Fix NPE when using AnonymousCredentials in a credential provider chain with S3 CRT client. (#6552)

alextwoods · web-flow · commit f3c3b2d59ec5 · 2025-11-10T19:07:41.000Z
diff --git a/.changes/next-release/bugfix-AmazonS3-c6497dc.json b/.changes/next-release/bugfix-AmazonS3-c6497dc.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "Amazon S3",
+    "contributor": "",
+    "description": "Fix NullPointerException when using AnonymousCredentials in a CredentialsChain with the S3 CRT Client."
+}
diff --git a/services/s3/src/main/java/software/amazon/awssdk/services/s3/internal/crt/CrtCredentialsProviderAdapter.java b/services/s3/src/main/java/software/amazon/awssdk/services/s3/internal/crt/CrtCredentialsProviderAdapter.java
@@ -48,6 +48,11 @@ public CrtCredentialsProviderAdapter(IdentityProvider<? extends AwsCredentialsId
 
                 AwsCredentialsIdentity sdkCredentials =
                     CompletableFutureUtils.joinLikeSync(credentialsProvider.resolveIdentity());
+
+                if (sdkCredentials.providerName().map("AnonymousCredentialsProvider"::equals).orElse(false)) {
+                    return Credentials.createAnonymousCredentials();
+                }
+
                 byte[] accessKey = sdkCredentials.accessKeyId().getBytes(StandardCharsets.UTF_8);
                 byte[] secreteKey = sdkCredentials.secretAccessKey().getBytes(StandardCharsets.UTF_8);
 
diff --git a/services/s3/src/test/java/software/amazon/awssdk/services/s3/internal/crt/CrtCredentialProviderAdapterTest.java b/services/s3/src/test/java/software/amazon/awssdk/services/s3/internal/crt/CrtCredentialProviderAdapterTest.java
@@ -25,6 +25,7 @@
 import org.mockito.Mockito;
 import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.auth.credentials.HttpCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -96,4 +97,21 @@ void crtCredentials_anonymousCredentialsProvider_shouldWork() {
         assertThat(crtCredentials.getAccessKeyId()).isNull();
         assertThat(crtCredentials.getSecretAccessKey()).isNull();
     }
+
+    @Test
+    void crtCredentials_anonymousCredentialsProviderFromChain_shouldWork() {
+        IdentityProvider<? extends AwsCredentialsIdentity> awsCredentialsProvider =
+            AwsCredentialsProviderChain
+                .builder()
+                .addCredentialsProvider(AnonymousCredentialsProvider.create())
+                .build();
+
+        CrtCredentialsProviderAdapter adapter = new CrtCredentialsProviderAdapter(awsCredentialsProvider);
+        CredentialsProvider crtCredentialsProvider = adapter.crtCredentials();
+
+        Credentials crtCredentials = crtCredentialsProvider.getCredentials().join();
+
+        assertThat(crtCredentials.getAccessKeyId()).isNull();
+        assertThat(crtCredentials.getSecretAccessKey()).isNull();
+    }
 }
