refactor: address PR review comments on delegated auth

- Pass reqwest::Client and AwsCredentials from upstream into
  get_delegated_api_key instead of building them internally
- Extract try_delegated_auth helper in decrypt.rs to resolve
  credentials (including SnapStart) before calling the client
- Remove duplicate get_snapstart_credentials from client.rs
- Remove IntakeKeyResponse/Data/Attributes structs; use serde_json::Value
- Read response body once to avoid conceptual double-read
- Log body length only (not body content) in parse error for security
- Downgrade info! URL log to debug! in client.rs
- Move success info! log to decrypt.rs (caller) only
- Add doc comments to magic constants in auth_proof.rs
- Add comments explaining SnapStart credential flow and us-east-1 fallback
- Add proxy comment on get_delegated_api_key explaining HTTPS_PROXY support

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: jchrostek-dd

bottlecap/src/bin/bottlecap/main.rs

@@ -150,7 +150,8 @@ async fn main() -> anyhow::Result<()> {
     let config = Arc::new(config::get_config(Path::new(&lambda_directory)));
 
     let aws_config = Arc::new(aws_config);
-    let api_key_factory = create_api_key_factory(&config, &aws_config);
+    let shared_client = bottlecap::http::get_client(&config);
+    let api_key_factory = create_api_key_factory(&config, &aws_config, &shared_client);
 
     let r = response
         .await
@@ -161,6 +162,7 @@ async fn main() -> anyhow::Result<()> {
         Arc::clone(&aws_config),
         &config,
         &client,
+        shared_client,
         &r,
         Arc::clone(&api_key_factory),
         start_time,
@@ -246,17 +248,23 @@ fn get_flush_strategy_for_mode(
     }
 }
 
-fn create_api_key_factory(config: &Arc<Config>, aws_config: &Arc<AwsConfig>) -> Arc<ApiKeyFactory> {
+fn create_api_key_factory(
+    config: &Arc<Config>,
+    aws_config: &Arc<AwsConfig>,
+    client: &reqwest::Client,
+) -> Arc<ApiKeyFactory> {
     let config = Arc::clone(config);
     let aws_config = Arc::clone(aws_config);
+    let client = client.clone();
     let api_key_secret_reload_interval = config.api_key_secret_reload_interval;
 
     Arc::new(ApiKeyFactory::new_from_resolver(
         Arc::new(move || {
             let config = Arc::clone(&config);
             let aws_config = Arc::clone(&aws_config);
+            let client = client.clone();
 
-            Box::pin(async move { resolve_secrets(config, aws_config).await })
+            Box::pin(async move { resolve_secrets(config, aws_config, client).await })
         }),
         api_key_secret_reload_interval,
     ))
@@ -285,6 +293,7 @@ async fn extension_loop_active(
     aws_config: Arc<AwsConfig>,
     config: &Arc<Config>,
     client: &Client,
+    shared_client: reqwest::Client,
     r: &RegisterResponse,
     api_key_factory: Arc<ApiKeyFactory>,
     start_time: Instant,
@@ -294,11 +303,6 @@ async fn extension_loop_active(
     let account_id = r.account_id.as_ref().unwrap_or(&"none".to_string()).clone();
     let tags_provider = setup_tag_provider(&Arc::clone(&aws_config), config, &account_id);
 
-    // Build one shared reqwest::Client for metrics, logs, and trace proxy flushing.
-    // reqwest::Client is Arc-based internally, so cloning just increments a refcount
-    // and shares the connection pool.
-    let shared_client = bottlecap::http::get_client(config);
-
     let (
         logs_agent_channel,
         logs_flusher,

bottlecap/src/secrets/decrypt.rs

@@ -18,17 +18,15 @@ use tracing::{debug, error, info, warn};
 
 use crate::secrets::delegated_auth;
 
-pub async fn resolve_secrets(config: Arc<Config>, aws_config: Arc<AwsConfig>) -> Option<String> {
-    if !config.dd_org_uuid.is_empty() {
-        match delegated_auth::get_delegated_api_key(&config, &aws_config).await {
-            Ok(api_key) => {
-                info!("Delegated auth API key obtained successfully");
-                return clean_api_key(Some(api_key));
-            }
-            Err(e) => {
-                warn!("Delegated auth failed, falling back to other methods: {e}");
-            }
-        }
+pub async fn resolve_secrets(
+    config: Arc<Config>,
+    aws_config: Arc<AwsConfig>,
+    client: Client,
+) -> Option<String> {
+    if !config.dd_org_uuid.is_empty()
+        && let Some(api_key) = try_delegated_auth(&config, &aws_config, &client).await
+    {
+        return Some(api_key);
     }
 
     let api_key_candidate = if !config.api_key_secret_arn.is_empty()
@@ -126,6 +124,58 @@ pub async fn resolve_secrets(config: Arc<Config>, aws_config: Arc<AwsConfig>) ->
     clean_api_key(api_key_candidate)
 }
 
+async fn try_delegated_auth(
+    config: &Arc<Config>,
+    aws_config: &Arc<AwsConfig>,
+    client: &Client,
+) -> Option<String> {
+    let mut aws_credentials = AwsCredentials::from_env();
+
+    if aws_credentials.aws_secret_access_key.is_empty()
+        && aws_credentials.aws_access_key_id.is_empty()
+        && !aws_credentials
+            .aws_container_credentials_full_uri
+            .is_empty()
+        && !aws_credentials.aws_container_authorization_token.is_empty()
+    {
+        // We're in Snap Start
+        let credentials = match get_snapstart_credentials(&aws_credentials, &client).await {
+            Ok(credentials) => credentials,
+            Err(err) => {
+                error!(
+                    "Error getting Snap Start credentials for delegated auth: {}",
+                    err
+                );
+                return None;
+            }
+        };
+        aws_credentials.aws_access_key_id = credentials["AccessKeyId"]
+            .as_str()
+            .unwrap_or_default()
+            .to_string();
+        aws_credentials.aws_secret_access_key = credentials["SecretAccessKey"]
+            .as_str()
+            .unwrap_or_default()
+            .to_string();
+        aws_credentials.aws_session_token = credentials["Token"]
+            .as_str()
+            .unwrap_or_default()
+            .to_string();
+    }
+
+    match delegated_auth::get_delegated_api_key(config, aws_config, client, &aws_credentials).await
+    {
+        Ok(api_key) => {
+            info!("Delegated auth API key obtained successfully");
+            clean_api_key(Some(api_key))
+        }
+        Err(e) => {
+            warn!("Delegated auth failed, falling back to other methods: {e}");
+            None
+        }
+    }
+}
+
 fn clean_api_key(maybe_key: Option<String>) -> Option<String> {
     if let Some(key) = maybe_key {
         let clean_key = key.trim_end_matches('\n').replace(' ', "").clone();

bottlecap/src/secrets/delegated_auth/auth_proof.rs

@@ -8,9 +8,13 @@ use tracing::debug;
 
 use crate::config::aws::AwsCredentials;
 
+/// The STS `GetCallerIdentity` request body (form-encoded)
 const GET_CALLER_IDENTITY_BODY: &str = "Action=GetCallerIdentity&Version=2011-06-15";
+/// Content-Type for the STS request (required by `SigV4`)
 const CONTENT_TYPE: &str = "application/x-www-form-urlencoded; charset=utf-8";
+/// Datadog organization ID header included in the signed headers for backend verification
 const ORG_ID_HEADER: &str = "x-ddog-org-id";
+/// AWS service name used in `SigV4` credential scope
 const STS_SERVICE: &str = "sts";
 
 /// Generates an authentication proof from AWS credentials.
@@ -34,6 +38,8 @@ pub fn generate_auth_proof(
 ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
     debug!("Generating delegated auth proof for region: {}", region);
 
+    // By the time this function is called, the caller has already resolved SnapStart
+    // credentials from the container credentials endpoint if needed.
     if aws_credentials.aws_access_key_id.is_empty()
         || aws_credentials.aws_secret_access_key.is_empty()
     {
@@ -44,11 +50,7 @@ pub fn generate_auth_proof(
         return Err("Missing org UUID for delegated auth".into());
     }
 
-    let sts_host = if region.is_empty() {
-        "sts.amazonaws.com".to_string()
-    } else {
-        format!("sts.{region}.amazonaws.com")
-    };
+    let sts_host = format!("sts.{region}.amazonaws.com");
     let sts_url = format!("https://{sts_host}");
 
     let now = Utc::now();
@@ -87,12 +89,7 @@ pub fn generate_auth_proof(
     );
 
     let algorithm = "AWS4-HMAC-SHA256";
-    let effective_region = if region.is_empty() {
-        "us-east-1"
-    } else {
-        region
-    };
-    let credential_scope = format!("{date_stamp}/{effective_region}/{STS_SERVICE}/aws4_request");
+    let credential_scope = format!("{date_stamp}/{region}/{STS_SERVICE}/aws4_request");
     let string_to_sign = format!(
         "{algorithm}\n{amz_date}\n{credential_scope}\n{}",
         hex::encode(Sha256::digest(canonical_request.as_bytes()))
@@ -101,7 +98,7 @@ pub fn generate_auth_proof(
     let signing_key = get_aws4_signature_key(
         &aws_credentials.aws_secret_access_key,
         &date_stamp,
-        effective_region,
+        region,
         STS_SERVICE,
     )?;
 
@@ -292,28 +289,4 @@ mod tests {
         );
     }
 
-    #[test]
-    fn test_generate_auth_proof_default_region() {
-        let creds = AwsCredentials {
-            aws_access_key_id: "AKIDEXAMPLE".to_string(),
-            aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY".to_string(),
-            aws_session_token: String::new(),
-            aws_container_credentials_full_uri: String::new(),
-            aws_container_authorization_token: String::new(),
-        };
-
-        // Empty region should use global STS endpoint
-        let result = generate_auth_proof(&creds, "", "test-org-uuid");
-        assert!(result.is_ok());
-
-        let proof = result.expect("Failed to generate auth proof");
-        let parts: Vec<&str> = proof.split('|').collect();
-        let url = String::from_utf8(
-            BASE64_STANDARD
-                .decode(parts[3])
-                .expect("Failed to decode base64 URL"),
-        )
-        .expect("Failed to convert URL to UTF-8");
-        assert!(url.contains("sts.amazonaws.com"));
-    }
 }