Allow selecting AWS SDK TLS features#197
Conversation
|
This looks ok to me at first glance. Can you elaborate on your use case? |
Signed-off-by: Simon Marty <martysi@amazon.com>
Signed-off-by: Simon Marty <simon.marty@protonmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #197 +/- ##
=======================================
Coverage 86.27% 86.27%
=======================================
Files 34 34
Lines 9331 9331
Branches 9331 9331
=======================================
Hits 8050 8050
Misses 1148 1148
Partials 133 133 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Hi @simonmarty, thanks for asking. My main use case is dependency-tree control for applications that explicitly manage the AWS SDK HTTP/TLS stack. In our application, we want to use the SDK This matters because enabling At the moment, we need to keep temporary With this PR, existing users keep the current default behavior, while downstream applications can opt out explicitly by using For this TLS-selection use case, the following example should be enough: aws_secretsmanager_caching = { version = "2", default-features = false, features = [
"default-https-client",
"rt-tokio",
] }If an application relies on AWS profiles that use SSO or |
|
Hi @simonmarty, just checking in on this. Have you had a chance to take another look? Let me know if there’s anything else you’d like me to adjust. |
|
Claude finished @simonmarty's task in 4m 36s —— View job Review: PR #197 — Allow selecting AWS SDK TLS features
Thanks @dertin — the motivation is well-explained and the approach (forwarding crate features to the SDK features, keeping Findings1. 2. Feature/crate name collision — inline 3. Version pinning in the README example + missing version bump — inline Things that look good
Suggested follow-ups
Overall a clean, backward-compatible change; the main item to resolve before merge is the |
| rt-tokio = ["aws-config/rt-tokio", "aws-sdk-secretsmanager/rt-tokio"] | ||
| rustls = ["aws-sdk-secretsmanager/rustls"] | ||
| sso = ["aws-config/sso"] | ||
| fips = ["rustls/fips"] |
There was a problem hiding this comment.
fips no longer pulls an HTTP/TLS client on its own.
Before this PR, aws-sdk-secretsmanager/aws-config carried their default features (which included a TLS transport), so a build that only enabled fips still had a working HTTP client. Now that both SDK deps are default-features = false, fips = ["rustls/fips"] only turns on the fips feature of the standalone rustls 0.23 crate — it does not enable default-https-client, rt-tokio, or the SDK rustls feature.
So a downstream build like:
aws_secretsmanager_caching = { version = "2", default-features = false, features = ["fips"] }compiles but has no SDK HTTP client and will fail at runtime when it tries to make a call. Two questions worth confirming:
- Does the standalone
rustls0.23 crate's FIPS provider actually get wired into the SDK's TLS path? Per the PR description the SDKrustlsfeature resolves the legacyaws-smithy-runtime/tls-rustls(rustls 0.21) stack — a different major version — so it's not obviousrustls/fipson 0.23 affects the transport the SDK uses. - If
fipsis meant to be usable standalone, consider making it self-sufficient, e.g.fips = ["rustls/fips", "rustls"](and/or"default-https-client"), plus a README note that FIPS requires the legacyrustlsfeature.
| "aws-sdk-secretsmanager/default-https-client", | ||
| ] | ||
| rt-tokio = ["aws-config/rt-tokio", "aws-sdk-secretsmanager/rt-tokio"] | ||
| rustls = ["aws-sdk-secretsmanager/rustls"] |
There was a problem hiding this comment.
Naming nit: this feature (rustls) shares its name with the non-optional rustls crate dependency below (rustls = "0.23"). Cargo tolerates this, but it makes fips = ["rustls/fips"] (which targets the crate) and rustls = ["aws-sdk-secretsmanager/rustls"] (the feature) read as if they're related when they're not. A distinct name such as sdk-rustls or legacy-tls would make intent clearer and avoid the collision. Non-blocking.
|
|
||
| ```toml | ||
| aws_secretsmanager_caching = { version = "2", default-features = false, features = [ | ||
| "default-https-client", | ||
| "rt-tokio", | ||
| "credentials-process", | ||
| "sso", | ||
| ] } |
There was a problem hiding this comment.
The documented opt-out example uses version = "2", but the crate is currently at 2.1.0 and this new feature wiring only exists from the release that ships this PR. A caret "2" requirement will happily resolve to an older 2.x that lacks these features, and default-features = false there would leave the user with no SDK features at all. Consider pinning the example to the minimum version that introduces these features (e.g. "2.2"), matching whatever version you bump to for this change.
Also, version in the [package] section (line 3) is still 2.1.0 — a feature-adding change like this should bump the minor version so downstreams can require it.
Description
Why is this change being made?
What is changing?
default-https-client,rt-tokio,credentials-process,sso, andrustlsfeatures.aws_secretsmanager_cachingwithdefault-features = falseand the modern HTTPS client feature set.Related Links
Testing
How was this tested?
cargo check -p aws_secretsmanager_cachingcargo check -p aws_secretsmanager_caching --all-featurescargo check -p aws_secretsmanager_caching --no-default-features --features default-https-client,rt-tokio,credentials-process,ssocargo test -p aws_secretsmanager_caching --no-fail-fastcargo test -p aws_secretsmanager_caching --no-default-features --features default-https-client,rt-tokio,credentials-process,sso --no-fail-fastWhen testing locally, provide testing artifact(s):
unused_parenswarnings in tests are still present.Reviewee Checklist
Update the checklist after submitting the PR
If not, why:
If not, why:
If not, why:
If not, why: Not run locally.
If not, why: Not run locally.
If not, why: Not needed; this only changes Cargo feature wiring and README docs.
If not, why:
If not, why: Not needed; no runtime logic was added.
If not, why:
If not, why: No breaking changes. Default features are kept unchanged.
Reviewer Checklist
All reviewers please ensure the following are true before reviewing: