Fix credential_process failing when executable path contains spaces on Windows.

ashishdhingra · ashishdhingra · commit 91a75b965e16 · 2026-05-22T13:41:21.000-07:00
diff --git a/generator/.DevConfigs/a2e30a7f-6345-4090-95b9-4f8f09819413.json b/generator/.DevConfigs/a2e30a7f-6345-4090-95b9-4f8f09819413.json
@@ -0,0 +1,9 @@
+{
+  "core": {
+    "changeLogMessages": [
+      "Fix credential_process failing when executable path contains spaces on Windows."
+    ],
+    "type": "patch",
+    "updateMinimum": false
+  }
+}
diff --git a/sdk/src/Core/Amazon.Runtime/Credentials/ProcessAWSCredentials.cs b/sdk/src/Core/Amazon.Runtime/Credentials/ProcessAWSCredentials.cs
@@ -74,19 +74,24 @@ public ProcessAWSCredentials(string processCredentialInfo) : this(processCredent
         public ProcessAWSCredentials(string processCredentialInfo, string accountId)
         {
             processCredentialInfo = processCredentialInfo.Trim();
-
-            //Default to cmd on Windows since that is the only thing BCL runs on.
-            var fileName = "cmd.exe";
-            var arguments = $@"/c {processCredentialInfo}";
             _accountId = accountId;
+
+            string fileName;
+            string arguments;
+
 #if NETSTANDARD
-            //If it is netstandard and not running on Windows use sh.
-            if(!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))            
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
                 fileName = "sh";
-                var escapedArgs = processCredentialInfo.Replace("\\", "\\\\").Replace("\"", "\\\"");    
+                var escapedArgs = processCredentialInfo.Replace("\\", "\\\\").Replace("\"", "\\\"");
                 arguments = $"-c \"{escapedArgs}\"";
             }
+            else
+            {
+                (fileName, arguments) = ParseCredentialProcessCommand(processCredentialInfo);
+            }
+#else
+            (fileName, arguments) = ParseCredentialProcessCommand(processCredentialInfo);
 #endif
             _processStartInfo = new ProcessStartInfo
             {
@@ -164,6 +169,57 @@ public async Task<CredentialsRefreshState> DetermineProcessCredentialAsync()
         #endregion
 
         #region Private methods
+
+        /// <summary>
+        /// Parses the credential_process command string into an executable path and arguments,
+        /// correctly handling double-quoted paths that contain spaces per the AWS SDK specification
+        /// (https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html).
+        /// This avoids using cmd.exe, which has issues with quoted paths
+        /// and hangs when cmd.exe is disabled via Group Policy.
+        /// </summary>
+        private static (string FileName, string Arguments) ParseCredentialProcessCommand(string command)
+        {
+            if (string.IsNullOrEmpty(command))
+            {
+                return (string.Empty, string.Empty);
+            }
+
+            string fileName;
+            string arguments;
+
+            if (command[0] == '"')
+            {
+                var closingQuote = command.IndexOf('"', 1);
+                if (closingQuote == -1)
+                {
+                    // Fail fast on malformed input, consistent with botocore's _windows_shell_split().
+                    throw new ProcessAWSCredentialException(
+                        "No closing quotation mark found in credential_process command.");
+                }
+
+                fileName = command.Substring(1, closingQuote - 1);
+                arguments = closingQuote + 1 < command.Length
+                    ? command.Substring(closingQuote + 1).TrimStart()
+                    : string.Empty;
+            }
+            else
+            {
+                var spaceIndex = command.IndexOfAny(new[] { ' ', '\t' });
+                if (spaceIndex == -1)
+                {
+                    fileName = command;
+                    arguments = string.Empty;
+                }
+                else
+                {
+                    fileName = command.Substring(0, spaceIndex);
+                    arguments = command.Substring(spaceIndex + 1).TrimStart();
+                }
+            }
+
+            return (fileName, arguments);
+        }
+
         [SuppressMessage("Microsoft.Security", "CA2122:DoNotIndirectlyExposeMethodsWithLinkDemands")]
         private CredentialsRefreshState SetCredentialsRefreshState(ProcessExecutionResult processInfo)
         {    
diff --git a/sdk/test/UnitTests/Custom/Runtime/Credentials/ProcessAWSCredentialsTest.cs b/sdk/test/UnitTests/Custom/Runtime/Credentials/ProcessAWSCredentialsTest.cs
@@ -149,5 +149,81 @@ public void ValidateRequiredFieldsCheck()
             }
         }
 #endif
+
+        [TestMethod]
+        public void QuotedExecutablePathWithSpaces()
+        {
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return;
+            }
+
+            var dirWithSpace = Path.Combine(Path.GetTempPath(), $"aws sdk test {Guid.NewGuid():N}");
+            Directory.CreateDirectory(dirWithSpace);
+
+            try
+            {
+                var scriptCopy = Path.Combine(dirWithSpace, "windows-credentials-script.bat");
+                File.Copy(Executable, scriptCopy, overwrite: true);
+
+                var processCredential = new ProcessAWSCredentials(
+                    $"\"{scriptCopy}\" {ArgumentsBasic} {ValidVersionNumber}");
+                var credentialsRefreshState = processCredential.DetermineProcessCredential();
+                Assert.AreEqual(ActualAccessKey, credentialsRefreshState.Credentials.AccessKey);
+                Assert.AreEqual(ActualSecretKey, credentialsRefreshState.Credentials.SecretKey);
+            }
+            finally
+            {
+                Directory.Delete(dirWithSpace, recursive: true);
+            }
+        }
+
+        [TestMethod]
+        public void UnquotedExecutablePathWithoutSpaces()
+        {
+            var processCredential = new ProcessAWSCredentials(
+                $"{Executable} {ArgumentsBasic} {ValidVersionNumber}");
+            var credentialsRefreshState = processCredential.DetermineProcessCredential();
+            Assert.AreEqual(ActualAccessKey, credentialsRefreshState.Credentials.AccessKey);
+            Assert.AreEqual(ActualSecretKey, credentialsRefreshState.Credentials.SecretKey);
+        }
+
+
+        [TestMethod]
+        public void QuotedExecutablePathWithMultipleArguments()
+        {
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return;
+            }
+
+            var dirWithSpace = Path.Combine(Path.GetTempPath(), $"aws sdk test {Guid.NewGuid():N}");
+            Directory.CreateDirectory(dirWithSpace);
+
+            try
+            {
+                var scriptCopy = Path.Combine(dirWithSpace, "windows-credentials-script.bat");
+                File.Copy(Executable, scriptCopy, overwrite: true);
+
+                var processCredential = new ProcessAWSCredentials(
+                    $"\"{scriptCopy}\" {ArgumentsSession} {ValidVersionNumber}");
+                var credentialsRefreshState = processCredential.DetermineProcessCredential();
+                Assert.AreEqual(ActualAccessKey, credentialsRefreshState.Credentials.AccessKey);
+                Assert.AreEqual(ActualSecretKey, credentialsRefreshState.Credentials.SecretKey);
+                Assert.IsNotNull(credentialsRefreshState.Credentials.Token);
+            }
+            finally
+            {
+                Directory.Delete(dirWithSpace, recursive: true);
+            }
+        }
+
+        [TestMethod]
+        public void UnmatchedDoubleQuoteThrows()
+        {
+            Assert.ThrowsException<ProcessAWSCredentialException>(() =>
+                new ProcessAWSCredentials("\"C:\\Program Files\\foo.exe").DetermineProcessCredential());
+        }
+
     }
 }
