AmazonDynamoDBEndpointResolver throws NullReferenceException with AnonymousAWSCredentials

[martincostello]

Describe the bug

AmazonDynamoDBEndpointResolver.MapEndpointsParameters() (and possibly other implementations of BaseEndpointResolver) do not handle the case where the AWS credentials associated with the request are an instance of AnonymousAWSCredentials:

aws-sdk-net/sdk/src/Services/DynamoDBv2/Generated/Internal/AmazonDynamoDBEndpointResolver.cs

Line 57 in 1060dd1

result.AccountId = requestContext.Identity is AWSCredentials credentials ? credentials.GetCredentials().AccountId : null;

The GetCredentials() method returns null, so the attempt to get the AWS account ID fails:

aws-sdk-net/sdk/src/Core/Amazon.Runtime/Credentials/AnonymousAWSCredentials.cs

Lines 31 to 34 in 1060dd1

	public override ImmutableCredentials GetCredentials()
	{
	return null;
	}

While using AnonymousAWSCredentials with a real services that require credentials is unlikely for production applications, this is a commonly used type within tests such as this one (which is how I found this).

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Either the code handles the case successfully, or throws a meaningful exception (preferably the former).

Current Behavior

A NullReferenceException is thrown.

Message: 
System.NullReferenceException : Object reference not set to an instance of an object.

Stack Trace: 
AmazonDynamoDBEndpointResolver.MapEndpointsParameters(IRequestContext requestContext)
BaseEndpointResolver.ProcessRequestHandlers(IExecutionContext executionContext)
BaseEndpointResolver.PreInvoke(IExecutionContext executionContext)
BaseEndpointResolver.InvokeSync(IExecutionContext executionContext)
AWSTracingPipelineHandler.InvokeSync(IExecutionContext executionContext) line 35
CallbackHandler.InvokeSync(IExecutionContext executionContext)
ErrorCallbackHandler.InvokeSync(IExecutionContext executionContext)
MetricsHandler.InvokeSync(IExecutionContext executionContext)
BindingRedirectCheckHandler.InvokeSync(IExecutionContext executionContext)
RuntimePipeline.InvokeSync(IExecutionContext executionContext)
AmazonServiceClient.Invoke[TResponse](AmazonWebServiceRequest request, InvokeOptionsBase options)
TestAWSClientInstrumentation.TestDDBScanSuccessful() line 58

Reproduction Steps

var credentials = new AnonymousAWSCredentials();
var ddb = new AmazonDynamoDBClient(credentials, RegionEndpoint.USEast1);
var request = new ScanRequest
{
    TableName = "SampleProduct",
    AttributesToGet = ["Id", "Name"],
};
await ddb.ScanAsync(request);

Possible Solution

- result.AccountId = requestContext.Identity is AWSCredentials credentials ? credentials.GetCredentials().AccountId : null;
+ result.AccountId = requestContext.Identity is AWSCredentials credentials ? credentials.GetCredentials()?.AccountId : null;

Additional Information/Context

Found while attempting to implement open-telemetry/opentelemetry-dotnet-contrib#2719.

AWS .NET SDK and/or Package version used

AWSSDK.DynamoDBv2 4.0.0.

Targeted .NET Platform

.NET 8

Operating System and version

Windows 11

[martincostello]

I can only find one instance of this pattern in the code. Looks like the fix needs to go here:

aws-sdk-net/generator/ServiceClientGeneratorLib/Generators/Endpoints/EndpointResolver.partial.cs

Line 28 in 1060dd1

case "AWS::Auth::AccountId": return "requestContext.Identity is AWSCredentials credentials ? credentials.GetCredentials().AccountId : null";

[dscpinheiro]

This is related to the support for Account-based endpoints we added in V4. It's only used by DynamoDB at the moment, but we missed this use case of anonymous credentials (since the actual service always requires SigV4).

I created a PR, it'll get included in today's release if I get the approvals soon.

[dscpinheiro]

We just released an updated DynamoDB package (https://github.com/aws/aws-sdk-net/releases/tag/4.0.1.0), could you try again and let us know if that works?

[martincostello]

So I went to try the fix over in the OTel instrumentation library, and ran into this compilation error (where I only updated DynamoDB in the tests, but left the SUT at 4.0.0):

CSC : error CS1705: Assembly 'AWSSDK.DynamoDBv2' with identity 'AWSSDK.DynamoDBv2, Version=4.0.0.1, Culture=neutral, PublicKeyToken=885c28607f98e604' uses 'AWSSDK.Core, Version=4.0.0.1, Culture=neutral, PublicKeyToken=885c28607f98e604' which has a higher version than referenced assembly 'AWSSDK.Core' with identity 'AWSSDK.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=885c28607f98e604'

Looks like the assembly version is being revisioned with all the other versions rather than being pinned to 4.0.0.0 as is recommended to keep assembly binding identities stable.