bind out proxy settings for profile and web identity creds provider

sbiscigl · sbiscigl · commit b04afad4bf21 · 2026-03-30T12:01:20.000-04:00
diff --git a/include/aws/crt/auth/Credentials.h b/include/aws/crt/auth/Credentials.h
@@ -209,6 +209,11 @@ namespace Aws
                  * If using BYO_CRYPTO, you must provide the TLS context since it cannot be created automatically.
                  */
                 Io::TlsContext *TlsContext;
+
+                /**
+                 * (Optional) Http proxy configuration for the http request that fetches credentials.
+                 */
+                Optional<Http::ProxyEnvVarOptions> ProxyEnvVarOptions;
             };
 
             /**
@@ -492,6 +497,11 @@ namespace Aws
                  * TLS configuration for secure socket connections.
                  */
                 Io::TlsConnectionOptions TlsConnectionOptions;
+
+                /**
+                 * (Optional) Http proxy configuration for the http request that fetches credentials.
+                 */
+                Optional<Http::ProxyEnvVarOptions> ProxyEnvVarOptions;
             };
 
             /**
diff --git a/include/aws/crt/http/HttpConnection.h b/include/aws/crt/http/HttpConnection.h
@@ -340,6 +340,72 @@ namespace Aws
                 String BasicAuthPassword;
             };
 
+            /**
+             * Configuration to enable or disable environment variable based proxy lookup.
+             */
+            enum class ProxyEnvVarType
+            {
+                /**
+                 * Default.
+                 * Disable reading from environment variable for proxy.
+                 */
+                Disabled = AWS_HPEV_DISABLE,
+                /**
+                 * Enable get proxy URL from environment variable, when the manual proxy options of connection manager
+                 * is not set. env HTTPS_PROXY/https_proxy will be checked when the main connection use tls. env
+                 * HTTP_PROXY/http_proxy will be checked when the main connection NOT use tls. env NO_PROXY/no_proxy
+                 * will be checked to bypass proxy if the host match the pattern. Check `aws_http_host_matches_no_proxy`
+                 * for detail. This function can also be used with a direct no_proxy parameter. The lower case version
+                 * has precedence.
+                 */
+                Enabled = AWS_HPEV_ENABLE,
+            };
+
+            /**
+             * Configuration structure that holds all proxy-related http connection options
+             */
+            class AWS_CRT_CPP_API ProxyEnvVarOptions
+            {
+              public:
+                ProxyEnvVarOptions();
+                ProxyEnvVarOptions(const ProxyEnvVarOptions &rhs) = default;
+                ProxyEnvVarOptions(ProxyEnvVarOptions &&rhs) = default;
+
+                ProxyEnvVarOptions &operator=(const ProxyEnvVarOptions &rhs) = default;
+                ProxyEnvVarOptions &operator=(ProxyEnvVarOptions &&rhs) = default;
+
+                ~ProxyEnvVarOptions() = default;
+
+                /**
+                 * Intended for internal use only.  Initializes the C proxy configuration structure,
+                 * aws_http_proxy_options, from an HttpClientConnectionProxyOptions instance.
+                 *
+                 * @param raw_options - output parameter containing low level proxy options to be passed to the C
+                 * interface
+                 *
+                 */
+                void InitializeRawProxyOptions(struct proxy_env_var_settings &raw_options) const;
+
+                /**
+                 * Enables or disables env var lookup for proxy variables.
+                 */
+                ProxyEnvVarType proxyEnvVarType;
+
+                /**
+                 * Optional.
+                 * If not set:
+                 * If tls options are provided (for the main connection) use tunnel proxy type
+                 * If tls options are not provided (for the main connection) use forward proxy type
+                 */
+                AwsHttpProxyConnectionType connectionType;
+
+                /**
+                 * Sets the TLS options for the connection to the proxy.
+                 * Optional.
+                 */
+                Optional<Io::TlsConnectionOptions> TlsOptions;
+            };
+
             /**
              * Configuration structure holding all options relating to http connection establishment
              */
diff --git a/source/auth/Credentials.cpp b/source/auth/Credentials.cpp
@@ -238,6 +238,15 @@ namespace Aws
                 raw_config.profile_name_override = config.ProfileNameOverride;
                 raw_config.bootstrap = config.Bootstrap ? config.Bootstrap->GetUnderlyingHandle() : nullptr;
                 raw_config.tls_ctx = config.TlsContext ? config.TlsContext->GetUnderlyingHandle() : nullptr;
+                struct proxy_env_var_settings proxy_options;
+                AWS_ZERO_STRUCT(proxy_options);
+                if (config.ProxyEnvVarOptions.has_value())
+                {
+                    const Http::ProxyEnvVarOptions &proxy_config = config.ProxyEnvVarOptions.value();
+                    proxy_config.InitializeRawProxyOptions(proxy_options);
+
+                    raw_config.proxy_ev_settings = &proxy_options;
+                }
 
                 return s_CreateWrappedProvider(aws_credentials_provider_new_profile(allocator, &raw_config), allocator);
             }
@@ -511,6 +520,17 @@ namespace Aws
                 {
                     raw_config.tls_ctx = connectionOptions->ctx;
                 }
+
+                struct proxy_env_var_settings proxy_options;
+                AWS_ZERO_STRUCT(proxy_options);
+                if (config.ProxyEnvVarOptions.has_value())
+                {
+                    const Http::ProxyEnvVarOptions &proxy_config = config.ProxyEnvVarOptions.value();
+                    proxy_config.InitializeRawProxyOptions(proxy_options);
+
+                    raw_config.proxy_ev_settings = &proxy_options;
+                }
+
                 return s_CreateWrappedProvider(
                     aws_credentials_provider_new_sts_web_identity(allocator, &raw_config), allocator);
             }
diff --git a/source/http/HttpConnection.cpp b/source/http/HttpConnection.cpp
@@ -398,6 +398,18 @@ namespace Aws
                 }
             }
 
+            void ProxyEnvVarOptions::InitializeRawProxyOptions(struct proxy_env_var_settings &rawOptions) const
+            {
+                AWS_ZERO_STRUCT(rawOptions);
+                rawOptions.env_var_type = (enum aws_http_proxy_env_var_type)proxyEnvVarType;
+                rawOptions.connection_type = (enum aws_http_proxy_connection_type)connectionType;
+
+                if (TlsOptions.has_value())
+                {
+                    rawOptions.tls_options = TlsOptions->GetUnderlyingHandle();
+                }
+            }
+
             HttpClientConnectionOptions::HttpClientConnectionOptions()
                 : Bootstrap(nullptr), InitialWindowSize(SIZE_MAX), OnConnectionSetupCallback(),
                   OnConnectionShutdownCallback(), HostName(), Port(0), SocketOptions(), TlsOptions(), ProxyOptions(),
