the default provider chain if the mode is anything other than on-demand.
-            String initializationType = System.getenv().get(AWS_LAMBDA_INITIALIZATION_TYPE);
-            if (initializationType  != null && initializationType.equals(LambdaConstants.ON_DEMAND)) {
-                secretsManagerClientBuilder.credentialsProvider(EnvironmentVariableCredentialsProvider.create());
-            }
-
-            return secretsManagerClientBuilder.build();
+                    .region(Region.of(System.getenv(SdkSystemSetting.AWS_REGION.environmentVariable())))
+                    .build();
         }
 
         /**