feat: add authentication scheme preference configuration

Author: AlexDaines

generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json

@@ -0,0 +1,11 @@
+{
+  "core": {
+    "changeLogMessages": [
+      "Added ability to configure authentication scheme preferences (e.g., prioritize SigV4a over SigV4)",
+      "Added support for AWS_AUTH_SCHEME_PREFERENCE environment variable and auth_scheme_preference configuration file setting",
+      "Improved authentication scheme resolution to support multiple authentication methods per service"
+    ],
+    "type": "minor",
+    "updateMinimum": true
+  }
+}

sdk/src/Core/AWSConfigs.cs

@@ -402,6 +402,64 @@ public static bool DisableLegacyPersistenceStore
 
         #endregion
 
+        #region Authentication Scheme Preference
+
+        /// <summary>
+        /// Key for the AuthSchemePreference property.
+        /// <seealso cref="Amazon.AWSConfigs.AuthSchemePreference"/>
+        /// </summary>
+        public const string AuthSchemePreferenceKey = "AWSAuthSchemePreference";
+
+        /// <summary>
+        /// Gets or sets the global authentication scheme preference for all AWS service clients.
+        /// <para>
+        /// This property allows you to specify a preference list of authentication schemes
+        /// that will be used to reprioritize the supported authentication schemes globally.
+        /// Individual client configurations can override this global setting.
+        /// </para>
+        /// <para>
+        /// This setting can be configured through environment variables or configuration files:
+        /// - Environment variable: AWS_AUTH_SCHEME_PREFERENCE
+        /// - Configuration file: auth_scheme_preference
+        /// </para>
+        /// </summary>
+        public static string AuthSchemePreference
+        {
+            get { return _rootConfig.AuthSchemePreference; }
+            set { _rootConfig.AuthSchemePreference = value; }
+        }
+
+        #endregion
+
+        #region SigV4a Region Set Configuration
+
+        /// <summary>
+        /// Key for the SigV4aSigningRegionSet property.
+        /// <seealso cref="Amazon.AWSConfigs.SigV4aSigningRegionSet"/>
+        /// </summary>
+        public const string SigV4aSigningRegionSetKey = "AWSSigV4aRegionSet";
+
+        /// <summary>
+        /// Gets or sets the global SigV4a signing region set configuration for all AWS service clients.
+        /// <para>
+        /// This property allows you to specify the region set that will be used for SigV4a signing globally.
+        /// The region set determines which regions the signed request is valid for.
+        /// Individual client configurations can override this global setting.
+        /// </para>
+        /// <para>
+        /// This setting can be configured through environment variables or configuration files:
+        /// - Environment variable: AWS_SIGV4A_SIGNING_REGION_SET
+        /// - Configuration file: sigv4a_signing_region_set
+        /// </para>
+        /// </summary>
+        public static string SigV4aSigningRegionSet
+        {
+            get { return _rootConfig.SigV4aSigningRegionSet; }
+            set { _rootConfig.SigV4aSigningRegionSet = value; }
+        }
+
+        #endregion
+
         #region AWS Config Sections
 
         /// <summary>

sdk/src/Core/Amazon.Runtime/ClientConfig.cs

@@ -1185,6 +1185,28 @@ public TelemetryProvider TelemetryProvider
             set { this.telemetryProvider = value; }
         }
 
+        /// <summary>
+        /// Gets or sets the authentication scheme preference for this client configuration.
+        /// <para>
+        /// This property allows you to specify a comma-separated preference list of authentication schemes
+        /// (e.g., "sigv4a,sigv4") that will be used to reprioritize the supported authentication schemes for this client.
+        /// If not set, the client will use environment variables, configuration files,
+        /// or fall back to the default model-based authentication scheme resolution.
+        /// </para>
+        /// </summary>
+        public string AuthSchemePreference { get; set; }
+
+        /// <summary>
+        /// Gets or sets the SigV4a signing region set for this client.
+        /// <para>
+        /// This property allows you to specify a comma-separated list of regions (e.g., "us-east-1,us-west-2")
+        /// that will be used for SigV4a signing. The region set determines which regions the signed request is valid for.
+        /// If not set, the client will use environment variables, configuration files,
+        /// endpoints metadata, or fall back to the client's configured region.
+        /// </para>
+        /// </summary>
+        public string SigV4aSigningRegionSet { get; set; }
+
         /// <summary>
         /// Determines the behavior for calculating checksums for request payloads.
         /// By default it is set to <see cref="RequestChecksumCalculation.WHEN_SUPPORTED"/>.

sdk/src/Core/Amazon.Runtime/Credentials/Internal/AuthSchemeOption.cs

@@ -23,11 +23,33 @@ public class AuthSchemeOption : IAuthSchemeOption
         /// <inheritdoc/>
         public string SchemeId { get; set; }
 
+        /// <summary>
+        /// Gets the short name of the authentication scheme (e.g., "sigv4" from "aws.auth#sigv4").
+        /// This is used for configuration purposes.
+        /// </summary>
+        public string Name => GetNameFromSchemeId(SchemeId);
+
         internal const string SigV4 = "aws.auth#sigv4";
         internal const string SigV4A = "aws.auth#sigv4a";
         internal const string Bearer = "smithy.api#httpBearerAuth";
         internal const string NoAuth = "smithy.api#noAuth";
 
+        /// <summary>
+        /// Extracts the short name from a fully qualified scheme ID.
+        /// </summary>
+        /// <param name="schemeId">The fully qualified scheme ID (e.g., "aws.auth#sigv4").</param>
+        /// <returns>The short name (e.g., "sigv4") or the original schemeId if no '#' is present.</returns>
+        public static string GetNameFromSchemeId(string schemeId)
+        {
+            if (string.IsNullOrEmpty(schemeId))
+                return schemeId;
+
+            int hashIndex = schemeId.IndexOf('#');
+            return hashIndex >= 0 && hashIndex < schemeId.Length - 1
+                ? schemeId.Substring(hashIndex + 1)
+                : schemeId;
+        }
+
         /// <summary>
         /// Default auth scheme options for services / operations that only support SigV4.
         /// </summary>

sdk/src/Core/Amazon.Runtime/IClientConfig.cs

@@ -397,6 +397,28 @@ public partial interface IClientConfig
         /// </summary>
         ResponseChecksumValidation ResponseChecksumValidation { get; }
 
+        /// <summary>
+        /// Gets or sets the authentication scheme preference for this client configuration.
+        /// <para>
+        /// This property allows you to specify a comma-separated preference list of authentication schemes
+        /// (e.g., "sigv4a,sigv4") that will be used to reprioritize the supported authentication schemes for this client.
+        /// If not set, the client will use environment variables, configuration files,
+        /// or fall back to the default model-based authentication scheme resolution.
+        /// </para>
+        /// </summary>
+        string AuthSchemePreference { get; }
+
+        /// <summary>
+        /// Gets or sets the SigV4a signing region set for this client.
+        /// <para>
+        /// This property allows you to specify a comma-separated list of regions (e.g., "us-east-1,us-west-2")
+        /// that will be used for SigV4a signing. The region set determines which regions the signed request is valid for.
+        /// If not set, the client will use environment variables, configuration files,
+        /// endpoints metadata, or fall back to the client's configured region.
+        /// </para>
+        /// </summary>
+        string SigV4aSigningRegionSet { get; }
+
         /// <summary>
         /// Controls whether the resolved endpoint will include the account id. This allows for direct routing of traffic
         /// to the cell responsible for a given account, which avoids the additional latency of extra backend hops and reduces

sdk/src/Core/Amazon.Runtime/Internal/InternalConfiguration.cs

@@ -114,6 +114,16 @@ public class InternalConfiguration
         /// Determines the behavior for validating checksums on response payloads.
         /// </summary>
         public ResponseChecksumValidation? ResponseChecksumValidation { get; set; }
+
+        /// <summary>
+        /// Comma-separated list of authentication scheme preferences (e.g., "sigv4a,sigv4").
+        /// </summary>
+        public string AuthSchemePreference { get; set; }
+
+        /// <summary>
+        /// Comma-separated list of regions for SigV4a signing (e.g., "us-east-1,us-west-2").
+        /// </summary>
+        public string SigV4aSigningRegionSet { get; set; }
     }
 
 #if BCL || NETSTANDARD
@@ -140,6 +150,8 @@ public class EnvironmentVariableInternalConfiguration : InternalConfiguration
         public const string ENVIRONMENT_VARAIBLE_AWS_ACCOUNT_ID_ENDPOINT_MODE = "AWS_ACCOUNT_ID_ENDPOINT_MODE";
         public const string ENVIRONMENT_VARIABLE_AWS_REQUEST_CHECKSUM_CALCULATION = "AWS_REQUEST_CHECKSUM_CALCULATION";
         public const string ENVIRONMENT_VARIABLE_AWS_RESPONSE_CHECKSUM_VALIDATION = "AWS_RESPONSE_CHECKSUM_VALIDATION";
+        public const string ENVIRONMENT_VARIABLE_AWS_AUTH_SCHEME_PREFERENCE = "AWS_AUTH_SCHEME_PREFERENCE";
+        public const string ENVIRONMENT_VARIABLE_AWS_SIGV4A_SIGNING_REGION_SET = "AWS_SIGV4A_SIGNING_REGION_SET";
         public const int AWS_SDK_UA_APP_ID_MAX_LENGTH = 50;
 
         /// <summary>
@@ -165,6 +177,10 @@ public EnvironmentVariableInternalConfiguration()
             RequestChecksumCalculation = GetEnvironmentVariable<RequestChecksumCalculation>(ENVIRONMENT_VARIABLE_AWS_REQUEST_CHECKSUM_CALCULATION);
             ResponseChecksumValidation = GetEnvironmentVariable<ResponseChecksumValidation>(ENVIRONMENT_VARIABLE_AWS_RESPONSE_CHECKSUM_VALIDATION);
             ClientAppId = GetClientAppIdEnvironmentVariable();
+            TryGetEnvironmentVariable(ENVIRONMENT_VARIABLE_AWS_AUTH_SCHEME_PREFERENCE, out var authPref);
+            AuthSchemePreference = authPref;
+            TryGetEnvironmentVariable(ENVIRONMENT_VARIABLE_AWS_SIGV4A_SIGNING_REGION_SET, out var regionSet);
+            SigV4aSigningRegionSet = regionSet;
         }
 
         private bool GetEnvironmentVariable(string name, bool defaultValue)
@@ -340,6 +356,16 @@ private void Setup(ICredentialProfileSource source, string profileName)
                 AccountIdEndpointMode = profile.AccountIdEndpointMode;
                 RequestChecksumCalculation = profile.RequestChecksumCalculation;
                 ResponseChecksumValidation = profile.ResponseChecksumValidation;
+                
+                // Auth scheme properties are stored in the Properties dictionary
+                if (profile.Properties.TryGetValue("auth_scheme_preference", out string authSchemePreference))
+                {
+                    AuthSchemePreference = string.IsNullOrWhiteSpace(authSchemePreference) ? null : authSchemePreference.Trim();
+                }
+                if (profile.Properties.TryGetValue("sigv4a_signing_region_set", out string sigv4aRegionSet))
+                {
+                    SigV4aSigningRegionSet = string.IsNullOrWhiteSpace(sigv4aRegionSet) ? null : sigv4aRegionSet.Trim();
+                }
             }
             else
             {
@@ -365,6 +391,8 @@ private void Setup(ICredentialProfileSource source, string profileName)
                 new KeyValuePair<string, object>("account_id_endpoint_mode", profile.AccountIdEndpointMode),
                 new KeyValuePair<string, object>("request_checksum_calculation", profile.RequestChecksumCalculation),
                 new KeyValuePair<string, object>("response_checksum_validation", profile.ResponseChecksumValidation),
+                new KeyValuePair<string, object>("auth_scheme_preference", AuthSchemePreference),
+                new KeyValuePair<string, object>("sigv4a_signing_region_set", SigV4aSigningRegionSet),
             };
 
             foreach(var item in items)
@@ -436,6 +464,8 @@ public static void Reset()
             _cachedConfiguration.AccountIdEndpointMode = SeekValue(standardGenerators,(c) => c.AccountIdEndpointMode);
             _cachedConfiguration.RequestChecksumCalculation = SeekValue(standardGenerators, (c) => c.RequestChecksumCalculation);
             _cachedConfiguration.ResponseChecksumValidation = SeekValue(standardGenerators, (c) => c.ResponseChecksumValidation);
+            _cachedConfiguration.AuthSchemePreference = SeekString(standardGenerators, (c) => c.AuthSchemePreference, defaultValue: null);
+            _cachedConfiguration.SigV4aSigningRegionSet = SeekString(standardGenerators, (c) => c.SigV4aSigningRegionSet, defaultValue: null);
         }        
 
         private static T? SeekValue<T>(List<ConfigGenerator> generators, Func<InternalConfiguration, T?> getValue) where T : struct
@@ -634,5 +664,27 @@ public static ResponseChecksumValidation? ResponseChecksumValidation
                 return _cachedConfiguration.ResponseChecksumValidation;
             }
         }
+
+        /// <summary>
+        /// Gets the authentication scheme preference from environment or config files.
+        /// </summary>
+        public static string AuthSchemePreference
+        {
+            get
+            {
+                return _cachedConfiguration.AuthSchemePreference;
+            }
+        }
+
+        /// <summary>
+        /// Gets the SigV4a signing region set from environment or config files.
+        /// </summary>
+        public static string SigV4aSigningRegionSet
+        {
+            get
+            {
+                return _cachedConfiguration.SigV4aSigningRegionSet;
+            }
+        }
     }
 }

sdk/src/Core/Amazon.Runtime/Internal/Settings/SettingsConstants.cs

@@ -57,6 +57,8 @@ public static class SettingsConstants
         public const string Services = "services";
         public const string EndpointUrl = "endpoint_url";
         public const string AwsAccountId = "aws_account_id";
+        public const string AuthSchemePreference = "auth_scheme_preference";
+        public const string SigV4aSigningRegionSet = "sigv4a_signing_region_set";
 
         // present in endpoint definitions in SAMLEndpoints.json file
         public const string EndpointField = "Endpoint";