aws · sbaluja · Nov 4, 2025 · Nov 4, 2025 · Nov 5, 2025 · Nov 6, 2025
diff --git a/generated/src/aws-cpp-sdk-dynamodb/include/aws/dynamodb/DynamoDBClient.h b/generated/src/aws-cpp-sdk-dynamodb/include/aws/dynamodb/DynamoDBClient.h
@@ -11,8 +11,8 @@
 #include <aws/dynamodb/DynamoDB_EXPORTS.h>
 #include <smithy/client/AwsSmithyClient.h>
 #include <smithy/client/serializer/JsonOutcomeSerializer.h>
+#include <smithy/identity/auth/built-in/GenericAuthSchemeResolver.h>
 #include <smithy/identity/auth/built-in/SigV4AuthScheme.h>
-#include <smithy/identity/auth/built-in/SigV4AuthSchemeResolver.h>
 
 namespace Aws {
 namespace DynamoDB {
@@ -38,7 +38,7 @@ AWS_DYNAMODB_API extern const char SERVICE_NAME[];
 class AWS_DYNAMODB_API DynamoDBClient
     : Aws::Client::ClientWithAsyncTemplateMethods<DynamoDBClient>,
       smithy::client::AwsSmithyClientT<Aws::DynamoDB::SERVICE_NAME, Aws::DynamoDB::DynamoDBClientConfiguration,
-                                       smithy::SigV4AuthSchemeResolver<>, Aws::Crt::Variant<smithy::SigV4AuthScheme>,
+                                       smithy::AuthSchemeResolverBase<>, Aws::Crt::Variant<smithy::SigV4AuthScheme>,
                                        DynamoDBEndpointProviderBase, smithy::client::JsonOutcomeSerializer, smithy::client::JsonOutcome,
                                        Aws::Client::DynamoDBErrorMarshaller> {
  public:

diff --git a/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp b/generated/src/aws-cpp-sdk-dynamodb/source/DynamoDBClient.cpp
@@ -104,7 +104,8 @@ DynamoDBClient::DynamoDBClient(const DynamoDB::DynamoDBClientConfiguration& clie
     : AwsSmithyClientT(clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
                        Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG),
                        endpointProvider ? endpointProvider : Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-                       Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
+                       Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+                           ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
                        {
                            {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
                             smithy::SigV4AuthScheme{GetServiceName(), clientConfiguration.region}},
@@ -116,7 +117,8 @@ DynamoDBClient::DynamoDBClient(const AWSCredentials& credentials, std::shared_pt
           clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
           Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG),
           endpointProvider ? endpointProvider : Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-          Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
+          Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+              ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
           {
               {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
                smithy::SigV4AuthScheme{Aws::MakeShared<smithy::SimpleAwsCredentialIdentityResolver>(ALLOCATION_TAG, credentials),
@@ -130,37 +132,50 @@ DynamoDBClient::DynamoDBClient(const std::shared_ptr<AWSCredentialsProvider>& cr
           clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
           Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG),
           endpointProvider ? endpointProvider : Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-          Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
-          {{smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
-            smithy::SigV4AuthScheme{Aws::MakeShared<smithy::AwsCredentialsProviderIdentityResolver>(ALLOCATION_TAG, credentialsProvider),
-                                    GetServiceName(), clientConfiguration.region}}}) {}
+          Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+              ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
+          {
+              {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
+               smithy::SigV4AuthScheme{Aws::MakeShared<smithy::AwsCredentialsProviderIdentityResolver>(ALLOCATION_TAG, credentialsProvider),
+                                       GetServiceName(), clientConfiguration.region}},
+          }) {}
 
 /* Legacy constructors due deprecation */
 DynamoDBClient::DynamoDBClient(const Client::ClientConfiguration& clientConfiguration)
     : AwsSmithyClientT(clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
                        Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG), Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-                       Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
-                       {{smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
-                         smithy::SigV4AuthScheme{Aws::MakeShared<smithy::DefaultAwsCredentialIdentityResolver>(ALLOCATION_TAG),
-                                                 GetServiceName(), clientConfiguration.region}}}) {}
+                       Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+                           ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
+                       {
+                           {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
+                            smithy::SigV4AuthScheme{Aws::MakeShared<smithy::DefaultAwsCredentialIdentityResolver>(ALLOCATION_TAG),
+                                                    GetServiceName(), clientConfiguration.region}},
+                       }) {}
 
 DynamoDBClient::DynamoDBClient(const AWSCredentials& credentials, const Client::ClientConfiguration& clientConfiguration)
-    : AwsSmithyClientT(clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
-                       Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG), Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-                       Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
-                       {{smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
-                         smithy::SigV4AuthScheme{Aws::MakeShared<smithy::SimpleAwsCredentialIdentityResolver>(ALLOCATION_TAG, credentials),
-                                                 GetServiceName(), clientConfiguration.region}}}) {}
+    : AwsSmithyClientT(
+          clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
+          Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG), Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
+          Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+              ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
+          {
+              {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
+               smithy::SigV4AuthScheme{Aws::MakeShared<smithy::SimpleAwsCredentialIdentityResolver>(ALLOCATION_TAG, credentials),
+                                       GetServiceName(), clientConfiguration.region}},
+          }) {}
 
 DynamoDBClient::DynamoDBClient(const std::shared_ptr<AWSCredentialsProvider>& credentialsProvider,
                                const Client::ClientConfiguration& clientConfiguration)
     : AwsSmithyClientT(
           clientConfiguration, GetServiceName(), "DynamoDB", Aws::Http::CreateHttpClient(clientConfiguration),
           Aws::MakeShared<DynamoDBErrorMarshaller>(ALLOCATION_TAG), Aws::MakeShared<DynamoDBEndpointProvider>(ALLOCATION_TAG),
-          Aws::MakeShared<smithy::SigV4AuthSchemeResolver<>>(ALLOCATION_TAG),
-          {{smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
-            smithy::SigV4AuthScheme{Aws::MakeShared<smithy::AwsCredentialsProviderIdentityResolver>(ALLOCATION_TAG, credentialsProvider),
-                                    GetServiceName(), clientConfiguration.region}}}) {}
+          Aws::MakeShared<smithy::GenericAuthSchemeResolver<>>(
+              ALLOCATION_TAG, Aws::Vector<smithy::AuthSchemeOption>({smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption})),
+          {
+              {smithy::SigV4AuthSchemeOption::sigV4AuthSchemeOption.schemeId,
+               smithy::SigV4AuthScheme{Aws::MakeShared<smithy::AwsCredentialsProviderIdentityResolver>(ALLOCATION_TAG, credentialsProvider),
+                                       GetServiceName(), clientConfiguration.region}},
+          }) {}
 /* End of legacy constructors due deprecation */
 
 DynamoDBClient::~DynamoDBClient() { ShutdownSdkClient(this, -1); }

diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -563,6 +563,12 @@ namespace Aws
               std::chrono::milliseconds credentialCacheCacheTTL = std::chrono::minutes(50);
             } stsCredentialsProviderConfig;
           } credentialProviderConfig;
+
+          /**
+           * Authentication scheme preferences in order of preference.
+           * First available auth scheme will be used for each operation.
+           */
+          Aws::Vector<Aws::String> authPreferences;
         };
 
         /**

diff --git a/src/aws-cpp-sdk-core/include/smithy/client/AwsSmithyClient.h b/src/aws-cpp-sdk-core/include/smithy/client/AwsSmithyClient.h
@@ -163,6 +163,7 @@ namespace client
             identityParams.serviceName = m_serviceName;
             identityParams.operation = ctx.m_requestName;
             identityParams.region = m_clientConfiguration.region;
+            identityParams.authPreferences = m_clientConfiguration.authPreferences;
 
             if (ctx.m_pRequest) {
                 // refactor once auth scheme resolver will use it's own rule set

diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/AuthSchemeResolverBase.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/AuthSchemeResolverBase.h
@@ -8,10 +8,23 @@
 #include <smithy/identity/signer/AwsSignerBase.h>
 
 #include <aws/crt/Variant.h>
-#include <aws/core/utils/memory/stl/AWSMap.h>
-
+#include <aws/core/utils/memory/stl/AWSVector.h>
 
 namespace smithy {
+
+static const char SIGV4_PREFERENCE[] = "sigv4";
+static const char SIGV4A_PREFERENCE[] = "sigv4a";
+static const char BEARER_PREFERENCE[] = "bearer";
+static const char NO_AUTH_PREFERENCE[] = "noauth";
+
+// Global map from auth scheme name (trimmed ID) to full ID for case insensitive lookup
+static const Aws::Array<std::pair<const char*, const char*>, 4> AUTH_SCHEME_NAME_TO_ID = {
+    std::make_pair(SIGV4_PREFERENCE, "aws.auth#sigv4"),
+    std::make_pair(SIGV4A_PREFERENCE, "aws.auth#sigv4a"),
+    std::make_pair(BEARER_PREFERENCE, "smithy.api#HTTPBearerAuth"),
+    std::make_pair(NO_AUTH_PREFERENCE, "smithy.api#noAuth")
+};
+
 /**
 * A base interface for code-generated interfaces for passing in the data required for determining the
 * authentication scheme. By default, this only includes the operation name.
@@ -22,6 +35,7 @@ class DefaultAuthSchemeResolverParameters
   Aws::String serviceName;
   Aws::String operation;
   Aws::Crt::Optional<Aws::String> region;
+  Aws::Vector<Aws::String> authPreferences;
 
   Aws::UnorderedMap<Aws::String, Aws::Crt::Variant<Aws::String,
           bool,
@@ -43,7 +57,31 @@ class AuthSchemeResolverBase
   using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
 
   virtual ~AuthSchemeResolverBase() = default;
-  // AuthScheme Resolver returns a list of AuthSchemeOptions for some reason, according to the SRA...
-  virtual Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) = 0;
+
+  virtual Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) {
+    auto options = resolveAuthSchemeImpl(identityProperties);
+    return filterByPreferences(options, identityProperties.authPreferences);
+  }
+
+protected:
+  virtual Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) = 0;
+
+  virtual Aws::Vector<AuthSchemeOption> filterByPreferences(const Aws::Vector<AuthSchemeOption>& options, 
+                                                           const Aws::Vector<Aws::String>& preferences) {
+    if (preferences.empty()) return options;
+
+    Aws::Vector<AuthSchemeOption> filtered;
+    for (const auto& pref : preferences) {
+      auto prefSchemeIt = find_if(AUTH_SCHEME_NAME_TO_ID.begin(), AUTH_SCHEME_NAME_TO_ID.end(), [&](const std::pair<const char*, const char*> &pair) { return Aws::Utils::StringUtils::ToLower(pref.c_str()) == pair.first; });
+      if (prefSchemeIt == AUTH_SCHEME_NAME_TO_ID.end()) continue;
+      for (const auto& option : options) {
+        if (strcmp(option.schemeId, prefSchemeIt->second) == 0) {
+          filtered.push_back(option);
+          break;
+        }
+      }
+    }
+    return filtered.empty() ? options : filtered;
+  }
 };
 }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/BearerTokenAuthScheme.h
@@ -11,6 +11,8 @@
 #include <smithy/identity/signer/built-in/BearerTokenSigner.h>
 namespace smithy
 {
+constexpr char BEARER[] = "smithy.api#HTTPBearerAuth";
+
 class BearerTokenAuthScheme : public AuthScheme<AwsBearerTokenIdentityBase>
 {
   public:
@@ -22,7 +24,7 @@ class BearerTokenAuthScheme : public AuthScheme<AwsBearerTokenIdentityBase>
     explicit BearerTokenAuthScheme(
         std::shared_ptr<AwsCredentialIdentityResolverT> identityResolver,
         const Aws::String &serviceName, const Aws::String &region)
-        : AuthScheme("smithy.api#HTTPBearerAuth"),
+        : AuthScheme(BEARER),
           m_identityResolver{identityResolver},
           m_signer{Aws::MakeShared<smithy::BearerTokenSigner>(
               "BearerTokenAuthScheme", serviceName, region)}

diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/GenericAuthSchemeResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/GenericAuthSchemeResolver.h
@@ -0,0 +1,30 @@
+/**
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#pragma once
+
+#include <smithy/identity/auth/AuthSchemeResolverBase.h>
+
+
+namespace smithy {
+    template<typename ServiceAuthSchemeParametersT = DefaultAuthSchemeResolverParameters>
+    class GenericAuthSchemeResolver : public AuthSchemeResolverBase<ServiceAuthSchemeParametersT>
+    {
+    public:
+        using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
+        GenericAuthSchemeResolver(const Aws::Vector<AuthSchemeOption>& allowedAuth) : m_allowedAuth(allowedAuth) {}
+        GenericAuthSchemeResolver() = default;
+        virtual ~GenericAuthSchemeResolver() = default;
+
+    private:
+      Aws::Vector<AuthSchemeOption> m_allowedAuth;
+
+    protected:
+        Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) override
+        {
+          AWS_UNREFERENCED_PARAM(identityProperties);
+          return m_allowedAuth;
+        }
+    };
+}
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4MultiAuthResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/auth/built-in/SigV4MultiAuthResolver.h
@@ -12,12 +12,18 @@
 #include <smithy/identity/auth/built-in/SigV4aAuthSchemeOption.h>
 #include <smithy/identity/auth/built-in/SigV4AuthScheme.h>
 
+/**
+ * This is an auth scheme resolver prioritizing endpoints2.0 auth resolution
+ * used for s3 which supersedes the model based auth resolution we do in GenericAuthResolver.
+ */
+
 namespace smithy {
     template<typename EndPointProviderType, typename ClientConfigType,typename ServiceAuthSchemeParametersT = DefaultAuthSchemeResolverParameters>
     class SigV4MultiAuthSchemeResolver : public AuthSchemeResolverBase<ServiceAuthSchemeParametersT, ClientConfigType>
     {
-    private:
     public:
+        SigV4MultiAuthSchemeResolver(const Aws::Vector<AuthSchemeOption>& allowedAuth) : m_allowedAuth(allowedAuth) {}
+        SigV4MultiAuthSchemeResolver() = default;
 
         void Init(const ClientConfigType& config) override{
             m_endpointProviderForAuth = Aws::MakeShared<EndPointProviderType>("SigV4MultiAuthSchemeResolver");
@@ -27,8 +33,12 @@ namespace smithy {
         using ServiceAuthSchemeParameters = ServiceAuthSchemeParametersT;
         virtual ~SigV4MultiAuthSchemeResolver() = default;
 
-        Aws::Vector<AuthSchemeOption> resolveAuthScheme(const ServiceAuthSchemeParameters& identityProperties) override
+        Aws::Vector<AuthSchemeOption> resolveAuthSchemeImpl(const ServiceAuthSchemeParameters& identityProperties) override
         {
+            if (!m_allowedAuth.empty()) {
+              // This code path will not currently be taken, but we should enable a way for the user to disable preference for endpoints2.0 resolution and use the preference list
+              return m_allowedAuth;
+            }
             //pack endpoint params from identityProperties
             Aws::Endpoint::EndpointParameters epParams;
 
@@ -66,6 +76,10 @@ namespace smithy {
 
             return {SigV4AuthSchemeOption::sigV4AuthSchemeOption};
         }
+
+    private:
+      Aws::Vector<AuthSchemeOption> m_allowedAuth;
+
     protected:
         std::shared_ptr<EndPointProviderType> m_endpointProviderForAuth;
     };

diff --git a/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp b/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp
@@ -188,6 +188,18 @@ Aws::String calculateRegion() {
   return "";
 }
 
+
+Aws::Vector<Aws::String> calculateAuthPreferences() {
+  // Automatically determine the AWS region from environment variables, configuration file and EC2 metadata.
+  Aws::Vector<Aws::String> res;
+  auto prefs = Aws::Environment::GetEnv("AWS_AUTH_SCHEME_PREFERENCE");
+  Aws::Vector<Aws::String> prefsList  = Aws::Utils::StringUtils::Split(prefs, ',');
+  for (auto& pref : prefsList) {
+    res.push_back(Aws::Utils::StringUtils::Trim(pref.c_str()));
+  }
+  return res;
+}
+
 void setLegacyClientConfigurationParameters(ClientConfiguration& clientConfig)
 {
     clientConfig.scheme = Aws::Http::Scheme::HTTPS;
@@ -251,6 +263,7 @@ void setLegacyClientConfigurationParameters(ClientConfiguration& clientConfig)
 
     clientConfig.region = calculateRegion();
     clientConfig.credentialProviderConfig.region = clientConfig.region;
+    clientConfig.authPreferences = calculateAuthPreferences();
 
     // Set the endpoint to interact with EC2 instance's metadata service
     Aws::String ec2MetadataServiceEndpoint = Aws::Environment::GetEnv("AWS_EC2_METADATA_SERVICE_ENDPOINT");