
Module validation


Profile validation — sts:GetCallerIdentity for AWS, list_buckets probe for compat providers.

§Design

  • AWS profiles (no endpoint_url): call sts:GetCallerIdentity via aws-sdk-sts. This surfaces the account and arn of the caller.
  • Compat providers (has endpoint_url): call s3:ListBuckets as the probe because STS may not be supported at those endpoints.

§Error mapping

SDK errors are centralized in map_sts_error / map_s3_list_error. Adding a new SDK error code means adding one arm to those functions — no other code changes.

§OCP

  • ProviderKind enum is open for new variants (Sso, FederatedEnterprise).
  • validate_profile accepts an injected &ClientPool — testable with real LocalStack or a mock.
  • The validate_with_caller<F> helper exposes pure error-mapping logic to unit tests without making any AWS SDK call.
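The probe selection, the single error-mapping function and the injected-caller pattern described above, as an added sketch that is not the crate's own code: the AppError variants, the function signatures and the string error codes passed to the mapper are assumptions made for illustration, and the sample identity is constructed.

```rust
// Added illustration: all types and signatures below are hypothetical, not the crate's.
#[derive(Debug, PartialEq)]
pub enum ProviderKind { Aws, Compat }
#[derive(Debug, PartialEq)]
pub enum AppError { InvalidCredentials, ExpiredCredentials, AccessDenied, Unknown(String) }
#[derive(Debug, PartialEq)]
pub struct CallerIdentity { pub account: String, pub arn: String }
/// A profile with an endpoint_url is a compat provider (assumption: blank counts as unset).
pub fn provider_kind(endpoint_url: Option<&str>) -> ProviderKind {
    match endpoint_url {
        Some(url) if !url.trim().is_empty() => ProviderKind::Compat,
        _ => ProviderKind::Aws,
    }
}

pub fn probe_for(kind: &ProviderKind) -> &'static str {
    match kind {
        ProviderKind::Aws => "sts:GetCallerIdentity",
        ProviderKind::Compat => "s3:ListBuckets", // STS may be absent at these endpoints
    }
}

/// The one place where SDK error codes become AppError: one arm per code.
pub fn map_sts_error(code: &str) -> AppError {
    match code {
        "InvalidClientTokenId" | "SignatureDoesNotMatch" => AppError::InvalidCredentials,
        "ExpiredToken" => AppError::ExpiredCredentials,
        "AccessDenied" => AppError::AccessDenied,
        other => AppError::Unknown(other.to_string()), // unmapped codes stay visible
    }
}

/// Pure logic: the STS call is injected, so unit tests never touch the network.
pub fn validate_with_caller<F>(caller: F) -> Result<CallerIdentity, AppError>
where
    F: FnOnce() -> Result<CallerIdentity, String>,
{
    let id = caller().map_err(|code| map_sts_error(&code))?;
    // Treat an empty account or ARN as a failed probe rather than a success.
    if id.account.is_empty() || id.arn.is_empty() {
        return Err(AppError::Unknown("empty caller identity".into()));
    }
    Ok(id)
}

fn main() {
    // Constructed input: a stubbed STS failure, no network involved.
    let r = validate_with_caller(|| Err("ExpiredToken".to_string()));
    println!("{} -> {:?}", probe_for(&provider_kind(None)), r);
}
```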

Structs§

CallerIdentity
Result type for the STS caller identity response.
ValidationReport
Result of a profile_validate call.

Enums§

ProviderKind
The category of S3 provider a profile targets.

Functions§

build_s3_client_for_compat 🔒
Build an aws_sdk_s3::Client for a compat provider validation probe.
build_sts_client 🔒
Build an aws_sdk_sts::Client for the given profile.
extract_s3_error_parts 🔒
extract_sts_error_parts 🔒
map_s3_list_error 🔒
Categorize a raw S3 ListBuckets SDK error into the canonical AppError.
map_sts_error 🔒
Categorize a raw STS SDK error string into the canonical AppError.
now_unix_ms 🔒
validate_aws 🔒
Inner: AWS path using sts:GetCallerIdentity.
validate_compat 🔒
Inner: compat provider path using s3:ListBuckets.
validate_profile
Validate a profile by running the appropriate probe.
validate_with_caller
Pure validation logic for AWS profiles.