From 280003fb5ea82f5749133f786d2658eff8eee442 Mon Sep 17 00:00:00 2001
From: Khalid Shakir <kshakir@broadinstitute.org>
Date: Mon, 28 Jan 2019 21:06:06 -0500
Subject: [PATCH] Bump libraries and run centaur bcs.

---
 .gitignore                                    |   1 +
 .../labels_bad_workflow.test                  |   2 +-
 .../resources/standardTestCases/prefix.test   |   2 +
 .../standardTestCases/prefix/prefix.options   |   3 +
 .../standardTestCases/valid_labels.test       |   2 +-
 .../src/main/resources/application.conf       |   9 +
 .../src/main/resources/logback.xml            |  18 +
 .../cloud/nio/impl/drs/DrsPathResolver.scala  |   4 -
 .../cloudsupport/aws/AwsConfiguration.scala   |   7 +-
 .../cloudsupport/aws/auth/AwsAuthMode.scala   |  30 +-
 .../cloudsupport/aws/s3/S3Storage.scala       |  27 +-
 .../cloudsupport/aws/s3/S3StorageSpec.scala   |  11 +-
 .../cromwell/docker/DockerInfoActor.scala     |   7 +-
 docs/api/RESTAPI.md                           |  98 +++--
 .../src/main/resources/swagger/cromwell.yaml  |   8 +-
 .../cromwell/jobstore/JobResultSpec.scala     |   6 +-
 .../webservice/SwaggerServiceSpec.scala       |  15 +-
 .../routes/CromwellApiServiceSpec.scala       |  16 +-
 .../java/org/lerch/s3fs/AmazonS3Factory.java  |  35 +-
 .../s3/src/main/java/org/lerch/s3fs/LICENSE   |  22 ++
 .../s3/src/main/java/org/lerch/s3fs/README.md |   9 +
 .../java/org/lerch/s3fs/S3FileChannel.java    |   6 +-
 .../org/lerch/s3fs/S3FileSystemProvider.java  |   8 +-
 .../org/lerch/s3fs/S3SeekableByteChannel.java |   4 +-
 .../java/org/lerch/s3fs/util/S3Utils.java     |   6 +-
 .../filesystems/s3/S3PathBuilder.scala        |  20 +-
 .../filesystems/s3/S3PathBuilderFactory.scala |   2 +-
 .../filesystems/s3/S3PathBuilderSpec.scala    |  12 +-
 project/Dependencies.scala                    | 371 ++++++++++--------
 project/Merging.scala                         |   2 +-
 .../main/scala/statsdproxy/StatsDProxy.scala  |   2 +-
 ...terializeWorkflowDescriptorActorSpec.scala |   3 +-
 src/ci/bin/test.inc.sh                        | 156 +++++---
 src/ci/bin/testCentaurAws.sh                  |   2 +-
 src/ci/bin/testCentaurBcs.sh                  | 166 +++++---
 src/ci/bin/testCentaurTes.sh                  |   6 +-
 src/ci/bin/testConformanceLocal.sh            |   4 +-
 src/ci/bin/testConformancePapiV2.sh           |   4 +-
 src/ci/bin/testConformanceTesk.sh             |   4 +-
 src/ci/bin/test_bcs.inc.sh                    | 130 ++++++
 src/ci/resources/bcs.jq                       |  31 ++
 src/ci/resources/bcs_application.conf.ctmpl   |  13 +-
 src/ci/resources/bcs_login.inc.sh.ctmpl       |  17 +
 src/ci/resources/dockerhub_auth.inc.sh.ctmpl  |   3 -
 .../AwsBatchBackendInitializationData.scala   |   2 +-
 .../aws/AwsBatchInitializationActor.scala     |   2 +-
 .../backend/impl/aws/AwsBatchJob.scala        |  22 +-
 .../impl/aws/AwsBatchWorkflowPaths.scala      |   2 +-
 ...tchAsyncBackendJobExecutionActorSpec.scala |  18 +-
 .../impl/aws/AwsBatchCallPathsSpec.scala      |  20 +-
 .../backend/impl/aws/AwsBatchJobSpec.scala    |  34 +-
 .../impl/aws/AwsBatchWorkflowPathsSpec.scala  |   8 +-
 .../PipelinesApiInitializationActorSpec.scala |   4 +-
 53 files changed, 928 insertions(+), 488 deletions(-)
 create mode 100644 centaur/src/main/resources/standardTestCases/prefix/prefix.options
 create mode 100644 filesystems/s3/src/main/java/org/lerch/s3fs/LICENSE
 create mode 100644 filesystems/s3/src/main/java/org/lerch/s3fs/README.md
 create mode 100644 src/ci/bin/test_bcs.inc.sh
 create mode 100644 src/ci/resources/bcs.jq
 create mode 100644 src/ci/resources/bcs_login.inc.sh.ctmpl

diff --git a/.gitignore b/.gitignore
index 1f20691f99e..42680886bf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,7 @@ scripts/docker-compose-mysql/compose/mysql/data
 artifactory_credentials.properties
 aws_credentials
 bcs_application.conf
+bcs_login.inc.sh
 centaur_secure.inc.conf
 cromwell-centaur-requester-pays-service-account.json
 cromwell-centaur-service-account.json
diff --git a/centaur/src/main/resources/standardTestCases/labels_bad_workflow.test b/centaur/src/main/resources/standardTestCases/labels_bad_workflow.test
index 426be8c4e73..9413985f25f 100644
--- a/centaur/src/main/resources/standardTestCases/labels_bad_workflow.test
+++ b/centaur/src/main/resources/standardTestCases/labels_bad_workflow.test
@@ -12,7 +12,7 @@ files {
 
 metadata {
   status: Failed
-  "submittedFiles.labels": "{\"label-key-1\":\"label-value-1\",\"label-key-2\":\"label-value-2\",\"only-key\":\"\",\"fc-id\":\"0123-abcd-4567-efgh\"}"
+  "submittedFiles.labels": "{\"fc-id\":\"0123-abcd-4567-efgh\",\"label-key-1\":\"label-value-1\",\"label-key-2\":\"label-value-2\",\"only-key\":\"\"}"
   "labels.label-key-1": "label-value-1"
   "labels.label-key-2": "label-value-2"
   "labels.only-key": ""
diff --git a/centaur/src/main/resources/standardTestCases/prefix.test b/centaur/src/main/resources/standardTestCases/prefix.test
index 457e01b8b35..a836843066e 100644
--- a/centaur/src/main/resources/standardTestCases/prefix.test
+++ b/centaur/src/main/resources/standardTestCases/prefix.test
@@ -3,6 +3,8 @@ testFormat: workflowsuccess
 
 files {
   workflow: prefix/prefix.wdl
+  # https://github.com/broadinstitute/cromwell/issues/4590
+  options: prefix/prefix.options
 }
 
 metadata {
diff --git a/centaur/src/main/resources/standardTestCases/prefix/prefix.options b/centaur/src/main/resources/standardTestCases/prefix/prefix.options
new file mode 100644
index 00000000000..1840c33cd39
--- /dev/null
+++ b/centaur/src/main/resources/standardTestCases/prefix/prefix.options
@@ -0,0 +1,3 @@
+{
+  "read_from_cache": false
+}
diff --git a/centaur/src/main/resources/standardTestCases/valid_labels.test b/centaur/src/main/resources/standardTestCases/valid_labels.test
index 36010acd6de..1ab748f8a86 100644
--- a/centaur/src/main/resources/standardTestCases/valid_labels.test
+++ b/centaur/src/main/resources/standardTestCases/valid_labels.test
@@ -11,7 +11,7 @@ files {
 metadata {
   workflowName: wf_hello
   status: Succeeded
-  "submittedFiles.labels": "{\"label-key-1\":\"label-value-1\",\"label-key-2\":\"label-value-2\",\"only-key\":\"\",\"fc-id\":\"0123-abcd-4567-efgh\"}"
+  "submittedFiles.labels": "{\"fc-id\":\"0123-abcd-4567-efgh\",\"label-key-1\":\"label-value-1\",\"label-key-2\":\"label-value-2\",\"only-key\":\"\"}"
   "labels.label-key-1": "label-value-1"
   "labels.label-key-2": "label-value-2"
   "labels.only-key": ""
diff --git a/centaurCwlRunner/src/main/resources/application.conf b/centaurCwlRunner/src/main/resources/application.conf
index c6a5039833e..fcdd3da9c57 100644
--- a/centaurCwlRunner/src/main/resources/application.conf
+++ b/centaurCwlRunner/src/main/resources/application.conf
@@ -1,6 +1,15 @@
 akka {
   loggers = ["akka.event.slf4j.Slf4jLogger"]
   logging-filter = "akka.event.slf4j.Slf4jLoggingFilter"
+
+  # Silence Akka-Http warning logging of:
+  # [WARN] [01/28/2019 06:50:04.293] [centaur-acting-like-a-system-akka.actor.default-dispatcher-3] [centaur-acting-like-a-system/Pool(shared->http://localhost:8000)] Connection attempt failed. Backing off new connection attempts for at least 100 milliseconds.
+  #
+  # via:
+  # https://github.com/akka/akka/blob/v2.5.19/akka-actor/src/main/resources/reference.conf#L41-L44
+  # https://github.com/akka/akka/blob/v2.5.19/akka-actor/src/main/scala/akka/event/Logging.scala#L377
+  # https://github.com/akka/akka-http/blob/v10.1.7/akka-http-core/src/main/scala/akka/http/impl/engine/client/pool/NewHostConnectionPool.scala#L134
+  stdout-loglevel = "ERROR"
 }
 
 centaur {
diff --git a/centaurCwlRunner/src/main/resources/logback.xml b/centaurCwlRunner/src/main/resources/logback.xml
index c21755aa774..d92bac61949 100644
--- a/centaurCwlRunner/src/main/resources/logback.xml
+++ b/centaurCwlRunner/src/main/resources/logback.xml
@@ -27,4 +27,22 @@
     https://github.com/owlcs/owlapi/blob/owlapi-parent-5.1.7/api/src/main/java/org/semanticweb/owlapi/utilities/Injector.java#L383
     -->
     <logger name="org.semanticweb.owlapi.utilities.Injector" level="error" additivity="false"/>
+
+    <!--
+    Silence Akka warning logging of:
+    10:18:20.629 [centaur-acting-like-a-system-akka.actor.default-dispatcher-8] WARN  akka.io.InetAddressDnsResolver - No caching TTL defined. Using default value Ttl(30 seconds).
+
+    via:
+    https://github.com/akka/akka/blob/v2.5.19/akka-actor/src/main/scala/akka/io/InetAddressDnsResolver.scala#L40
+    -->
+    <logger name="akka.io.InetAddressDnsResolver" level="error" additivity="false"/>
+
+    <!--
+    Silence Akka-Http warning logging of:
+    00:53:57.537 [centaur-acting-like-a-system-akka.actor.default-dispatcher-10] WARN  akka.http.impl.engine.client.PoolGateway - Connection attempt failed. Backing off new connection attempts for at least 100 milliseconds.
+
+    via:
+    https://github.com/akka/akka-http/blob/v10.1.7/akka-http-core/src/main/scala/akka/http/impl/engine/client/pool/NewHostConnectionPool.scala#L134
+    -->
+    <logger name="akka.http.impl.engine.client.PoolGateway" level="error" additivity="false"/>
 </configuration>
diff --git a/cloud-nio/cloud-nio-impl-drs/src/main/scala/cloud/nio/impl/drs/DrsPathResolver.scala b/cloud-nio/cloud-nio-impl-drs/src/main/scala/cloud/nio/impl/drs/DrsPathResolver.scala
index e56ecdf85cf..cc8bbf7dd26 100644
--- a/cloud-nio/cloud-nio-impl-drs/src/main/scala/cloud/nio/impl/drs/DrsPathResolver.scala
+++ b/cloud-nio/cloud-nio-impl-drs/src/main/scala/cloud/nio/impl/drs/DrsPathResolver.scala
@@ -15,10 +15,6 @@ import org.apache.http.impl.client.HttpClientBuilder
 import org.apache.http.util.EntityUtils
 import org.apache.http.{HttpResponse, HttpStatus}
 
-//Do not remove this import. This import is required to compile, but IntelliJ doesn't correctly recognize that.
-import cats.syntax.functor._
-
-
 case class DrsPathResolver(drsConfig: DrsConfig, httpClientBuilder: HttpClientBuilder) {
 
   implicit lazy val urlDecoder: Decoder[Url] = deriveDecoder
diff --git a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/AwsConfiguration.scala b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/AwsConfiguration.scala
index 1e332eaf07d..396504afeff 100644
--- a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/AwsConfiguration.scala
+++ b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/AwsConfiguration.scala
@@ -42,7 +42,7 @@ import common.validation.Validation._
 import cromwell.cloudsupport.aws.auth.{AssumeRoleMode, AwsAuthMode, CustomKeyMode, DefaultMode}
 import net.ceedubs.ficus.Ficus._
 import org.slf4j.LoggerFactory
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.regions.Region
 
 final case class AwsConfiguration private (applicationName: String,
                                            authsByName: Map[String, AwsAuthMode],
@@ -99,10 +99,7 @@ object AwsConfiguration {
       }
 
       def assumeRoleAuth(authConfig: Config, name: String, region: Option[String]): ErrorOr[AwsAuthMode] = validate {
-        val externalId = authConfig.hasPath("external-id") match {
-          case true => authConfig.getString("external-id")
-          case _ => ""
-        }
+        val externalId = authConfig.getOrElse("external-id", "")
         AssumeRoleMode(
           name,
           // We won't do anything with this now, but it is required for
diff --git a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/auth/AwsAuthMode.scala b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/auth/AwsAuthMode.scala
index f2338e98a00..43fb8844eb1 100644
--- a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/auth/AwsAuthMode.scala
+++ b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/auth/AwsAuthMode.scala
@@ -30,20 +30,14 @@
  */
 package cromwell.cloudsupport.aws.auth
 
-import software.amazon.awssdk.core.auth.{AwsCredentials,
-                                         AwsSessionCredentials,
-                                         AnonymousCredentialsProvider,
-                                         DefaultCredentialsProvider,
-                                         StaticCredentialsProvider}
-import software.amazon.awssdk.core.regions.Region
-import software.amazon.awssdk.services.sts.{STSClient}
-import software.amazon.awssdk.services.sts.model.{GetCallerIdentityRequest,
-                                                  AssumeRoleRequest}
-
+import com.google.api.client.json.jackson2.JacksonFactory
 import cromwell.cloudsupport.aws.auth.AwsAuthMode.OptionLookup
-
 import org.slf4j.LoggerFactory
-import com.google.api.client.json.jackson2.JacksonFactory
+import software.amazon.awssdk.auth.credentials._
+import software.amazon.awssdk.regions.Region
+import software.amazon.awssdk.services.sts.StsClient
+import software.amazon.awssdk.services.sts.model.{AssumeRoleRequest, GetCallerIdentityRequest}
+
 import scala.util.{Failure, Success, Try}
 
 object AwsAuthMode {
@@ -71,9 +65,9 @@ sealed trait AwsAuthMode {
     * All traits in this file are sealed, all classes final, meaning things
     * like Mockito or other java/scala overrides cannot work.
     */
-   private[auth] var credentialValidation: ((AwsCredentials, Option[String]) => Unit) =
+   private[auth] var credentialValidation: (AwsCredentials, Option[String]) => Unit =
      (credentials: AwsCredentials, region: Option[String]) => {
-       val builder = STSClient.builder
+       val builder = StsClient.builder
 
        //If the region argument exists in config, set it in the builder.
        //Otherwise it is left unset and the AwsCredential builder will look in various places to supply,
@@ -97,7 +91,7 @@ sealed trait AwsAuthMode {
 case object MockAuthMode extends AwsAuthMode {
   override val name = "no_auth"
 
-  lazy val _credential = AnonymousCredentialsProvider.create.getCredentials
+  lazy val _credential = AnonymousCredentialsProvider.create.resolveCredentials()
 
   override def credential(options: OptionLookup): AwsCredentials = _credential
 }
@@ -113,7 +107,7 @@ final case class CustomKeyMode(override val name: String,
     // Validate credentials synchronously here, without retry.
     // It's very unlikely to fail as it should not happen more than a few times
     // (one for the engine and for each backend using it) per Cromwell instance.
-    validateCredential(AwsCredentials.create(accessKey, secretKey), region)
+    validateCredential(AwsBasicCredentials.create(accessKey, secretKey), region)
   }
 
   override def credential(options: OptionLookup): AwsCredentials = _credential
@@ -130,7 +124,7 @@ final case class DefaultMode(override val name: String, region: Option[String])
     // Validate credentials synchronously here, without retry.
     // It's very unlikely to fail as it should not happen more than a few times
     // (one for the engine and for each backend using it) per Cromwell instance.
-    validateCredential(DefaultCredentialsProvider.create.getCredentials, region)
+    validateCredential(DefaultCredentialsProvider.create.resolveCredentials(), region)
   }
 
   override def credential(options: OptionLookup): AwsCredentials = _credential
@@ -157,7 +151,7 @@ final case class AssumeRoleMode(override val name: String,
     if (! externalId.isEmpty) requestBuilder.externalId(externalId)
     val request = requestBuilder.build
 
-    val builder = STSClient.builder
+    val builder = StsClient.builder
     region.foreach(str => builder.region(Region.of(str)))
     // See comment above regarding builder
     baseAuthObj match{
diff --git a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/s3/S3Storage.scala b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/s3/S3Storage.scala
index ab0db7b1517..6a16a0c557c 100644
--- a/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/s3/S3Storage.scala
+++ b/cloudSupport/src/main/scala/cromwell/cloudsupport/aws/s3/S3Storage.scala
@@ -30,12 +30,11 @@
  */
 package cromwell.cloudsupport.aws.s3
 
-import software.amazon.awssdk.services.s3.S3AdvancedConfiguration
-import software.amazon.awssdk.services.s3.S3Client
-import software.amazon.awssdk.core.auth.{AwsCredentials, StaticCredentialsProvider}
 import com.typesafe.config.ConfigFactory
 import net.ceedubs.ficus.Ficus._
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.auth.credentials.{AwsCredentials, StaticCredentialsProvider}
+import software.amazon.awssdk.regions.Region
+import software.amazon.awssdk.services.s3.{S3Client, S3Configuration}
 
 object S3Storage {
   val DefaultConfiguration = {
@@ -43,30 +42,30 @@ object S3Storage {
     val dualstackEnabled = ConfigFactory.load().as[Option[Boolean]]("s3.dual-stack").getOrElse(false)
     val pathStyleAccessEnabled = ConfigFactory.load().as[Option[Boolean]]("s3.path-style-access").getOrElse(false)
 
-    S3AdvancedConfiguration.builder
+    S3Configuration.builder
       .accelerateModeEnabled(accelerateModeEnabled)
       .dualstackEnabled(dualstackEnabled)
       .pathStyleAccessEnabled(pathStyleAccessEnabled)
       .build
   }
 
-  def s3Client(configuration: S3AdvancedConfiguration, credentials: AwsCredentials, region: Option[Region]): S3Client = {
+  def s3Client(configuration: S3Configuration, credentials: AwsCredentials, region: Option[Region]): S3Client = {
     val builder = S3Client.builder
-      .advancedConfiguration(configuration)
+      .serviceConfiguration(configuration)
       .credentialsProvider(StaticCredentialsProvider.create(credentials))
-      region.foreach(builder.region)
-      builder.build
+    region.foreach(builder.region)
+    builder.build
   }
 
   def s3Client(credentials: AwsCredentials, region: Option[Region]): S3Client = {
-    s3Client(s3AdvancedConfiguration(), credentials, region)
+    s3Client(s3Configuration(), credentials, region)
   }
 
-  def s3AdvancedConfiguration(accelerateModeEnabled: Boolean = false,
-                              dualstackEnabled: Boolean = false,
-                              pathStyleAccessEnabled: Boolean = false): S3AdvancedConfiguration = {
+  def s3Configuration(accelerateModeEnabled: Boolean = false,
+                      dualstackEnabled: Boolean = false,
+                      pathStyleAccessEnabled: Boolean = false): S3Configuration = {
 
-    S3AdvancedConfiguration.builder
+    S3Configuration.builder
       .accelerateModeEnabled(accelerateModeEnabled)
       .dualstackEnabled(dualstackEnabled)
       .pathStyleAccessEnabled(pathStyleAccessEnabled)
diff --git a/cloudSupport/src/test/scala/cromwell/cloudsupport/aws/s3/S3StorageSpec.scala b/cloudSupport/src/test/scala/cromwell/cloudsupport/aws/s3/S3StorageSpec.scala
index 87b3091bc2d..4b23916e09d 100644
--- a/cloudSupport/src/test/scala/cromwell/cloudsupport/aws/s3/S3StorageSpec.scala
+++ b/cloudSupport/src/test/scala/cromwell/cloudsupport/aws/s3/S3StorageSpec.scala
@@ -29,9 +29,9 @@
  *  POSSIBILITY OF SUCH DAMAGE.
  */
 package cromwell.cloudsupport.aws.s3
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
 import org.scalatest.{FlatSpec, Matchers, Tag}
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.regions.Region
 
 class S3StorageSpec extends FlatSpec with Matchers {
 
@@ -45,14 +45,17 @@ class S3StorageSpec extends FlatSpec with Matchers {
   }
 
   it should "build s3 storage" taggedAs S3StorageSpecUtils.AwsTest in {
-    val configuration = S3Storage.s3AdvancedConfiguration(false, true)
+    val configuration = S3Storage.s3Configuration(dualstackEnabled = true)
     configuration.accelerateModeEnabled should be(false)
     configuration.dualstackEnabled should be(true)
     configuration.pathStyleAccessEnabled should be(false)
   }
 
   it should "build s3 client with credentials" taggedAs S3StorageSpecUtils.AwsTest in {
-    S3Storage.s3Client(AnonymousCredentialsProvider.create.getCredentials, Option(Region.US_EAST_1))
+    S3Storage.s3Client(
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      Option(Region.US_EAST_1)
+    )
   }
 
 }
diff --git a/dockerHashing/src/main/scala/cromwell/docker/DockerInfoActor.scala b/dockerHashing/src/main/scala/cromwell/docker/DockerInfoActor.scala
index 60745e8c460..fda13b4a135 100644
--- a/dockerHashing/src/main/scala/cromwell/docker/DockerInfoActor.scala
+++ b/dockerHashing/src/main/scala/cromwell/docker/DockerInfoActor.scala
@@ -9,14 +9,15 @@ import com.google.common.cache.CacheBuilder
 import com.typesafe.config.Config
 import common.validation.ErrorOr.ErrorOr
 import common.validation.Validation._
-import cromwell.core.{Dispatcher, DockerConfiguration}
 import cromwell.core.actor.StreamIntegration.{BackPressure, StreamContext}
+import cromwell.core.{Dispatcher, DockerConfiguration}
 import cromwell.docker.DockerInfoActor._
 import cromwell.docker.registryv2.DockerRegistryV2Abstract
 import cromwell.docker.registryv2.flows.dockerhub.DockerHubRegistry
 import cromwell.docker.registryv2.flows.gcr.GcrRegistry
 import cromwell.docker.registryv2.flows.quay.QuayRegistry
 import cromwell.util.GracefulShutdownHelper.ShutdownCommand
+import fs2.Pipe
 import fs2.concurrent.{NoneTerminatedQueue, Queue}
 import net.ceedubs.ficus.Ficus._
 import org.http4s.client.blaze.BlazeClientBuilder
@@ -112,7 +113,7 @@ final class DockerInfoActor(
   /*
    * Sends back responses and adds to cache in case of success. Used as the sink for each registry stream.
    */
-  val streamSink = fs2.Sink[IO, (DockerInfoResponse, DockerInfoContext)] {
+  val streamSink: Pipe[IO, (DockerInfoResponse, DockerInfoContext), Unit] = _ evalMap {
     case (response: DockerInfoSuccessResponse, dockerInfoContext) =>
       dockerInfoContext.replyTo ! response
       IO.pure(cache.put(dockerInfoContext.dockerImageID, response.dockerInformation))
@@ -148,7 +149,7 @@ final class DockerInfoActor(
           // Run requests in parallel - allow nbThreads max concurrent requests - order doesn't matter
           .parEvalMapUnordered(registry.config.nbThreads)({ request => registry.run(request)(client) })
           // Send to the sink for finalization of the result
-          .to(streamSink)
+          .through(streamSink)
       })
 
       // Start the stream now asynchronously. It will keep running until we terminate the queue by sending None to it
diff --git a/docs/api/RESTAPI.md b/docs/api/RESTAPI.md
index ff40bf28615..45879915e31 100644
--- a/docs/api/RESTAPI.md
+++ b/docs/api/RESTAPI.md
@@ -1,5 +1,5 @@
 <!--
-This file was generated by `sbt generateRestApiDocs` on Wed, 1 Aug 2018 11:05:04 -0400
+This file was generated by `sbt generateRestApiDocs` on Sun, 27 Jan 2019 19:15:30 -0500
 
 !!! DO NOT CHANGE THIS FILE DIRECTLY !!!
 
@@ -32,6 +32,46 @@ Describes the REST API provided by a Cromwell server
 
 
 
+<a name="describe"></a>
+## Machine-readable description of a workflow, including inputs and outputs
+```
+POST /api/womtool/{version}/describe
+```
+
+
+#### Description
+This endpoint is undergoing active development. Its performance has not been validated and it **should not be called on a production instance of Cromwell**.
+
+
+#### Parameters
+
+|Type|Name|Description|Schema|Default|
+|---|---|---|---|---|
+|**Path**|**version**  <br>*required*|Cromwell API Version|string|`"v1"`|
+|**FormData**|**workflowInputs**  <br>*optional*|JSON or YAML file containing the inputs as an object.|file||
+|**FormData**|**workflowSource**  <br>*optional*|The workflow source file to submit for execution. Either workflow source or workflow url is required.|file||
+|**FormData**|**workflowType**  <br>*optional*|The workflow language for the file you submitted. Cromwell currently supports WDL and CWL.|enum (WDL, CWL)||
+|**FormData**|**workflowTypeVersion**  <br>*optional*|The specification version for the workflow language being used. For WDL, Cromwell currently supports draft-2 and 1.0. For CWL, Cromwell currently supports v1.0.|enum (draft-2, 1.0, v1.0)||
+|**FormData**|**workflowUrl**  <br>*optional*|URL which points to the workflow. Either workflow source or workflow url is required.|string||
+
+
+#### Responses
+
+|HTTP Code|Description|Schema|
+|---|---|---|
+|**200**|Workflow description.|[WorkflowDescription](#workflowdescription)|
+
+
+#### Consumes
+
+* `multipart/form-data`
+
+
+#### Tags
+
+* Womtool (beta)
+
+
 <a name="submit"></a>
 ## Submit a workflow for execution
 ```
@@ -198,7 +238,7 @@ This endpoint returns the hash differences between 2 completed (successfully or
 * Workflows
 
 
-<a name="query"></a>
+<a name="querypost"></a>
 ## Get workflows matching some criteria
 ```
 POST /api/workflows/{version}/query
@@ -231,7 +271,7 @@ Query workflows by start dates, end dates, names, ids, labels, or statuses.
 * Workflows
 
 
-<a name="query"></a>
+<a name="queryget"></a>
 ## Get workflows matching some criteria
 ```
 GET /api/workflows/{version}/query
@@ -284,7 +324,7 @@ POST /api/workflows/{version}/{id}/abort
 
 
 #### Description
-Request Cromwell to abort a running workflow. For instance this might be necessary in cases where you have submitted a workflow with incorrect inputs or no longer need the results. Cromwell will make a best effort attempt to immediately halt any currently running jobs from this workflow.
+Request Cromwell to abort a running workflow. For instance this might be necessary in cases where you have submitted a workflow with incorrect inputs or no longer need the results. Cromwell will schedule a halt of all currently running jobs from this workflow.
 
 
 #### Parameters
@@ -577,33 +617,7 @@ Returns a javascript file which will render a Gantt chart for the requested work
 * Workflows
 
 
-<a name="stats"></a>
-## Returns basic statistics from this Cromwell server.
-```
-GET /engine/{version}/stats
-```
-
-
-#### Parameters
-
-|Type|Name|Description|Schema|Default|
-|---|---|---|---|---|
-|**Path**|**version**  <br>*required*|Cromwell API Version|string|`"v1"`|
-
-
-#### Responses
-
-|HTTP Code|Description|Schema|
-|---|---|---|
-|**200**|Successful Request|[StatsResponse](#statsresponse)|
-
-
-#### Tags
-
-* Engine
-
-
-<a name="status"></a>
+<a name="enginestatus"></a>
 ## Return the current health status of any monitored subsystems
 ```
 GET /engine/{version}/status
@@ -630,7 +644,7 @@ GET /engine/{version}/status
 * Engine
 
 
-<a name="version"></a>
+<a name="engineversion"></a>
 ## Return the version of this Cromwell server
 ```
 GET /engine/{version}/version
@@ -709,17 +723,6 @@ Failure messages
 |**labels**  <br>*required*|The labels which have been updated  <br>**Example** : `"label-value-1"`|string|
 
 
-<a name="statsresponse"></a>
-### StatsResponse
-Provides engine level statistics for things running inside the system
-
-
-|Name|Description|Schema|
-|---|---|---|
-|**jobs**  <br>*required*|The number of currently running jobs|integer|
-|**workflows**  <br>*required*|The number of currently running workflows|integer|
-
-
 <a name="statusresponse"></a>
 ### StatusResponse
 Returns the status of monitored subsystems.
@@ -748,6 +751,15 @@ Returns the version of Cromwell
 |**cromwell**  <br>*optional*|The version of the Cromwell Engine  <br>**Example** : `"30"`|string|
 
 
+<a name="workflowdescription"></a>
+### WorkflowDescription
+
+|Name|Description|Schema|
+|---|---|---|
+|**errors**  <br>*required*|The set of validation failure messages  <br>**Example** : `[ "The 'errors' field will be filled if 'valid' is false", "We might also provide warnings to a 'valid' workflow here", "Otherwise, 'errors' will be the empty array" ]`|< string > array|
+|**valid**  <br>*required*|Whether the workflow and inputs as submitted passed validation|boolean|
+
+
 <a name="workflowidandstatus"></a>
 ### WorkflowIdAndStatus
 
diff --git a/engine/src/main/resources/swagger/cromwell.yaml b/engine/src/main/resources/swagger/cromwell.yaml
index 158d17778be..81a9762d1ad 100644
--- a/engine/src/main/resources/swagger/cromwell.yaml
+++ b/engine/src/main/resources/swagger/cromwell.yaml
@@ -308,7 +308,7 @@ paths:
           $ref: '#/responses/ServerError'
   '/api/workflows/{version}/query':
     get:
-      operationId: query
+      operationId: queryGet
       summary: Get workflows matching some criteria
       description: Query for workflows which match various criteria. When a combination of criteria are applied the endpoint will return
       parameters:
@@ -457,7 +457,7 @@ paths:
         '500':
           $ref: '#/responses/ServerError'
     post:
-      operationId: query
+      operationId: queryPost
       summary: Get workflows matching some criteria
       description: Query workflows by start dates, end dates, names, ids, labels, or statuses.
       parameters:
@@ -646,7 +646,7 @@ paths:
         - "Womtool (beta)"
   '/engine/{version}/version':
     get:
-      operationId: version
+      operationId: engineVersion
       summary: Return the version of this Cromwell server
       parameters:
         - $ref: '#/parameters/versionParam'
@@ -659,7 +659,7 @@ paths:
             $ref: '#/definitions/VersionResponse'
   '/engine/{version}/status':
     get:
-      operationId: status
+      operationId: engineStatus
       summary: Return the current health status of any monitored subsystems
       parameters:
         - $ref: '#/parameters/versionParam'
diff --git a/engine/src/test/scala/cromwell/jobstore/JobResultSpec.scala b/engine/src/test/scala/cromwell/jobstore/JobResultSpec.scala
index 8d64cb0fbfd..bfcfa3178ac 100644
--- a/engine/src/test/scala/cromwell/jobstore/JobResultSpec.scala
+++ b/engine/src/test/scala/cromwell/jobstore/JobResultSpec.scala
@@ -17,7 +17,7 @@ class JobResultSpec extends FlatSpec with Matchers {
     val asJson = success.toJson
 
     val jsonString = asJson.toString()
-    jsonString shouldBe """{"returnCode":0,"jobOutputs":{"abc":"hello"}}"""
+    jsonString shouldBe """{"jobOutputs":{"abc":"hello"},"returnCode":0}"""
   }
 
   it should "write more complicated WdlValues" in {
@@ -25,7 +25,7 @@ class JobResultSpec extends FlatSpec with Matchers {
     val asJson = success.toJson
 
     val jsonString = asJson.toString()
-    jsonString shouldBe """{"returnCode":0,"jobOutputs":{"abc":{"hello":4,"goodbye":6}}}"""
+    jsonString shouldBe """{"jobOutputs":{"abc":{"hello":4,"goodbye":6}},"returnCode":0}"""
   }
 
   it should "write JSON for job failures" in {
@@ -34,6 +34,6 @@ class JobResultSpec extends FlatSpec with Matchers {
     val asJson = failure.toJson
 
     val jsonString = asJson.toString()
-    jsonString shouldBe """{"returnCode":0,"reason":"abc","retryable":false}"""
+    jsonString shouldBe """{"reason":"abc","retryable":false,"returnCode":0}"""
   }
 }
diff --git a/engine/src/test/scala/cromwell/webservice/SwaggerServiceSpec.scala b/engine/src/test/scala/cromwell/webservice/SwaggerServiceSpec.scala
index 5ad71b2a0fa..2afd9564dd9 100644
--- a/engine/src/test/scala/cromwell/webservice/SwaggerServiceSpec.scala
+++ b/engine/src/test/scala/cromwell/webservice/SwaggerServiceSpec.scala
@@ -38,19 +38,16 @@ class SwaggerServiceSpec extends FlatSpec with SwaggerService with ScalatestRout
       check {
         status should be(StatusCodes.OK)
 
-        /*
-        BUG: Right now swagger-parser says that type is unexpected in security definitions. Should be fixed in
-        https://github.com/swagger-api/swagger-parser/pull/232/files#diff-392413c3c16ae4930f710f815575830dR30
-
-        Still don't know why they choose not to print the proper location.
-         */
-        val swaggerBugMsg = "attribute type is unexpected"
+        // https://github.com/swagger-api/swagger-parser/issues/976
+        val swaggerBugMsg = "needs to be defined as a path parameter in path or operation level"
 
         val body = responseAs[String]
         val resultWithInfo = new SwaggerParser().readWithInfo(body)
+        val swaggerVersion = resultWithInfo.getSwagger.getSwagger
+        val swaggerMessages = resultWithInfo.getMessages.asScala.filterNot(_ contains swaggerBugMsg)
 
-        resultWithInfo.getSwagger.getSwagger should be("2.0")
-        resultWithInfo.getMessages.asScala.filterNot(_ == swaggerBugMsg) should be(empty)
+        swaggerVersion should be("2.0")
+        swaggerMessages should be(empty)
 
         resultWithInfo.getSwagger.getDefinitions.asScala foreach {
           case (defKey, defVal) => defVal.getProperties.asScala foreach {
diff --git a/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala b/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
index 38478d7b51e..84bd2847ad1 100644
--- a/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
+++ b/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
@@ -197,8 +197,8 @@ class CromwellApiServiceSpec extends AsyncFlatSpec with ScalatestRouteTest with
       check {
         assertResult(
           s"""{
-             |  "status": "fail",
-             |  "message": "Error(s): Error while validating workflow url: unknown protocol: htpps"
+             |  "message": "Error(s): Error while validating workflow url: unknown protocol: htpps",
+             |  "status": "fail"
              |}""".stripMargin) {
           responseAs[String].parseJson.prettyPrint
         }
@@ -257,8 +257,8 @@ class CromwellApiServiceSpec extends AsyncFlatSpec with ScalatestRouteTest with
       check {
         assertResult(
           s"""{
-             |  "status": "fail",
-             |  "message": "Unrecognized workflow ID: ${CromwellApiServiceSpec.UnrecognizedWorkflowId.toString}"
+             |  "message": "Unrecognized workflow ID: ${CromwellApiServiceSpec.UnrecognizedWorkflowId.toString}",
+             |  "status": "fail"
              |}""".stripMargin) {
           responseAs[String].parseJson.prettyPrint
         }
@@ -442,8 +442,8 @@ class CromwellApiServiceSpec extends AsyncFlatSpec with ScalatestRouteTest with
           assertResult(StatusCodes.NotFound) { status }
           assertResult(
             s"""{
-               |  "status": "fail",
-               |  "message": "Unrecognized workflow ID: ${CromwellApiServiceSpec.UnrecognizedWorkflowId.toString}"
+               |  "message": "Unrecognized workflow ID: ${CromwellApiServiceSpec.UnrecognizedWorkflowId.toString}",
+               |  "status": "fail"
                |}""".stripMargin) {
             responseAs[String].parseJson.prettyPrint
           }
@@ -457,8 +457,8 @@ class CromwellApiServiceSpec extends AsyncFlatSpec with ScalatestRouteTest with
           assertResult(StatusCodes.BadRequest) { status }
           assertResult(
             s"""{
-               |  "status": "fail",
-               |  "message": "Invalid workflow ID: 'foo'."
+               |  "message": "Invalid workflow ID: 'foo'.",
+               |  "status": "fail"
                |}""".stripMargin) {
             responseAs[String].parseJson.prettyPrint
           }
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/AmazonS3Factory.java b/filesystems/s3/src/main/java/org/lerch/s3fs/AmazonS3Factory.java
index 659ab722a53..5c505b649c4 100644
--- a/filesystems/s3/src/main/java/org/lerch/s3fs/AmazonS3Factory.java
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/AmazonS3Factory.java
@@ -1,14 +1,16 @@
 package org.lerch.s3fs;
 
-import software.amazon.awssdk.core.auth.AwsCredentialsProvider;
-import software.amazon.awssdk.core.auth.StaticCredentialsProvider;
-import software.amazon.awssdk.core.auth.AwsCredentials;
-import software.amazon.awssdk.core.auth.DefaultCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
+import software.amazon.awssdk.http.SdkHttpClient;
+import software.amazon.awssdk.http.apache.ApacheHttpClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.S3ClientBuilder;
-import software.amazon.awssdk.services.s3.S3AdvancedConfiguration;
-import software.amazon.awssdk.core.client.builder.ClientHttpConfiguration;
-import software.amazon.awssdk.core.config.ClientOverrideConfiguration;
+import software.amazon.awssdk.services.s3.S3Configuration;
 
 import java.net.URI;
 import java.util.Properties;
@@ -51,8 +53,8 @@ public S3Client getS3Client(URI uri, Properties props) {
             builder.endpointOverride(uri);
 
         builder.credentialsProvider(getCredentialsProvider(props))
-               .httpConfiguration(getHttpConfiguration(props))
-               .advancedConfiguration(getAdvancedConfiguration(props))
+               .httpClient(getSdkHttpClient(props))
+               .serviceConfiguration(getConfiguration(props))
                .overrideConfiguration(getOverrideConfiguration(props));
                //.region(getRegion(props));
 
@@ -62,10 +64,7 @@ public S3Client getS3Client(URI uri, Properties props) {
     /**
      * should return a new S3Client
      *
-     * @param credentialsProvider     AWSCredentialsProvider mandatory
-     * @param clientConfiguration     ClientConfiguration mandatory
-     * @param requestMetricsCollector RequestMetricCollector mandatory
-     * @return {@link software.amazon.awssdk.services.s3.AmazonS3}
+     * @return {@link software.amazon.awssdk.services.s3.S3Client}
      */
     protected abstract S3Client createS3Client(S3ClientBuilder builder);
 
@@ -79,17 +78,17 @@ protected AwsCredentialsProvider getCredentialsProvider(Properties props) {
     }
 
     protected AwsCredentials getAWSCredentials(Properties props) {
-        return AwsCredentials.create(props.getProperty(ACCESS_KEY), props.getProperty(SECRET_KEY));
+        return AwsBasicCredentials.create(props.getProperty(ACCESS_KEY), props.getProperty(SECRET_KEY));
     }
 
-    protected ClientHttpConfiguration getHttpConfiguration(Properties props) {
+    protected SdkHttpClient getSdkHttpClient(Properties props) {
         // TODO: custom http configuration based on properties
-        return ClientHttpConfiguration.builder().build();
+        return ApacheHttpClient.builder().build();
     }
 
-    protected S3AdvancedConfiguration getAdvancedConfiguration(Properties props) {
+    protected S3Configuration getConfiguration(Properties props) {
         // TODO: custom configuration based on properties
-        return S3AdvancedConfiguration.builder().build();
+        return S3Configuration.builder().build();
     }
 
     protected ClientOverrideConfiguration getOverrideConfiguration(Properties props) {
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/LICENSE b/filesystems/s3/src/main/java/org/lerch/s3fs/LICENSE
new file mode 100644
index 00000000000..a6c12c9bcb1
--- /dev/null
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Javier Arnáiz @arnaix
+Copyright (c) 2014 Better.be Application Services BV
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/README.md b/filesystems/s3/src/main/java/org/lerch/s3fs/README.md
new file mode 100644
index 00000000000..cc58fb325f5
--- /dev/null
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/README.md
@@ -0,0 +1,9 @@
+An **Amazon AWS S3** FileSystem Provider **JSR-203** for Java 8 (NIO2) using the AWS SDK v2.
+
+This version uses the released version of the AWS SDK v2 and is forked from
+[Emil Lerch's S3 FileSystem](https://github.com/elerch/Amazon-S3-FileSystem-NIO2/tree/e8283b5).
+That version uses a preview version of the AWS SDK v2 and is forked from
+[Upplication's S3 FileSystem](https://github.com/upplication/Amazon-S3-FileSystem-NIO2).
+
+The previous fork did not update the tests for AWS SDK v2, so the tests targeting AWS SDK v1 have been left out of this
+fork.
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileChannel.java b/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileChannel.java
index 15c3e8288c5..7c74aeebaa9 100644
--- a/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileChannel.java
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileChannel.java
@@ -15,7 +15,7 @@
 import java.util.Set;
 
 import software.amazon.awssdk.core.sync.RequestBody;
-import software.amazon.awssdk.core.sync.ResponseInputStream;
+import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
@@ -133,7 +133,7 @@ public int write(ByteBuffer src, long position) throws IOException {
     }
 
     @Override
-    public MappedByteBuffer map(MapMode mode, long position, long size) throws IOException {
+    public MappedByteBuffer map(FileChannel.MapMode mode, long position, long size) throws IOException {
         return filechannel.map(mode, position, size);
     }
 
@@ -171,7 +171,7 @@ protected void sync() throws IOException {
                    .contentLength(length)
                    .contentType(new Tika().detect(stream, path.getFileName().toString()));
 
-            path.getFileSystem().getClient().putObject(builder.build(), RequestBody.of(stream, length));
+            path.getFileSystem().getClient().putObject(builder.build(), RequestBody.fromInputStream(stream, length));
         }
     }
 }
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileSystemProvider.java b/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileSystemProvider.java
index e602f1ef82b..488fdd1a10d 100644
--- a/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileSystemProvider.java
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/S3FileSystemProvider.java
@@ -1,7 +1,7 @@
 package org.lerch.s3fs;
 
 import software.amazon.awssdk.core.sync.RequestBody;
-import software.amazon.awssdk.core.sync.ResponseInputStream;
+import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.Bucket;
 import software.amazon.awssdk.services.s3.model.CopyObjectRequest;
@@ -13,6 +13,7 @@
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.S3Exception;
 import software.amazon.awssdk.services.s3.model.S3Object;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
@@ -388,7 +389,7 @@ public void createDirectory(Path dir, FileAttribute<?>... attrs) throws IOExcept
         builder.bucket(bucketName)
                .key(directoryKey)
                .contentLength(0L);
-        s3Path.getFileSystem().getClient().putObject(builder.build(), RequestBody.of(new byte[0]));
+        s3Path.getFileSystem().getClient().putObject(builder.build(), RequestBody.fromBytes(new byte[0]));
     }
 
     @Override
@@ -641,7 +642,8 @@ public boolean isOpen(S3FileSystem s3FileSystem) {
      * only 4 testing
      */
 
-    protected static ConcurrentMap<String, S3FileSystem> getFilesystems() {
+    @VisibleForTesting
+    public static ConcurrentMap<String, S3FileSystem> getFilesystems() {
         return fileSystems;
     }
 
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/S3SeekableByteChannel.java b/filesystems/s3/src/main/java/org/lerch/s3fs/S3SeekableByteChannel.java
index d685533f36f..952de8e494b 100644
--- a/filesystems/s3/src/main/java/org/lerch/s3fs/S3SeekableByteChannel.java
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/S3SeekableByteChannel.java
@@ -16,7 +16,7 @@
 import org.apache.tika.Tika;
 
 import software.amazon.awssdk.core.sync.RequestBody;
-import software.amazon.awssdk.core.sync.ResponseBytes;
+import software.amazon.awssdk.core.ResponseBytes;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
@@ -118,7 +118,7 @@ protected void sync() throws IOException {
 
             S3Client client = path.getFileSystem().getClient();
 
-            client.putObject(builder.build(), RequestBody.of(stream, length));
+            client.putObject(builder.build(), RequestBody.fromInputStream(stream, length));
         }
     }
 
diff --git a/filesystems/s3/src/main/java/org/lerch/s3fs/util/S3Utils.java b/filesystems/s3/src/main/java/org/lerch/s3fs/util/S3Utils.java
index aea2133c1d2..e8586ef4d97 100644
--- a/filesystems/s3/src/main/java/org/lerch/s3fs/util/S3Utils.java
+++ b/filesystems/s3/src/main/java/org/lerch/s3fs/util/S3Utils.java
@@ -32,10 +32,10 @@
 public class S3Utils {
 
     /**
-     * Get the {@link S3ObjectSummary} that represent this Path or her first child if this path not exists
+     * Get the {@link S3Object} that represent this Path or her first child if this path not exists
      *
      * @param s3Path {@link S3Path}
-     * @return {@link S3ObjectSummary}
+     * @return {@link S3Object}
      * @throws NoSuchFileException if not found the path and any child
      */
     public S3Object getS3ObjectSummary(S3Path s3Path) throws NoSuchFileException {
@@ -54,7 +54,7 @@ public S3Object getS3ObjectSummary(S3Path s3Path) throws NoSuchFileException {
                 .eTag(metadata.eTag())
                 .owner(acl.owner())
                 .size(metadata.contentLength())
-                .storageClass(metadata.storageClassString());
+                .storageClass(metadata.storageClassAsString());
 
             return builder.build();
         } catch (S3Exception e) {
diff --git a/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilder.scala b/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilder.scala
index 98d1b2ab160..81fc34e0f73 100644
--- a/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilder.scala
+++ b/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilder.scala
@@ -32,15 +32,15 @@ package cromwell.filesystems.s3
 
 import java.net.URI
 import com.google.common.net.UrlEscapers
-import software.amazon.awssdk.core.auth.AwsCredentials
-import software.amazon.awssdk.services.s3.{S3AdvancedConfiguration,S3Client}
+import software.amazon.awssdk.auth.credentials.AwsCredentials
+import software.amazon.awssdk.services.s3.{S3Configuration,S3Client}
 import cromwell.cloudsupport.aws.auth.AwsAuthMode
 import cromwell.cloudsupport.aws.s3.S3Storage
 import cromwell.core.WorkflowOptions
 import cromwell.core.path.{NioPath, Path, PathBuilder}
 import cromwell.filesystems.s3.S3PathBuilder._
 import org.lerch.s3fs.S3FileSystemProvider
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.regions.Region
 
 import scala.concurrent.{ExecutionContext, Future}
 import scala.language.postfixOps
@@ -110,7 +110,7 @@ object S3PathBuilder {
   }
 
   def fromAuthMode(authMode: AwsAuthMode,
-                   configuration: S3AdvancedConfiguration,
+                   configuration: S3Configuration,
                    options: WorkflowOptions,
                    storageRegion: Option[Region])(implicit ec: ExecutionContext): Future[S3PathBuilder] = {
     val credentials = authMode.credential((key: String) => options.get(key).get)
@@ -125,7 +125,7 @@ object S3PathBuilder {
   }
 
   def fromCredentials(credentials: AwsCredentials,
-                      configuration: S3AdvancedConfiguration,
+                      configuration: S3Configuration,
                       options: WorkflowOptions,
                       storageRegion: Option[Region]): S3PathBuilder = {
     new S3PathBuilder(S3Storage.s3Client(credentials, storageRegion), configuration)
@@ -133,7 +133,7 @@ object S3PathBuilder {
 }
 
 class S3PathBuilder(client: S3Client,
-                     configuration: S3AdvancedConfiguration
+                     configuration: S3Configuration
                      ) extends PathBuilder {
   // Tries to create a new S3Path from a String representing an absolute s3 path: s3://<bucket>[/<key>].
   def build(string: String): Try[S3Path] = {
@@ -142,7 +142,9 @@ class S3PathBuilder(client: S3Client,
         Try {
           // TODO: System.getenv needs to turn into a full Auth thingy
           // TODO: This assumes the "global endpoint". Need to handle other endpoints
-          val s3Path = new S3FileSystemProvider().getFileSystem(URI.create("s3:////"), System.getenv).getPath(s"""/${bucket}/${path}""")
+          val s3Path = new S3FileSystemProvider()
+            .getFileSystem(URI.create("s3:////"), System.getenv)
+            .getPath(s"""/$bucket/$path""")
           S3Path(s3Path, bucket, client)
         }
       case PossiblyValidRelativeS3Path => Failure(new IllegalArgumentException(s"$string does not have a s3 scheme"))
@@ -161,7 +163,7 @@ case class S3Path private[s3](nioPath: NioPath,
 
   override def pathAsString: String = {
     // pathWithoutScheme will have a leading '/', so by only prepending 's3:/', we'll end up with s3:// as expected
-    s"s3:/${pathWithoutScheme}"
+    s"s3:/$pathWithoutScheme"
   }
 
   override def pathWithoutScheme: String =
@@ -179,7 +181,7 @@ case class S3Path private[s3](nioPath: NioPath,
     if (originalPath.startsWith("s3")) return nioPath.toAbsolutePath.toString
     originalPath.charAt(0) match {
       case '/' =>  nioPath.toAbsolutePath.toString
-      case _ => nioPath.resolve(s"/${bucket}/${originalPath}").toAbsolutePath.toString
+      case _ => nioPath.resolve(s"/$bucket/$originalPath").toAbsolutePath.toString
     }
   }
 }
diff --git a/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilderFactory.scala b/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilderFactory.scala
index f7323bb19eb..443c06ede69 100644
--- a/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilderFactory.scala
+++ b/filesystems/s3/src/main/scala/cromwell/filesystems/s3/S3PathBuilderFactory.scala
@@ -42,7 +42,7 @@ import cromwell.core.WorkflowOptions
 import net.ceedubs.ficus.Ficus._
 
 import scala.concurrent.{ExecutionContext, Future}
-import software.amazon.awssdk.core.auth.AwsCredentials
+import software.amazon.awssdk.auth.credentials.AwsCredentials
 
 // The constructor of this class is required to be Config, Config by cromwell
 // So, we need to take this config and get the AuthMode out of it
diff --git a/filesystems/s3/src/test/scala/cromwell/filesystems/s3/S3PathBuilderSpec.scala b/filesystems/s3/src/test/scala/cromwell/filesystems/s3/S3PathBuilderSpec.scala
index 739ab5e4fca..0e278cd0504 100644
--- a/filesystems/s3/src/test/scala/cromwell/filesystems/s3/S3PathBuilderSpec.scala
+++ b/filesystems/s3/src/test/scala/cromwell/filesystems/s3/S3PathBuilderSpec.scala
@@ -30,14 +30,14 @@
  */
 package cromwell.filesystems.s3
 
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
 import cromwell.cloudsupport.aws.s3.S3Storage
 import cromwell.core.Tags.AwsTest
 import cromwell.core.path._
 import cromwell.core.{TestKitSuite, WorkflowOptions}
 import org.scalatest.prop.Tables.Table
 import org.scalatest.{FlatSpecLike, Matchers}
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.regions.Region
 
 class S3PathBuilderSpec extends TestKitSuite with FlatSpecLike with Matchers with PathBuilderSpecUtils {
 
@@ -48,8 +48,8 @@ class S3PathBuilderSpec extends TestKitSuite with FlatSpecLike with Matchers wit
     val wfOptionsWithProject = WorkflowOptions.empty
 
     S3PathBuilder.fromCredentials(
-      AnonymousCredentialsProvider.create.getCredentials,
-      S3Storage.s3AdvancedConfiguration(),
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      S3Storage.s3Configuration(),
       wfOptionsWithProject,
       Option(Region.US_EAST_1)
     )
@@ -382,8 +382,8 @@ class S3PathBuilderSpec extends TestKitSuite with FlatSpecLike with Matchers wit
 
   private lazy val pathBuilder = {
     S3PathBuilder.fromCredentials(
-      AnonymousCredentialsProvider.create.getCredentials,
-      S3Storage.s3AdvancedConfiguration(),
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      S3Storage.s3Configuration(),
       WorkflowOptions.empty,
       Option(Region.US_EAST_1)
     )
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index a07eb237331..a50d189fe65 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -1,187 +1,92 @@
 import sbt._
 
 object Dependencies {
-  private val akkaHttpCirceIntegrationV = "1.22.0"
-  private val akkaHttpV = "10.1.5"
-  private val akkaV = "2.5.16"
-  private val alibabaCloudBcsV = "5.3.2"
-  private val alibabaCloudCoreV = "3.6.0"
-  private val alibabaCloudOssV = "3.1.0"
-  private val ammoniteOpsV = "1.2.0"
+  private val akkaHttpCirceIntegrationV = "1.24.3"
+  private val akkaHttpV = "10.1.7"
+  private val akkaV = "2.5.19"
+  private val aliyunBcsV = "6.0.6"
+  private val aliyunCoreV = "4.3.2"
+  private val aliyunOssV = "3.4.0"
+  private val ammoniteOpsV = "1.6.3"
   private val apacheCommonNetV = "3.6"
-  private val apacheHttpClientV = "4.5.6"
-  private val apacheHttpCoreV = "4.4.6"
-  private val awsSdkV = "2.0.0-preview-9"
+  private val apacheHttpClientV = "4.5.7"
+  private val awsSdkV = "2.3.9"
   private val betterFilesV = "2.17.1"
-  private val catsEffectV = "1.1.0"
+  private val catsEffectV = "1.2.0"
   private val catsV = "1.5.0"
-  private val circeV = "0.10.1"
-  private val circeOpticsV = "0.10.0"
+  private val circeOpticsV = "0.11.0"
+  private val circeV = "0.11.1"
   private val circeYamlV = "0.9.0"
   private val commonsCodecV = "1.11"
   private val commonsIoV = "2.6"
-  private val commonsLang3V = "3.8"
-  private val commonsLoggingV = "1.2"
+  private val commonsLang3V = "3.8.1"
   private val commonsTextV = "1.6"
   private val configsV = "0.4.4"
-  private val delightRhinoSandboxV = "0.0.9"
-  private val errorProneAnnotationsV = "2.0.19"
-  private val ficusV = "1.4.3"
-  private val fs2V = "1.0.2"
-  private val gaxV = "1.28.0"
-  private val googleApiClientV = "1.25.0"
-  private val googleCloudCoreV = "1.43.0"
+  private val delightRhinoSandboxV = "0.0.10"
+  private val ficusV = "1.4.4"
+  private val fs2V = "1.0.3"
+  private val googleApiClientV = "1.28.0"
+  private val googleCloudCoreV = "1.61.0"
   private val googleCloudKmsV = "v1-rev63-1.25.0"
   private val googleCloudNioV = "0.61.0-alpha"
-  private val googleCloudStorageV = "1.35.0"
-  private val googleCredentialsV = "0.8.0"
   private val googleGenomicsServicesV1ApiV = "v1alpha2-rev495-1.23.0"
   private val googleGenomicsServicesV2ApiV = "v2alpha1-rev31-1.25.0"
-  private val googleOauth2V = "0.11.0"
-  private val grpcV = "1.15.0"
-  private val guavaV = "26.0-jre"
+  private val googleOauth2V = "0.13.0"
+  private val grpcV = "1.18.0"
+  private val guavaV = "27.0.1-jre"
   private val heterodonV = "1.0.0-beta3"
   private val hsqldbV = "2.4.1"
-  private val http4sVersion = "0.20.0-M4"
-  private val jacksonV = "2.9.6"
-  private val janinoV = "3.0.9"
-  private val jodaTimeV = "2.9.4"
-  private val jsr305V = "3.0.0"
-  private val kindProjectorV = "0.9.7"
+  private val http4sVersion = "0.20.0-M5"
+  private val jacksonV = "2.9.8"
+  private val janinoV = "3.0.12"
+  private val javaxActivationV = "1.2.0"
+  private val jaxbV = "2.3.2"
+  private val kindProjectorV = "0.9.9"
   private val kittensV = "1.2.0"
   private val liquibaseSlf4jV = "2.0.0"
   private val liquibaseV = "3.5.5"
   private val logbackV = "1.2.3"
+  private val metrics3ScalaV = "3.5.10" // https://github.com/erikvanoosten/metrics-scala/tree/f733e26#download-4x
   private val metrics3StatsdV = "4.2.0"
-  private val metrics3ScalaV = "3.5.9" // https://github.com/erikvanoosten/metrics-scala/tree/f733e26#download-4x
   private val mockFtpServerV = "2.7.1"
-  private val mockserverNettyV = "5.4.1"
-  private val mongoJavaDriverV = "3.8.1"
-  private val mouseV = "0.19"
+  private val mockserverNettyV = "5.5.1"
+  private val mouseV = "0.20"
   private val mysqlV = "5.1.47"
-  private val nettyHandlerV = "4.1.22.Final"
-  private val owlApiV = "5.1.8"
+  private val nettyV = "4.1.33.Final"
+  private val owlApiV = "5.1.9"
   private val paradiseV = "2.1.1"
   private val pegdownV = "1.6.0"
-  private val protoGoogleCommonProtosV = "0.1.21"
-  private val protoGoogleIamV1V = "0.1.21"
-  private val protobufJavaV = "3.3.1"
-  private val reactiveStreamsV = "1.0.1"
   private val rdf4jV = "2.4.2"
-  private val refinedV = "0.9.2"
+  private val refinedV = "0.9.4"
   private val rhinoV = "1.7.10"
-  private val s3fsV = "1.0.1"
   private val scalaGraphV = "1.12.5"
-  private val scalaLoggingV = "3.9.0"
+  private val scalaLoggingV = "3.9.2"
   private val scalaPoolV = "0.4.1"
-  private val scalaXmlV = "1.0.6"
   private val scalacheckV = "1.14.0"
   private val scalacticV = "3.0.5"
   private val scalameterV = "0.10.1"
   private val scalamockV = "4.1.0"
   private val scalatestV = "3.0.5"
-  private val scalazV = "7.2.26"
-  private val scoptV = "3.7.0"
-  private val sentryLogbackV = "1.7.8"
+  private val scalazV = "7.2.27"
+  private val scoptV = "3.7.1"
+  private val sentryLogbackV = "1.7.17"
   private val shapelessV = "2.3.3"
-  private val simulacrumV = "0.13.0"
+  private val simulacrumV = "0.15.0"
   private val slf4jV = "1.7.25"
-  private val slickCatsV = "0.7.1.1"
+  private val slickCatsV = "0.9.0"
   private val slickV = "3.2.3"
   private val snakeyamlV = "1.23"
-  private val specs2MockV = "4.3.4"
-  private val sprayJsonV = "1.3.4"
-  private val sttpV = "1.3.3"
-  private val swaggerParserV = "1.0.38"
+  private val specs2MockV = "4.4.1"
+  private val sprayJsonV = "1.3.5"
+  private val sttpV = "1.5.8"
+  private val swaggerParserV = "1.0.41"
   private val swaggerUiV = "3.2.2"
+  private val tikaV = "1.20"
   private val typesafeConfigV = "1.3.3"
   private val workbenchGoogleV = "0.15-2fc79a3"
   private val workbenchModelV = "0.10-6800f3a"
   private val workbenchUtilV = "0.3-f3ce961"
 
-  /*
-  If you see warnings from SBT about evictions, insert a specific dependency version into this list.
-  Any dependencies that are removed may be also removed from this list. However, be careful about downgrading any of
-  these dependencies. Older versions have known vulnerabilities, ex: CVE-2017-7525
-   */
-  val cromwellDependencyOverrides = List(
-    "ch.qos.logback" % "logback-classic" % logbackV,
-    "ch.qos.logback" % "logback-core" % logbackV,
-    "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonV,
-    "com.fasterxml.jackson.core" % "jackson-core" % jacksonV,
-    "com.fasterxml.jackson.core" % "jackson-databind" % jacksonV,
-    "com.fasterxml.jackson.dataformat" % "jackson-dataformat-cbor" % jacksonV,
-    "com.fasterxml.jackson.jr" % "jackson-jr-objects" % jacksonV,
-    "com.fasterxml.jackson.module" % "jackson-module-paranamer" % jacksonV,
-    "com.fasterxml.jackson.module" %% "jackson-module-scala" % jacksonV,
-    "com.google.api" % "gax" % gaxV,
-    "com.google.api-client" % "google-api-client" % googleApiClientV,
-    "com.google.api.grpc" % "proto-google-common-protos" % protoGoogleCommonProtosV,
-    "com.google.api.grpc" % "proto-google-iam-v1" % protoGoogleIamV1V,
-    "com.google.auth" % "google-auth-library-credentials" % googleCredentialsV,
-    "com.google.auth" % "google-auth-library-oauth2-http" % googleOauth2V,
-    "com.google.cloud" % "google-cloud-core" % googleCloudCoreV,
-    "com.google.cloud" % "google-cloud-core-http" % googleCloudCoreV,
-    "com.google.code.findbugs" % "jsr305" % jsr305V,
-    "com.google.errorprone" % "error_prone_annotations" % errorProneAnnotationsV,
-    "com.google.guava" % "guava" % guavaV,
-    "com.google.guava-gwt" % "guava" % guavaV,
-    "com.google.http-client" % "google-http-client" % googleApiClientV,
-    "com.google.http-client" % "google-http-client-appengine" % googleApiClientV,
-    "com.google.http-client" % "google-http-client-jackson" % googleApiClientV,
-    "com.google.http-client" % "google-http-client-jackson2" % googleApiClientV,
-    "com.google.oauth-client" % "google-oauth-client" % googleApiClientV,
-    "com.google.protobuf" % "protobuf-java" % protobufJavaV,
-    "com.google.protobuf" % "protobuf-java-util" % protobufJavaV,
-    "com.typesafe" % "config" % typesafeConfigV,
-    "com.typesafe.akka" %% "akka-actor" % akkaV,
-    "com.typesafe.akka" %% "akka-stream" % akkaV,
-    "commons-codec" % "commons-codec" % commonsCodecV,
-    "commons-io" % "commons-io" % commonsIoV,
-    "commons-logging" % "commons-logging" % commonsLoggingV,
-    "eu.timepit" %% "refined" % refinedV,
-    "io.grpc" % "grpc-context" % grpcV,
-    "io.netty" % "netty-handler" % nettyHandlerV,
-    "io.spray" %% "spray-json" % sprayJsonV,
-    "joda-time" % "joda-time" % jodaTimeV,
-    "org.apache.commons" % "commons-lang3" % commonsLang3V,
-    "org.apache.commons" % "commons-text" % commonsTextV,
-    "org.apache.httpcomponents" % "httpclient" % apacheHttpClientV,
-    "org.apache.httpcomponents" % "httpcore" % apacheHttpCoreV,
-    "org.mongodb" % "mongo-java-driver" % mongoJavaDriverV,
-    /*
-    Yes. All of these are required to lock in the rdf4j version.
-
-    Feel free to update versions but do not remove these overrides unless and until an updated
-    owl-api is no longer pulling in vulnerable rdf4j dependencies.
-
-    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000644
-
-    See comment mentioning "OSGI" further below for more info on the bundling of dependencies.
-     */
-    "org.eclipse.rdf4j" % "rdf4j-model" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-api" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-binary" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-datatypes" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-jsonld" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-languages" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-n3" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-nquads" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-ntriples" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-rdfjson" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-rdfxml" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-trig" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-trix" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-rio-turtle" % rdf4jV,
-    "org.eclipse.rdf4j" % "rdf4j-util" % rdf4jV,
-    "org.reactivestreams" % "reactive-streams" % reactiveStreamsV,
-    "org.scala-lang.modules" %% "scala-xml" % scalaXmlV,
-    "org.slf4j" % "slf4j-api" % slf4jV,
-    "org.typelevel" %% "cats-core" % catsV,
-    "org.typelevel" %% "cats-kernel" % catsV,
-    "org.yaml" % "snakeyaml" % snakeyamlV
-  )
-
   private val circeYamlDependency = "io.circe" %% "circe-yaml" % circeYamlV
 
   private val circeDependencies = List(
@@ -242,7 +147,7 @@ object Dependencies {
 
   val implDrsDependencies = List(
     "org.apache.commons" % "commons-lang3" % commonsLang3V,
-    "com.google.cloud" % "google-cloud-storage" % googleCloudStorageV,
+    "com.google.cloud" % "google-cloud-storage" % googleCloudCoreV,
     "com.google.oauth-client" % "google-oauth-client" % googleApiClientV
   ) ++ circeDependencies ++ catsDependencies
 
@@ -291,11 +196,23 @@ object Dependencies {
     "com.mattbertolini" % "liquibase-slf4j" % liquibaseSlf4jV
   )
 
+  private val akkaDependencies = List(
+    "com.typesafe.akka" %% "akka-actor" % akkaV,
+    "com.typesafe.akka" %% "akka-testkit" % akkaV % Test,
+  )
+
+  private val akkaStreamDependencies = List(
+    "com.typesafe.akka" %% "akka-stream" % akkaV,
+    "com.typesafe.akka" %% "akka-stream-testkit" % akkaV % Test,
+  ) ++ akkaDependencies
+
   private val akkaHttpDependencies = List(
     "com.typesafe.akka" %% "akka-http" % akkaHttpV,
+    "com.typesafe.akka" %% "akka-http-testkit" % akkaHttpV % Test,
+    // WOM internally embeds spray-json. Leave this import here until WOM externalizes the json library choice like
+    // other libraries do. See akka-http, elastic4s, etc.
     "com.typesafe.akka" %% "akka-http-spray-json" % akkaHttpV,
-    "com.typesafe.akka" %% "akka-http-testkit" % akkaHttpV % Test
-  )
+  ) ++ akkaStreamDependencies
 
   private val akkaHttpCirceIntegrationDependency = List(
     "de.heikoseeberger" %% "akka-http-circe" % akkaHttpCirceIntegrationV
@@ -318,16 +235,27 @@ object Dependencies {
       exclude("com.google.guava", "guava-jdk5")
   )
 
+  /*
+  Used instead of `"org.lerch" % "s3fs" % s3fsV exclude("org.slf4j", "jcl-over-slf4j")`
+  org.lerch:s3fs:1.0.1 depends on a preview release of software.amazon.awssdk:s3.
+
+  Instead the code has been re-forked into this repo, just like many of the other FileSystemProvider extensions.
+   */
+  private val s3fsDependencies = List(
+    "com.google.code.findbugs" % "jsr305" % "3.0.2",
+    "com.google.guava" % "guava" % guavaV,
+    "org.apache.tika" % "tika-core" % tikaV,
+    "software.amazon.awssdk" % "s3" % awsSdkV,
+  ) ++ slf4jBindingDependencies
+
   private val awsCloudDependencies = List(
     "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonV,
-    "org.lerch" % "s3fs" % s3fsV
-      exclude("org.slf4j", "jcl-over-slf4j")
-  ) ++ List(
+  ) ++ s3fsDependencies ++ List(
     "batch",
     "core",
-    "logs",
+    "cloudwatchlogs",
     "s3",
-    "sts"
+    "sts",
   ).map(artifactName => "software.amazon.awssdk" % artifactName % awsSdkV)
 
   private val googleCloudDependencies = List(
@@ -345,17 +273,41 @@ object Dependencies {
   ) ++ googleGenomicsV1Dependency ++ googleGenomicsV2Dependency
 
   private val aliyunOssDependencies = List(
-    "com.aliyun.oss" % "aliyun-sdk-oss" % alibabaCloudOssV
+    "com.aliyun.oss" % "aliyun-sdk-oss" % aliyunOssV
       // stax is included twice by oss 3.1.0 and cause assembly merge conflicts via stax vs. javax.xml.stream
       exclude("stax", "stax-api")
+      // Exclude jersey-json until aliyun-sdk-oss >3.4.0 is published
+      // https://github.com/aliyun/aliyun-oss-java-sdk/pull/149
+      exclude("com.sun.jersey", "jersey-json")
+      // jaxb-api and jaxb-core and included in jaxb-impl as of 2.3.1
+      // https://github.com/eclipse-ee4j/jaxb-ri/issues/1168
+      exclude("javax.xml.bind", "jaxb-api")
+      exclude("com.sun.xml.bind", "jaxb-core")
       // javax.activation:activation has been replaced. https://stackoverflow.com/a/46493809
       // The old version was causing an assembly merge conflict.
-      exclude("javax.activation", "activation")
+      exclude("javax.activation", "activation"),
+    "com.sun.activation" % "javax.activation" % javaxActivationV,
+    "com.sun.xml.bind" % "jaxb-impl" % jaxbV,
+    "org.glassfish.jaxb" % "jaxb-runtime" % jaxbV
+      // already included in com.sun.activation
+      exclude("jakarta.activation", "jakarta.activation-api"),
   )
 
   private val aliyunBatchComputeDependencies = List(
-    "com.aliyun" % "aliyun-java-sdk-core" % alibabaCloudCoreV,
-    "com.aliyun" % "aliyun-java-sdk-batchcompute" % alibabaCloudBcsV
+    "com.aliyun" % "aliyun-java-sdk-batchcompute" % aliyunBcsV,
+    "com.aliyun" % "aliyun-java-sdk-core" % aliyunCoreV
+      // jaxb-api and jaxb-core and included in jaxb-impl as of 2.3.1
+      // https://github.com/eclipse-ee4j/jaxb-ri/issues/1168
+      exclude("javax.xml.bind", "jaxb-api")
+      exclude("com.sun.xml.bind", "jaxb-core")
+      // javax.activation:activation has been replaced. https://stackoverflow.com/a/46493809
+      // The old version was causing an assembly merge conflict.
+      exclude("javax.activation", "activation"),
+    "com.sun.activation" % "javax.activation" % javaxActivationV,
+    "com.sun.xml.bind" % "jaxb-impl" % jaxbV,
+    "org.glassfish.jaxb" % "jaxb-runtime" % jaxbV
+      // already included in com.sun.activation
+      exclude("jakarta.activation", "jakarta.activation-api"),
   )
 
   private val dbmsDependencies = List(
@@ -383,8 +335,9 @@ object Dependencies {
     "org.apache.commons" % "commons-lang3" % commonsLang3V,
     "org.apache.commons" % "commons-text" % commonsTextV,
     "com.typesafe.scala-logging" %% "scala-logging" % scalaLoggingV,
+    "ch.qos.logback" % "logback-access" % logbackV,
     "ch.qos.logback" % "logback-classic" % logbackV,
-    "ch.qos.logback" % "logback-access" % logbackV
+    "ch.qos.logback" % "logback-core" % logbackV,
   ) ++ catsDependencies ++ configDependencies
 
   val cloudSupportDependencies = googleApiClientDependencies ++ googleCloudDependencies ++ betterFilesDependencies ++ awsCloudDependencies
@@ -479,16 +432,12 @@ object Dependencies {
   ) ++ slf4jBindingDependencies ++ circeDependencies
 
   val coreDependencies = List(
-    "com.typesafe.akka" %% "akka-actor" % akkaV,
-    "com.typesafe.akka" %% "akka-testkit" % akkaV % Test,
-    "com.typesafe.akka" %% "akka-stream" % akkaV,
-    "com.typesafe.akka" %% "akka-stream-testkit" % akkaV % Test,
     "com.google.auth" % "google-auth-library-oauth2-http" % googleOauth2V,
     "com.chuusai" %% "shapeless" % shapelessV,
     "com.github.scopt" %% "scopt" % scoptV,
-    "org.scalamock" %% "scalamock" % scalamockV % Test
-  ) ++ configDependencies ++ catsDependencies ++ googleApiClientDependencies ++ statsDDependencies ++
-    betterFilesDependencies ++
+    "org.scalamock" %% "scalamock" % scalamockV % Test,
+  ) ++ akkaStreamDependencies ++ configDependencies ++ catsDependencies ++
+    googleApiClientDependencies ++ statsDDependencies ++ betterFilesDependencies ++
     // TODO: We're not using the "F" in slf4j. Core only supports logback, specifically the WorkflowLogger.
     slf4jBindingDependencies
 
@@ -499,8 +448,6 @@ object Dependencies {
   val cromwellApiClientDependencies = List(
     "org.scalaz" %% "scalaz-core" % scalazV,
     "co.fs2" %% "fs2-io" % fs2V % Test,
-    "com.typesafe.akka" %% "akka-actor" % akkaV,
-    "com.typesafe.akka" %% "akka-stream" % akkaV
   ) ++ akkaHttpDependencies ++ betterFilesDependencies
 
   val centaurDependencies = List(
@@ -529,9 +476,7 @@ object Dependencies {
     "org.broadinstitute.dsde.workbench" %% "workbench-util" % workbenchUtilV
   ) ++ akkaHttpDependencies ++ catsDependencies ++ swaggerUiDependencies ++ slf4jBindingDependencies
 
-  val wes2cromwellDependencies = List(
-    "com.typesafe.akka" %% "akka-stream" % akkaV
-  ) ++ akkaHttpDependencies ++ coreDependencies
+  val wes2cromwellDependencies = coreDependencies ++ akkaHttpDependencies
 
   val backendDependencies = List(
     "org.scalacheck" %% "scalacheck" % scalacheckV % Test,
@@ -556,4 +501,102 @@ object Dependencies {
 
   val perfDependencies = circeDependencies ++ betterFilesDependencies ++ commonDependencies ++
     googleApiClientDependencies ++ googleCloudDependencies
+
+  val allProjectDependencies =
+    backendDependencies ++
+      bcsBackendDependencies ++
+      centaurCwlRunnerDependencies ++
+      centaurDependencies ++
+      cloudSupportDependencies ++
+      commonDependencies ++
+      coreDependencies ++
+      cromiamDependencies ++
+      cromwellApiClientDependencies ++
+      cwlDependencies ++
+      databaseMigrationDependencies ++
+      databaseSqlDependencies ++
+      dockerHashingDependencies ++
+      draft2LanguageFactoryDependencies ++
+      engineDependencies ++
+      gcsFileSystemDependencies ++
+      httpFileSystemDependencies ++
+      implDrsDependencies ++
+      implFtpDependencies ++
+      languageFactoryDependencies ++
+      ossFileSystemDependencies ++
+      perfDependencies ++
+      serverDependencies ++
+      sparkBackendDependencies ++
+      spiDependencies ++
+      spiUtilDependencies ++
+      statsDProxyDependencies ++
+      tesBackendDependencies ++
+      wdlDependencies ++
+      wes2cromwellDependencies ++
+      womDependencies ++
+      womtoolDependencies
+
+  /*
+  If you see warnings from SBT about evictions, insert a specific dependency version into this list.
+
+  Do not know a good way to check when these are out of date as `sbt dependencyUpdates` does not
+  report on dependency overrides.
+
+  Any dependencies that are removed may be also removed from this list.
+  However, be careful about downgrading any of these dependencies.
+  Older versions have known vulnerabilities, ex: CVE-2017-7525
+   */
+
+  val nettyDependencyOverrides = List(
+    "buffer",
+    "codec",
+    "codec-dns",
+    "codec-http",
+    "codec-http2",
+    "codec-socks",
+    "common",
+    "handler-proxy",
+    "resolver",
+    "resolver-dns",
+    "transport",
+    "transport-native-epoll",
+    "transport-native-unix-common",
+  ).map(m => "io.netty" % s"netty-$m" % nettyV)
+
+  val rdf4jDependencyOverrides = List(
+    /*
+    Yes. All of these are required to lock in the rdf4j version.
+
+    Feel free to update versions but do not remove these overrides unless and until an updated
+    owl-api is no longer pulling in vulnerable rdf4j dependencies.
+
+    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000644
+
+    See comment mentioning "OSGI" further above for more info on the bundling of dependencies.
+     */
+    "model",
+    "rio-api",
+    "rio-binary",
+    "rio-datatypes",
+    "rio-jsonld",
+    "rio-languages",
+    "rio-n3",
+    "rio-nquads",
+    "rio-ntriples",
+    "rio-rdfjson",
+    "rio-rdfxml",
+    "rio-trig",
+    "rio-trix",
+    "rio-turtle",
+    "util",
+  ).map(m => "org.eclipse.rdf4j" % s"rdf4j-$m" % rdf4jV)
+
+  /*
+  If we use a version in one of our projects, that's the one we want all the libraries to use
+  ...plus other groups of transitive dependencies shared across multiple projects
+   */
+  val cromwellDependencyOverrides =
+    allProjectDependencies ++
+      nettyDependencyOverrides ++
+      rdf4jDependencyOverrides
 }
diff --git a/project/Merging.scala b/project/Merging.scala
index de61f625f4e..9d46dee3232 100644
--- a/project/Merging.scala
+++ b/project/Merging.scala
@@ -36,7 +36,7 @@ object Merging {
           val oldStrategy = (assemblyMergeStrategy in assembly).value
           oldStrategy(x)
       }
-    case "asm-license.txt" | "overview.html" | "cobertura.properties" =>
+    case "asm-license.txt" | "module-info.class" | "overview.html" | "cobertura.properties" =>
       MergeStrategy.discard
     case PathList("mime.types") =>
       MergeStrategy.last
diff --git a/scripts/perf/statsd-proxy/src/main/scala/statsdproxy/StatsDProxy.scala b/scripts/perf/statsd-proxy/src/main/scala/statsdproxy/StatsDProxy.scala
index 163ae4deb5f..ddca37fa21d 100644
--- a/scripts/perf/statsd-proxy/src/main/scala/statsdproxy/StatsDProxy.scala
+++ b/scripts/perf/statsd-proxy/src/main/scala/statsdproxy/StatsDProxy.scala
@@ -42,7 +42,7 @@ object StatsDProxy extends IOApp with StrictLogging {
     // Re-wrap the packet in the redirect address, send it, and then unpack it to create a stream of bytes that can be written to a file
     pipedToOutbound <- Stream(Packet(redirectAddress, receivedPacket.bytes))
       .covary[IO]
-      .to(clientSocket.writes())
+      .through(clientSocket.writes())
       .map(_ => receivedPacket.bytes.toVector :+ '\n'.toByte)
       .flatMap(Stream.emits(_))
   } yield pipedToOutbound
diff --git a/server/src/test/scala/cromwell/engine/workflow/lifecycle/MaterializeWorkflowDescriptorActorSpec.scala b/server/src/test/scala/cromwell/engine/workflow/lifecycle/MaterializeWorkflowDescriptorActorSpec.scala
index 6e9af9b25cc..47ab1e1d6dc 100644
--- a/server/src/test/scala/cromwell/engine/workflow/lifecycle/MaterializeWorkflowDescriptorActorSpec.scala
+++ b/server/src/test/scala/cromwell/engine/workflow/lifecycle/MaterializeWorkflowDescriptorActorSpec.scala
@@ -84,7 +84,8 @@ class MaterializeWorkflowDescriptorActorSpec extends CromwellTestKitWordSpec wit
             wfDesc.knownValues.head._2 shouldBe WomString("world")
             wfDesc.getWorkflowOption(WorkflowOptions.WriteToCache) shouldBe Option("true")
             wfDesc.getWorkflowOption(WorkflowOptions.ReadFromCache) shouldBe None
-            wfDesc.backendDescriptor.customLabels shouldBe Labels("label1" -> "value1", "label2" -> "value2", "Label1" -> "valu£1")
+            wfDesc.backendDescriptor.customLabels shouldBe
+              Labels("Label1" -> "valu£1", "label1" -> "value1", "label2" -> "value2")
             // Default backend assignment is "Local":
             wfDesc.backendAssignments foreach {
               case (call, assignment) if call.callable.name.equals("hello") => assignment shouldBe "Local"
diff --git a/src/ci/bin/test.inc.sh b/src/ci/bin/test.inc.sh
index 1dabd3b0b1f..41a38e17de6 100644
--- a/src/ci/bin/test.inc.sh
+++ b/src/ci/bin/test.inc.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -o errexit -o nounset -o pipefail
+
 # A set of common functions for use in other scripts.
 #
 # Functions:
@@ -20,15 +22,15 @@
 #
 #   - crmcit
 #     Simulate a centaur integration test build. Example: `crmcit=y src/ci/bin/testCentaurPapiV2.sh`
-#
+
 cromwell::private::check_debug() {
     # shellcheck disable=SC2154
-    if [ -n "${crmdbg:+set}" ]; then
-        set -x
+    if [[ -n "${crmdbg:+set}" ]]; then
+        set -o xtrace
     fi
 
     # shellcheck disable=SC2154
-    if [ -n "${crmcit:+set}" ]; then
+    if [[ -n "${crmcit:+set}" ]]; then
         CROMWELL_BUILD_CENTAUR_TYPE="integration"
     fi
 }
@@ -39,9 +41,9 @@ cromwell::private::create_build_variables() {
     CROMWELL_BUILD_PROVIDER_JENKINS="jenkins"
     CROMWELL_BUILD_PROVIDER_UNKNOWN="unknown"
 
-    if [ "${TRAVIS-false}" = "true" ]; then
+    if [[ "${TRAVIS-false}" == "true" ]]; then
         CROMWELL_BUILD_PROVIDER="${CROMWELL_BUILD_PROVIDER_TRAVIS}"
-    elif [ "${JENKINS-false}" = "true" ]; then
+    elif [[ "${JENKINS-false}" == "true" ]]; then
         CROMWELL_BUILD_PROVIDER="${CROMWELL_BUILD_PROVIDER_JENKINS}"
     else
         CROMWELL_BUILD_PROVIDER="${CROMWELL_BUILD_PROVIDER_UNKNOWN}"
@@ -71,6 +73,12 @@ cromwell::private::create_build_variables() {
     CROMWELL_BUILD_WAIT_FOR_IT_SCRIPT="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/${CROMWELL_BUILD_WAIT_FOR_IT_FILENAME}"
     CROMWELL_BUILD_EXIT_FUNCTIONS="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/cromwell_build_exit_functions.$$"
 
+    if [[ -n "${VIRTUAL_ENV:+set}" ]]; then
+      CROMWELL_BUILD_IS_VIRTUAL_ENV=true
+    else
+      CROMWELL_BUILD_IS_VIRTUAL_ENV=false
+    fi
+
     case "${CROMWELL_BUILD_PROVIDER}" in
         "${CROMWELL_BUILD_PROVIDER_TRAVIS}")
             CROMWELL_BUILD_IS_CI=true
@@ -158,15 +166,15 @@ cromwell::private::create_build_variables() {
 
     CROMWELL_BUILD_CROMWELL_CONFIG="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/${CROMWELL_BUILD_BACKEND_TYPE}_application.conf"
 
-    if [ -z "${CROMWELL_BUILD_OPTIONAL_SECURE-}" ]; then
+    if [[ -z "${CROMWELL_BUILD_OPTIONAL_SECURE-}" ]]; then
         CROMWELL_BUILD_OPTIONAL_SECURE=false
     fi
 
-    if [ -z "${CROMWELL_BUILD_REQUIRES_SECURE-}" ]; then
+    if [[ -z "${CROMWELL_BUILD_REQUIRES_SECURE-}" ]]; then
         CROMWELL_BUILD_REQUIRES_SECURE=false
     fi
 
-    if [ -z "${JES_TOKEN-}" ]; then
+    if [[ -z "${JES_TOKEN-}" ]]; then
         JES_TOKEN="jes token is not set as an environment variable"
     fi
 
@@ -190,6 +198,7 @@ cromwell::private::create_build_variables() {
     export CROMWELL_BUILD_HOME_DIRECTORY
     export CROMWELL_BUILD_IS_CI
     export CROMWELL_BUILD_IS_SECURE
+    export CROMWELL_BUILD_IS_VIRTUAL_ENV
     export CROMWELL_BUILD_LOG_DIRECTORY
     export CROMWELL_BUILD_MYSQL_HOSTNAME
     export CROMWELL_BUILD_MYSQL_PASSWORD
@@ -243,12 +252,12 @@ cromwell::private::create_centaur_variables() {
     CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE="papiUpgrade"
     CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE_NEW_WORKFLOWS="papiUpgradeNewWorkflows"
 
-    if [ -z "${CROMWELL_BUILD_CENTAUR_TYPE-}" ]; then
-        if [[ "${CROMWELL_BUILD_TYPE}" = centaurEngineUpgrade* ]]; then
+    if [[ -z "${CROMWELL_BUILD_CENTAUR_TYPE-}" ]]; then
+        if [[ "${CROMWELL_BUILD_TYPE}" == centaurEngineUpgrade* ]]; then
             CROMWELL_BUILD_CENTAUR_TYPE="${CROMWELL_BUILD_CENTAUR_TYPE_ENGINE_UPGRADE}"
-        elif [[ "${CROMWELL_BUILD_TYPE}" = centaurPapiUpgradeNewWorkflows* ]]; then
+        elif [[ "${CROMWELL_BUILD_TYPE}" == centaurPapiUpgradeNewWorkflows* ]]; then
             CROMWELL_BUILD_CENTAUR_TYPE="${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE_NEW_WORKFLOWS}"
-        elif [[ "${CROMWELL_BUILD_TYPE}" = centaurPapiUpgrade* ]]; then
+        elif [[ "${CROMWELL_BUILD_TYPE}" == centaurPapiUpgrade* ]]; then
             CROMWELL_BUILD_CENTAUR_TYPE="${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE}"
         else
             CROMWELL_BUILD_CENTAUR_TYPE="${CROMWELL_BUILD_CENTAUR_TYPE_STANDARD}"
@@ -285,7 +294,8 @@ cromwell::private::create_centaur_variables() {
 cromwell::private::verify_secure_build() {
     case "${CROMWELL_BUILD_PROVIDER}" in
         "${CROMWELL_BUILD_PROVIDER_TRAVIS}")
-            if [ "${CROMWELL_BUILD_IS_SECURE}" != "true" ] && [ "${CROMWELL_BUILD_REQUIRES_SECURE}" = "true" ]; then
+            if [[ "${CROMWELL_BUILD_IS_SECURE}" != "true" ]] && \
+                [[ "${CROMWELL_BUILD_REQUIRES_SECURE}" == "true" ]]; then
                 echo "********************************************************"
                 echo "********************************************************"
                 echo "**                                                    **"
@@ -344,8 +354,22 @@ cromwell::private::delete_sbt_boot() {
     rm -rf ~/.sbt/boot/
 }
 
+cromwell::private::pip_install() {
+    local pip_package
+    pip_package="${1:?pip_install called without a package}"; shift
+
+    if [[ "${CROMWELL_BUILD_IS_CI}" == "true" ]]; then
+        sudo -H pip install "${pip_package}" "$@"
+    elif [[ "${CROMWELL_BUILD_IS_VIRTUAL_ENV}" == "true" ]]; then
+        pip install "${pip_package}" "$@"
+    else
+        pip install "${pip_package}" --user "$@"
+    fi
+}
+
 cromwell::private::upgrade_pip() {
-    sudo -H pip install --upgrade pip
+    cromwell::private::pip_install pip --upgrade
+    cromwell::private::pip_install requests[security] --ignore-installed
 }
 
 cromwell::private::install_wait_for_it() {
@@ -378,13 +402,12 @@ cromwell::private::pull_common_docker_images() {
 cromwell::private::install_cwltest() {
     # TODO: No clue why these are needed for cwltool. If you know please update this comment.
     sudo apt-get install procps || true
-    sudo -H pip install 'requests[security]'
-    sudo -H pip install --ignore-installed cwltool=="${CROMWELL_BUILD_CWL_TOOL_VERSION}"
-    sudo -H pip install cwltest=="${CROMWELL_BUILD_CWL_TEST_VERSION}"
+    cromwell::private::pip_install cwltool=="${CROMWELL_BUILD_CWL_TOOL_VERSION}" --ignore-installed
+    cromwell::private::pip_install cwltest=="${CROMWELL_BUILD_CWL_TEST_VERSION}"
 }
 
 cromwell::private::checkout_pinned_cwl() {
-    if [ ! -d "${CROMWELL_BUILD_CWL_TEST_DIRECTORY}" ]; then
+    if [[ ! -d "${CROMWELL_BUILD_CWL_TEST_DIRECTORY}" ]]; then
         git clone \
             https://github.com/common-workflow-language/common-workflow-language.git \
             "${CROMWELL_BUILD_CWL_TEST_DIRECTORY}"
@@ -414,7 +437,7 @@ cromwell::private::docker_login() {
     else
         local dockerhub_auth_include
         dockerhub_auth_include="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/dockerhub_auth.inc.sh"
-        if [ -f "${dockerhub_auth_include}" ]; then
+        if [[ -f "${dockerhub_auth_include}" ]]; then
             # shellcheck source=/dev/null
             source "${dockerhub_auth_include}"
         fi
@@ -424,7 +447,7 @@ cromwell::private::docker_login() {
 cromwell::private::vault_login() {
     if cromwell::private::is_xtrace_enabled; then
         cromwell::private::exec_silent_function cromwell::private::vault_login
-    elif [ "${CROMWELL_BUILD_IS_SECURE}" = "true" ]; then
+    elif [[ "${CROMWELL_BUILD_IS_SECURE}" == "true" ]]; then
         case "${CROMWELL_BUILD_PROVIDER}" in
             "${CROMWELL_BUILD_PROVIDER_TRAVIS}")
                 # Login to vault to access secrets
@@ -435,7 +458,6 @@ cromwell::private::vault_login() {
                     broadinstitute/dsde-toolbox \
                     vault auth "${vault_token}" < /dev/null > /dev/null && echo vault auth success \
                 || true
-                unset vault_token
                 ;;
             *)
                 ;;
@@ -445,7 +467,7 @@ cromwell::private::vault_login() {
 
 cromwell::private::render_secure_resources() {
     sbt renderCiResources \
-    || if [ "${CROMWELL_BUILD_IS_CI}" = "true" ]; then
+    || if [[ "${CROMWELL_BUILD_IS_CI}" == "true" ]]; then
         echo
         echo "Continuing without rendering secure resources."
     else
@@ -466,7 +488,7 @@ cromwell::private::copy_all_resources() {
 }
 
 cromwell::private::setup_secure_resources() {
-    if [ "${CROMWELL_BUILD_REQUIRES_SECURE}" == "true" ] || [ "${CROMWELL_BUILD_OPTIONAL_SECURE}" == "true" ]; then
+    if [[ "${CROMWELL_BUILD_REQUIRES_SECURE}" == "true" ]] || [[ "${CROMWELL_BUILD_OPTIONAL_SECURE}" == "true" ]]; then
         case "${CROMWELL_BUILD_PROVIDER}" in
             "${CROMWELL_BUILD_PROVIDER_TRAVIS}")
                 cromwell::private::vault_login
@@ -486,7 +508,7 @@ cromwell::private::setup_secure_resources() {
 }
 
 cromwell::private::make_build_directories() {
-    if [ "${CROMWELL_BUILD_PROVIDER}" == "${CROMWELL_BUILD_PROVIDER_JENKINS}" ]; then
+    if [[ "${CROMWELL_BUILD_PROVIDER}" == "${CROMWELL_BUILD_PROVIDER_JENKINS}" ]]; then
         sudo chmod -R a+w .
     fi
     mkdir -p "${CROMWELL_BUILD_LOG_DIRECTORY}"
@@ -516,7 +538,7 @@ cromwell::private::setup_prior_version_resources() {
     export CROMWELL_BUILD_CROMWELL_PRIOR_VERSION_JAR
 
     prior_config="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/${CROMWELL_BUILD_BACKEND_TYPE}_${prior_version}_application.conf"
-    if [ -f "${prior_config}" ]; then
+    if [[ -f "${prior_config}" ]]; then
         CROMWELL_BUILD_CROMWELL_PRIOR_VERSION_CONFIG="${prior_config}"
         export CROMWELL_BUILD_CROMWELL_PRIOR_VERSION_CONFIG
     fi
@@ -594,14 +616,14 @@ cromwell::private::start_build_heartbeat() {
 }
 
 cromwell::private::start_cromwell_log_tail() {
-    while [ ! -f "${CROMWELL_BUILD_CROMWELL_LOG}" ]; do
+    while [[ ! -f "${CROMWELL_BUILD_CROMWELL_LOG}" ]]; do
         sleep 2
     done && tail -n 0 -f "${CROMWELL_BUILD_CROMWELL_LOG}" 2> /dev/null &
     CROMWELL_BUILD_CROMWELL_LOG_TAIL_PID=$!
 }
 
 cromwell::private::start_centaur_log_tail() {
-    while [ ! -f "${CROMWELL_BUILD_CENTAUR_LOG}" ]; do
+    while [[ ! -f "${CROMWELL_BUILD_CENTAUR_LOG}" ]]; do
         sleep 2
     done && tail -n 0 -f "${CROMWELL_BUILD_CENTAUR_LOG}" 2> /dev/null &
     CROMWELL_BUILD_CENTAUR_LOG_TAIL_PID=$!
@@ -618,25 +640,25 @@ cromwell::private::cat_conformance_log() {
 }
 
 cromwell::private::kill_build_heartbeat() {
-    if [ -n "${CROMWELL_BUILD_HEARTBEAT_PID:+set}" ]; then
+    if [[ -n "${CROMWELL_BUILD_HEARTBEAT_PID:+set}" ]]; then
         cromwell::private::kill_tree "${CROMWELL_BUILD_HEARTBEAT_PID}"
     fi
 }
 
 cromwell::private::kill_cromwell_log_tail() {
-    if [ -n "${CROMWELL_BUILD_CROMWELL_LOG_TAIL_PID:+set}" ]; then
+    if [[ -n "${CROMWELL_BUILD_CROMWELL_LOG_TAIL_PID:+set}" ]]; then
         cromwell::private::kill_tree "${CROMWELL_BUILD_CROMWELL_LOG_TAIL_PID}"
     fi
 }
 
 cromwell::private::kill_centaur_log_tail() {
-    if [ -n "${CROMWELL_BUILD_CENTAUR_LOG_TAIL_PID:+set}" ]; then
+    if [[ -n "${CROMWELL_BUILD_CENTAUR_LOG_TAIL_PID:+set}" ]]; then
         cromwell::private::kill_tree ${CROMWELL_BUILD_CENTAUR_LOG_TAIL_PID}
     fi
 }
 
 cromwell::private::run_exit_functions() {
-    if [ -f "${CROMWELL_BUILD_EXIT_FUNCTIONS}" ]; then
+    if [[ -f "${CROMWELL_BUILD_EXIT_FUNCTIONS}" ]]; then
         local exit_function
         while read exit_function; do
           ${exit_function} || true
@@ -649,7 +671,7 @@ cromwell::private::run_exit_functions() {
 # Requires one positional parameter, the function to run.
 cromwell::private::add_exit_function() {
     local exit_function
-    exit_function="${1:?add_exit_function called without a function}"
+    exit_function="${1:?add_exit_function called without a function}"; shift
     echo "${exit_function}" >> "${CROMWELL_BUILD_EXIT_FUNCTIONS}"
     trap cromwell::private::run_exit_functions TERM EXIT
 }
@@ -657,10 +679,11 @@ cromwell::private::add_exit_function() {
 cromwell::private::exec_silent_function() {
     local silent_function
     local xtrace_restore_function
-    silent_function="${1:?exec_silent_function called without a function}"
-    xtrace_restore_function="$(shopt -po xtrace)"
+    silent_function="${1:?exec_silent_function called without a function}"; shift
+
+    xtrace_restore_function="$(shopt -po xtrace || true)"
     shopt -uo xtrace
-    ${silent_function}
+    ${silent_function} "$@"
     ${xtrace_restore_function}
 }
 
@@ -672,7 +695,7 @@ cromwell::private::is_xtrace_enabled() {
 cromwell::private::kill_tree() {
   local pid
   local cpid
-  pid="${1:?kill_tree called without a pid}"
+  pid="${1:?kill_tree called without a pid}"; shift
   for cpid in $(pgrep -P "${pid}"); do
     cromwell::private::kill_tree "${cpid}"
   done
@@ -716,18 +739,18 @@ cromwell::build::setup_common_environment() {
 
 cromwell::build::setup_centaur_environment() {
     cromwell::private::create_centaur_variables
-    if [ "${CROMWELL_BUILD_CENTAUR_TYPE}" = "${CROMWELL_BUILD_CENTAUR_TYPE_ENGINE_UPGRADE}" ]; then
+    if [[ "${CROMWELL_BUILD_CENTAUR_TYPE}" == "${CROMWELL_BUILD_CENTAUR_TYPE_ENGINE_UPGRADE}" ]]; then
         cromwell::private::setup_prior_version_resources
-    elif [ "${CROMWELL_BUILD_CENTAUR_TYPE}" = "${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE}" ]; then
+    elif [[ "${CROMWELL_BUILD_CENTAUR_TYPE}" == "${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE}" ]]; then
         cromwell::private::setup_prior_version_resources
         export CROMWELL_BUILD_CROMWELL_CONFIG="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/papi_v1_37_papi_v2_upgrade.application.conf"
-    elif [ "${CROMWELL_BUILD_CENTAUR_TYPE}" = "${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE_NEW_WORKFLOWS}" ]; then
+    elif [[ "${CROMWELL_BUILD_CENTAUR_TYPE}" == "${CROMWELL_BUILD_CENTAUR_TYPE_PAPI_UPGRADE_NEW_WORKFLOWS}" ]]; then
         export CROMWELL_BUILD_CROMWELL_CONFIG="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/papi_v1_37_papi_v2_upgrade.application.conf"
     fi;
     cromwell::private::start_build_heartbeat
     cromwell::private::start_cromwell_log_tail
     cromwell::private::start_centaur_log_tail
-    if [ "${CROMWELL_BUILD_IS_CI}" = "true" ]; then
+    if [[ "${CROMWELL_BUILD_IS_CI}" == "true" ]]; then
         cromwell::private::add_exit_function cromwell::private::cat_centaur_log
     fi
     cromwell::private::add_exit_function cromwell::private::kill_build_heartbeat
@@ -745,7 +768,7 @@ cromwell::build::run_centaur() {
 
 cromwell::build::setup_conformance_environment() {
     cromwell::private::export_conformance_variables
-    if [ "${CROMWELL_BUILD_IS_CI}" = "true" ]; then
+    if [[ "${CROMWELL_BUILD_IS_CI}" == "true" ]]; then
         cromwell::private::install_cwltest
     fi
     cromwell::private::checkout_pinned_cwl
@@ -757,7 +780,7 @@ cromwell::build::setup_conformance_environment() {
 
 cromwell::build::assemble_jars() {
     cromwell::private::find_cromwell_jar
-    if [ "${CROMWELL_BUILD_IS_CI}" = "true" ] || ! cromwell::private::exists_cromwell_jar; then
+    if [[ "${CROMWELL_BUILD_IS_CI}" == "true" ]] || ! cromwell::private::exists_cromwell_jar; then
         echo "Please wait, building jars…"
         cromwell::private::assemble_jars
     fi
@@ -769,17 +792,17 @@ cromwell::build::assemble_jars() {
 }
 
 cromwell::build::generate_code_coverage() {
-    if [ "${CROMWELL_BUILD_GENERATE_COVERAGE}" = "true" ]; then
+    if [[ "${CROMWELL_BUILD_GENERATE_COVERAGE}" == "true" ]]; then
         cromwell::private::generate_code_coverage
     fi
 }
 
 cromwell::build::publish_artifacts() {
-    if [ "${CROMWELL_BUILD_PROVIDER}" == "${CROMWELL_BUILD_PROVIDER_TRAVIS}" ] && \
-        [ "${CROMWELL_BUILD_TYPE}" == "sbt" ] && \
-        [ "${CROMWELL_BUILD_EVENT}" == "push" ]; then
+    if [[ "${CROMWELL_BUILD_PROVIDER}" == "${CROMWELL_BUILD_PROVIDER_TRAVIS}" ]] && \
+        [[ "${CROMWELL_BUILD_TYPE}" == "sbt" ]] && \
+        [[ "${CROMWELL_BUILD_EVENT}" == "push" ]]; then
 
-        if [ "${CROMWELL_BUILD_BRANCH}" = "develop" ]; then
+        if [[ "${CROMWELL_BUILD_BRANCH}" == "develop" ]]; then
             # Publish images for both the "cromwell develop branch" and the "cromwell dev environment".
             CROMWELL_SBT_DOCKER_TAGS=develop,dev \
                 cromwell::private::publish_artifacts_and_docker \
@@ -790,13 +813,13 @@ cromwell::build::publish_artifacts() {
             # Docker tags float. "30" is the latest hotfix. Those dockers are published here on each hotfix commit.
             cromwell::private::publish_artifacts_and_docker -Dproject.isSnapshot=false
 
-        elif [ -n "${CROMWELL_BUILD_TAG:+set}" ]; then
+        elif [[ -n "${CROMWELL_BUILD_TAG:+set}" ]]; then
             # Artifact tags are static. Once "30" is set that is only "30" forever. Those artifacts are published here.
             cromwell::private::publish_artifacts_only \
                 -Dproject.version="${CROMWELL_BUILD_TAG}" \
                 -Dproject.isSnapshot=false
 
-        elif [ "${CROMWELL_BUILD_IS_SECURE}" = "true" ]; then
+        elif [[ "${CROMWELL_BUILD_IS_SECURE}" == "true" ]]; then
             cromwell::private::publish_artifacts_check
 
         fi
@@ -804,6 +827,39 @@ cromwell::build::publish_artifacts() {
     fi
 }
 
+cromwell::build::exec_retry_function() {
+    local retried_function
+    local retry_count
+    local attempt
+    local exit_status
+
+    retried_function="${1:?exec_retry_function called without a function}"; shift
+    retry_count="${1:-3}"; shift || true
+    sleep_seconds="${1:-15}"; shift || true
+
+    # https://unix.stackexchange.com/a/82610
+    # https://stackoverflow.com/a/17336953
+    for attempt in $(seq 0 ${retry_count}); do
+        [[ ${attempt} -gt 0 ]] && sleep ${sleep_seconds}
+        ${retried_function} && exit_status=0 && break || exit_status=$?
+    done
+    return ${exit_status}
+}
+
+cromwell::build::exec_silent_function() {
+    local silent_function
+    silent_function="${1:?exec_silent_function called without a function}"; shift
+    if cromwell::private::is_xtrace_enabled; then
+        cromwell::private::exec_silent_function ${silent_function} "$@"
+    else
+        ${silent_function} "$@"
+    fi
+}
+
+cromwell::build::pip_install() {
+    cromwell::private::pip_install "$@"
+}
+
 cromwell::build::add_exit_function() {
     cromwell::private::add_exit_function "$1"
 }
diff --git a/src/ci/bin/testCentaurAws.sh b/src/ci/bin/testCentaurAws.sh
index 4f49f0baba4..c4ea36d0975 100755
--- a/src/ci/bin/testCentaurAws.sh
+++ b/src/ci/bin/testCentaurAws.sh
@@ -15,7 +15,7 @@ cromwell::build::assemble_jars
 
 
 # Installing the AWS CLI
-pip install awscli --upgrade --user
+cromwell::build::pip_install awscli --upgrade
 export AWS_SHARED_CREDENTIALS_FILE="${CROMWELL_BUILD_RESOURCES_DIRECTORY}"/aws_credentials
 export AWS_CONFIG_FILE="${CROMWELL_BUILD_RESOURCES_DIRECTORY}"/aws_config
 
diff --git a/src/ci/bin/testCentaurBcs.sh b/src/ci/bin/testCentaurBcs.sh
index 8c980f5d778..94d0c2f4f91 100755
--- a/src/ci/bin/testCentaurBcs.sh
+++ b/src/ci/bin/testCentaurBcs.sh
@@ -1,72 +1,146 @@
 #!/usr/bin/env bash
 
-# Disabled until:
-# - https://github.com/broadinstitute/cromwell/issues/3555
-# - https://github.com/broadinstitute/cromwell/issues/3554
-exit 0
-
 set -o errexit -o nounset -o pipefail
 export CROMWELL_BUILD_REQUIRES_SECURE=true
 # import in shellcheck / CI / IntelliJ compatible ways
 # shellcheck source=/dev/null
 source "${BASH_SOURCE%/*}/test.inc.sh" || source test.inc.sh
+# shellcheck source=/dev/null
+source "${BASH_SOURCE%/*}/test_bcs.inc.sh" || source test_bcs.inc.sh
 
 cromwell::build::setup_common_environment
 
+cromwell::build::bcs::setup_bcs_environment
+
 cromwell::build::setup_centaur_environment
 
 cromwell::build::assemble_jars
 
-cromwell::build::setup_secure_resources
-
+# Instead of excluding tests, only include a fixed list of tests. This is because due to the
+# numerous issues below, contributors did not like having to constantly update the exclude lists.
 # https://github.com/broadinstitute/cromwell/issues/3522
 # https://github.com/broadinstitute/cromwell/issues/3523
 # https://github.com/broadinstitute/cromwell/issues/3524
-exclude_known_bugs=( \
-    -e bad_file_string \
-    -e bad_output_task \
-    -e tmp_dir \
-)
-
 # https://github.com/broadinstitute/cromwell/issues/3518
-exclude_docker_tests=( \
-    -e curl \
-    -e docker_hash_dockerhub \
-    -e docker_hash_gcr \
-    -e docker_hash_quay \
-    -e dont_cache_to_failed_jobs \
-    -e hello \
-    -e hello_yaml \
-    -e inline_file \
-    -e inline_file_custom_entryname \
-    -e iwdr_input_string \
-    -e iwdr_input_string_function \
-    -e non_root_default_user \
-    -e three_step_cwl \
-)
-
 # https://github.com/broadinstitute/cromwell/issues/3519
-exclude_glob_tests=( \
-    -e cwl_glob_sort \
-    -e cwl_interpolated_strings \
-    -e dontglobinputs \
-    -e globbingbehavior \
-    -e globbingindex \
-    -e globbingscatter \
-    -e lots_of_inputs \
-    -e space \
-    -e wdl_empty_glob \
+include_tests=( \
+    -i abort.instant_abort \
+    -i abort.sub_workflow_abort \
+    -i aliased_subworkflows \
+    -i array_io \
+    -i array_literal_locations \
+    -i arrays_scatters_ifs \
+    -i bad_docker_name \
+    -i bad_workflow_failure_mode \
+    -i cacheBetweenWF \
+    -i cacheWithinWF \
+    -i chainfail \
+    -i complex_types_files \
+    -i composedenginefunctions \
+    -i cwl_input_binding_expression \
+    -i cwl_optionals \
+    -i declarations \
+    -i declarations_as_nodes \
+    -i declarations_in_ifs \
+    -i default_runtime_attributes \
+    -i defined_function \
+    -i dont_strip_line_prefix \
+    -i dot_dir_stuck_running \
+    -i draft3_declaration_chain \
+    -i draft3_default_input_overrides \
+    -i draft3_empty \
+    -i draft3_import_structs \
+    -i draft3_lots_of_nesting \
+    -i draft3_nested_scatter \
+    -i draft3_nested_struct \
+    -i draft3_passthrough_value \
+    -i draft3_sizeenginefunction \
+    -i draft3_struct_output \
+    -i draft3_taskless_engine_functions \
+    -i empty_scatter \
+    -i empty_string \
+    -i exit \
+    -i expression_lib_cwl \
+    -i failures.terminal_status \
+    -i filearrayoutput \
+    -i floating_tags \
+    -i forkjoin \
+    -i hello_cwl \
+    -i if_then_else_expressions \
+    -i ifs_upstream_and_downstream \
+    -i input_mirror \
+    -i invalid_inputs_json \
+    -i invalid_labels \
+    -i invalid_options_json \
+    -i invalid_runtime_attributes \
+    -i invalid_wdl \
+    -i length \
+    -i long_cmd \
+    -i lots_of_nesting \
+    -i member_access \
+    -i missing_imports \
+    -i missing_sub_inputs \
+    -i multiline_command_line \
+    -i multiplesourcedarray \
+    -i nested_lookups \
+    -i null_input_values \
+    -i object_access \
+    -i optional_declarations \
+    -i optional_parameter \
+    -i output_filename_interpolation \
+    -i output_redirection \
+    -i passingfiles \
+    -i prefix \
+    -i public_http_import \
+    -i readFromCacheFalse \
+    -i read_tsv \
+    -i read_write_json \
+    -i read_write_map \
+    -i referencingpreviousinputsandoutputs \
+    -i runtime_attribute_expressions \
+    -i runtime_failOnStderr \
+    -i scatterchain \
+    -i scattergather \
+    -i scatters_in_ifs \
+    -i select_functions \
+    -i simple_if \
+    -i simple_if_workflow_outputs \
+    -i single_to_array_coercion \
+    -i sizeenginefunction \
+    -i square \
+    -i stdout_stderr_passing \
+    -i string_interpolation \
+    -i sub_function \
+    -i sub_workflow_decls \
+    -i sub_workflow_hello_world \
+    -i sub_workflow_interactions \
+    -i sub_workflow_interactions_scatter \
+    -i sub_workflow_no_output \
+    -i sub_workflow_var_refs \
+    -i subdirectory \
+    -i subworkflows_in_ifs \
+    -i taskless_engine_functions \
+    -i test_file_outputs_from_input \
+    -i three_step__subwf_cwl \
+    -i unexpected_call_input_failure \
+    -i unexpected_subworkflow_call_input_failure \
+    -i valid_labels \
+    -i variable_scoping \
+    -i wdl_function_locations \
+    -i workflow_output_declarations \
+    -i workflow_type_and_version_default \
+    -i workflow_type_and_version_wdl \
+    -i workflowenginefunctions \
+    -i writeToCache \
+    -i write_lines \
+    -i write_lines_files \
+    -i write_tsv \
 )
 
-centaur/test_cromwell.sh \
-    -n "${CROMWELL_BUILD_CENTAUR_CONFIG}" \
-    -l "${CROMWELL_BUILD_LOG_DIRECTORY}" \
-    -g \
+cromwell::build::run_centaur \
     -p 100 \
     -t 1m \
     -e localdockertest \
-    "${exclude_known_bugs[@]}" \
-    "${exclude_docker_tests[@]}" \
-    "${exclude_glob_tests[@]}"
+    "${include_tests[@]}" \
 
 cromwell::build::generate_code_coverage
diff --git a/src/ci/bin/testCentaurTes.sh b/src/ci/bin/testCentaurTes.sh
index 8de6898dae1..76f9ef3ee82 100755
--- a/src/ci/bin/testCentaurTes.sh
+++ b/src/ci/bin/testCentaurTes.sh
@@ -17,14 +17,14 @@ FUNNEL_CONF="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/funnel.conf"
 
 # Increase max open files to the maximum allowed. Attempt to help on macos due to the default soft ulimit -n -S 256.
 ulimit -n "$(ulimit -n -H)"
-if [ ! -f "${FUNNEL_PATH}" ]; then
+if [[ ! -f "${FUNNEL_PATH}" ]]; then
     FUNNEL_TAR_GZ="funnel-${CROMWELL_BUILD_OS}-amd64-0.5.0.tar.gz"
     curl "https://github.com/ohsu-comp-bio/funnel/releases/download/0.5.0/${FUNNEL_TAR_GZ}" -o "${FUNNEL_TAR_GZ}" -L
     tar xzf "${FUNNEL_TAR_GZ}"
 fi
 
 shutdown_funnel() {
-    if [ -n "${FUNNEL_PID+set}" ]; then
+    if [[ -n "${FUNNEL_PID+set}" ]]; then
         cromwell::build::kill_tree "${FUNNEL_PID}"
     fi
 }
@@ -32,7 +32,7 @@ shutdown_funnel() {
 cromwell::build::add_exit_function shutdown_funnel
 
 mkdir -p logs
-nohup "${FUNNEL_PATH}" server run --config "${FUNNEL_CONF}" > logs/funnel.log 2>&1 &
+nohup "${FUNNEL_PATH}" server run --config "${FUNNEL_CONF}" &> logs/funnel.log &
 
 FUNNEL_PID=$!
 
diff --git a/src/ci/bin/testConformanceLocal.sh b/src/ci/bin/testConformanceLocal.sh
index 83fd889214b..8fdfb682f28 100755
--- a/src/ci/bin/testConformanceLocal.sh
+++ b/src/ci/bin/testConformanceLocal.sh
@@ -11,7 +11,7 @@ cromwell::build::setup_conformance_environment
 
 # Override of the default sbt assembly command which is just `assembly`.
 # The conformance runs only need these two subprojects so save a couple of minutes and skip the rest.
-CROMWELL_SBT_ASSEMBLY_COMMAND="server/assembly centaurCwlRunner/assembly"
+export CROMWELL_SBT_ASSEMBLY_COMMAND="server/assembly centaurCwlRunner/assembly"
 cromwell::build::assemble_jars
 
 CENTAUR_CWL_RUNNER_MODE="local"
@@ -20,7 +20,7 @@ CENTAUR_CWL_RUNNER_MODE="local"
 export CENTAUR_CWL_RUNNER_MODE
 
 shutdown_cromwell() {
-    if [ -n "${CROMWELL_PID+set}" ]; then
+    if [[ -n "${CROMWELL_PID+set}" ]]; then
         cromwell::build::kill_tree "${CROMWELL_PID}"
     fi
 }
diff --git a/src/ci/bin/testConformancePapiV2.sh b/src/ci/bin/testConformancePapiV2.sh
index a15b0bbd68b..3d27b1fd2e1 100755
--- a/src/ci/bin/testConformancePapiV2.sh
+++ b/src/ci/bin/testConformancePapiV2.sh
@@ -12,7 +12,7 @@ cromwell::build::setup_conformance_environment
 
 # Override of the default sbt assembly command which is just `assembly`.
 # The conformance runs only need these two subprojects so save a couple of minutes and skip the rest.
-CROMWELL_SBT_ASSEMBLY_COMMAND="server/assembly centaurCwlRunner/assembly"
+export CROMWELL_SBT_ASSEMBLY_COMMAND="server/assembly centaurCwlRunner/assembly"
 cromwell::build::assemble_jars
 
 CENTAUR_CWL_RUNNER_MODE="papi"
@@ -25,7 +25,7 @@ export GOOGLE_AUTH_MODE
 export PAPI_INPUT_GCS_PREFIX
 
 shutdown_cromwell() {
-    if [ -n "${CROMWELL_PID+set}" ]; then
+    if [[ -n "${CROMWELL_PID+set}" ]]; then
         cromwell::build::kill_tree "${CROMWELL_PID}"
     fi
 }
diff --git a/src/ci/bin/testConformanceTesk.sh b/src/ci/bin/testConformanceTesk.sh
index 1eb489cc16c..0d7d077caa3 100755
--- a/src/ci/bin/testConformanceTesk.sh
+++ b/src/ci/bin/testConformanceTesk.sh
@@ -5,7 +5,7 @@ set -o errexit -o nounset -o pipefail
 # shellcheck source=/dev/null
 source "${BASH_SOURCE%/*}/test.inc.sh" || source test.inc.sh
 
-if [ "${CROMWELL_BUILD_EVENT}" != "cron" ]; then
+if [[ "${CROMWELL_BUILD_EVENT}" != "cron" ]]; then
     echo "TESK integration tests run only as a CRON JOB"
     exit 0
 fi
@@ -28,7 +28,7 @@ export TESK_INPUT_FTP_PREFIX
 export CROMWELL_BUILD_CWL_TEST_PARALLELISM
 
 shutdown_cromwell() {
-    if [ -n "${CROMWELL_PID+set}" ]; then
+    if [[ -n "${CROMWELL_PID+set}" ]]; then
         cromwell::build::kill_tree "${CROMWELL_PID}"
     fi
 }
diff --git a/src/ci/bin/test_bcs.inc.sh b/src/ci/bin/test_bcs.inc.sh
new file mode 100644
index 00000000000..2a5d776f17b
--- /dev/null
+++ b/src/ci/bin/test_bcs.inc.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o pipefail
+# import in shellcheck / CI / IntelliJ compatible ways
+# shellcheck source=/dev/null
+source "${BASH_SOURCE%/*}/test.inc.sh" || source test.inc.sh
+
+# A set of common BCS functions for use in other scripts.
+#
+# Functions:
+#
+#   - cromwell::build::bcs::*
+#     Functions for use in other BCS scripts
+#
+#   - cromwell::private::bcs::*
+#     Functions for use only within this file by cromwell::build::bcs::* functions
+#
+
+cromwell::private::bcs::bcs_install() {
+    cromwell::build::pip_install batchcompute-cli==1.7.1 --upgrade
+}
+
+cromwell::private::bcs::bcs_run() {
+    local bcs_command
+    local bcs_command_result
+
+    bcs_command="${1:?bcs_run called without a command}"; shift
+    bcs_command_result="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/${bcs_command}_result.txt"
+
+    # Login failures print out the access key so send output to a file.
+    bcs "${bcs_command}" "$@" </dev/null 2>&1 | tee "${bcs_command_result}"
+
+    # bcs commands always exit with zero. make sure the result text does not contain "error".
+    if grep -q -i error "${bcs_command_result}"; then
+        echo "bcs ${bcs_command} failed" >&2
+        grep -i error "${bcs_command_result}" >&2
+        return 1
+    else
+        return 0
+    fi
+}
+
+cromwell::private::bcs::try_bcs_login() {
+    local bcs_login_include
+    bcs_login_include="${CROMWELL_BUILD_RESOURCES_DIRECTORY}/bcs_login.inc.sh"
+    if [[ -f "${bcs_login_include}" ]]; then
+        # shellcheck source=/dev/null
+        source "${bcs_login_include}"
+    fi
+}
+
+cromwell::private::bcs::try_bcs_create_cluster() {
+    local cluster_name
+
+    cluster_name=$(printf "cromwell_build_${CROMWELL_BUILD_PROVIDER}_${CROMWELL_BUILD_NUMBER}" | tr -c a-zA-Z0-9_- _)
+
+    echo "Creating BCS cluster name: '${cluster_name}'"
+
+    CROMWELL_BUILD_BCS_CLUSTER_ID=$( \
+        cromwell::private::bcs::bcs_run \
+            create_cluster \
+            "${cluster_name}" \
+            --image img-ubuntu \
+            --type ecs.sn1.medium \
+            --nodes 8 \
+            --vpc_cidr_block 192.168.1.0/24 \
+            --no_cache_support \
+            | grep 'Cluster created:' \
+            | awk '{print $NF}' \
+    )
+
+    echo "Created BCS cluster id: '${CROMWELL_BUILD_BCS_CLUSTER_ID}'"
+
+    export CROMWELL_BUILD_BCS_CLUSTER_ID
+}
+
+cromwell::private::bcs::try_bcs_delete_cluster() {
+    cromwell::private::bcs::bcs_run delete_cluster --yes "${CROMWELL_BUILD_BCS_CLUSTER_ID}"
+}
+
+cromwell::private::bcs::bcs_login() {
+    cromwell::build::exec_retry_function cromwell::private::bcs::try_bcs_login
+}
+
+cromwell::private::bcs::bcs_config() {
+    cromwell::private::bcs::bcs_run config --god true
+}
+
+cromwell::private::bcs::bcs_create_cluster() {
+    cromwell::build::exec_retry_function cromwell::private::bcs::try_bcs_create_cluster
+}
+
+cromwell::private::bcs::bcs_delete_cluster() {
+    if [[ -n "${CROMWELL_BUILD_BCS_CLUSTER_ID}" ]]; then
+        cromwell::build::exec_retry_function cromwell::private::bcs::try_bcs_delete_cluster || true
+    fi
+}
+
+cromwell::private::bcs::bcs_delete_old_resources() {
+    # Clean up assuming that all BCS jobs and clusters that are older than 3 hours are orphans to be deleted. jq 1.5
+    # date functions all use UTC. https://stedolan.github.io/jq/manual/v1.5/#Dates Set the timezone environment variable
+    # to UTC before running the command just in case this script/bcs are run on a different zone outside of UTC.
+    echo "Please wait, removing old jobs…"
+
+    TZ=utc \
+        bcs job --all --show_json \
+        | jq \
+            -L "${CROMWELL_BUILD_RESOURCES_DIRECTORY}" \
+            --raw-output 'include "bcs"; printIdsMoreThanSecondsOld(.; 3 * 60 * 60)' \
+        | xargs -n 1 -I '{}' bash -c 'bcs delete_job --yes {} || true'
+
+    echo "Please wait, removing old clusters…"
+    TZ=utc \
+        bcs cluster --show_json \
+        | jq \
+            -L "${CROMWELL_BUILD_RESOURCES_DIRECTORY}" \
+            --raw-output 'include "bcs"; printIdsMoreThanSecondsOld(.; 3 * 60 * 60)' \
+        | xargs -n 1 -I '{}' bash -c 'bcs delete_cluster --yes {} || true'
+}
+
+cromwell::build::bcs::setup_bcs_environment() {
+    cromwell::private::bcs::bcs_install
+    cromwell::build::exec_silent_function cromwell::private::bcs::bcs_login
+    cromwell::private::bcs::bcs_config
+    cromwell::private::bcs::bcs_delete_old_resources
+
+    # Create the BCS cluster before sbt assembly as cluster creation takes a few minutes
+    cromwell::build::add_exit_function cromwell::private::bcs::bcs_delete_cluster
+    cromwell::private::bcs::bcs_create_cluster
+}
diff --git a/src/ci/resources/bcs.jq b/src/ci/resources/bcs.jq
new file mode 100644
index 00000000000..ef76bc3a628
--- /dev/null
+++ b/src/ci/resources/bcs.jq
@@ -0,0 +1,31 @@
+# Convert a bcs date to an jq compatible date.
+# The bcs date should already be in UTC.
+# https://stedolan.github.io/jq/manual/v1.5/#Dates
+def bcsToEpochSeconds(bcs_date):
+    bcs_date
+    | sub(" "; "T")
+    | sub("\\..*$"; "Z")
+    | fromdateiso8601;
+
+# Returns true if the jq function `now` is more than `seconds` ahead of `epoch_date_seconds`.
+# https://stedolan.github.io/jq/manual/v1.5/#Dates
+def isMoreThanSecondsOld(epoch_date_seconds; seconds):
+    now - epoch_date_seconds > seconds;
+
+# Filters the bcs date `key` if it is more than `seconds` old.
+# https://stedolan.github.io/jq/manual/v1.5/#select(boolean_expression)
+def filterMoreThanSecondsOld(key; seconds):
+    map(select(isMoreThanSecondsOld(
+        bcsToEpochSeconds(key);
+        seconds
+    )));
+
+# Returns items under `key` that were created more than `seconds` ago.
+# For bcs jobs and clusters the key is usually `.`.
+# Expects `key` to be able to parse `{ Items: [ .Items[] | {Id, CreationTime} ] }`
+def printIdsMoreThanSecondsOld(key; seconds):
+    key
+    | .Items
+    | filterMoreThanSecondsOld(.CreationTime; seconds)
+    | .[]
+    | .Id;
diff --git a/src/ci/resources/bcs_application.conf.ctmpl b/src/ci/resources/bcs_application.conf.ctmpl
index fedc963c61a..38944e6914d 100644
--- a/src/ci/resources/bcs_application.conf.ctmpl
+++ b/src/ci/resources/bcs_application.conf.ctmpl
@@ -10,17 +10,17 @@ backend {
       actor-factory = "cromwell.backend.impl.bcs.BcsBackendLifecycleActorFactory"
 
       config {
-        root = "oss://broad-test/cromwell-dir"
-        region = "cn-hangzhou"
+        root = "oss://cloud-cromwell-dev-self-cleaning/cromwell-dir"
+        region = "us-east-1"
         access-id = "{{$cromwellBcs.Data.access_id}}"
         access-key = "{{$cromwellBcs.Data.access_key}}"
 
-        concurrent-job-limit = 1000
+        concurrent-job-limit = 50
 
         filesystems {
           oss {
             auth {
-              endpoint = "oss-cn-hangzhou.aliyuncs.com"
+              endpoint = "oss-us-east-1.aliyuncs.com"
               access-id = "{{$cromwellBcs.Data.access_id}}"
               access-key = "{{$cromwellBcs.Data.access_key}}"
             }
@@ -35,7 +35,8 @@ backend {
           #cluster: "OnDemand ecs.sn1.medium img-ubuntu"
           # Alternatively leave a fixed cluster spun up via:
           # bcs cc travis_test_cluster -i img-ubuntu -t ecs.sn1.medium -n 1 -d 'travis test cluster'
-          cluster: "cls-4tf87ceg15legjo0ri4003"
+          cluster: "OnDemand ecs.sn1.medium img-ubuntu"
+          cluster: ${?CROMWELL_BUILD_BCS_CLUSTER_ID}
 
           # TODO: We should continue to allow users and our Travis test to cache images in their own OSS bucket
           # BUT we should also be able to check the hash of the image in OSS using the config supplied credentials
@@ -67,7 +68,7 @@ engine {
   filesystems {
     oss {
       auth {
-        endpoint = "oss-cn-hangzhou.aliyuncs.com"
+        endpoint = "oss-us-east-1.aliyuncs.com"
         access-id = "{{$cromwellBcs.Data.access_id}}"
         access-key = "{{$cromwellBcs.Data.access_key}}"
       }
diff --git a/src/ci/resources/bcs_login.inc.sh.ctmpl b/src/ci/resources/bcs_login.inc.sh.ctmpl
new file mode 100644
index 00000000000..bbb0327afe6
--- /dev/null
+++ b/src/ci/resources/bcs_login.inc.sh.ctmpl
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Used to login bcs from the command line. If/when there is a better way to bcs login please update testCentaurBcs.sh
+# and remove all traces of this include.
+
+set -o errexit -o nounset -o pipefail
+
+local bcs_access_id
+local bcs_access_key
+
+{{with $cromwellBcs := vault (printf "secret/dsde/cromwell/common/cromwell-bcs")}}
+bcs_access_id="{{$cromwellBcs.Data.access_id}}"
+bcs_access_key="{{$cromwellBcs.Data.access_key}}"
+{{end}}
+
+cromwell::build::exec_silent_function \
+  cromwell::private::bcs::bcs_run login us-east-1 "${bcs_access_id}" "${bcs_access_key}" >/dev/null
diff --git a/src/ci/resources/dockerhub_auth.inc.sh.ctmpl b/src/ci/resources/dockerhub_auth.inc.sh.ctmpl
index 448eb6d437a..bcc208bed3a 100644
--- a/src/ci/resources/dockerhub_auth.inc.sh.ctmpl
+++ b/src/ci/resources/dockerhub_auth.inc.sh.ctmpl
@@ -14,6 +14,3 @@ docker_password="{{$cromwellDockerhub.Data.password}}"
 {{end}}
 
 docker login --username "${docker_username}" --password "${docker_password}"
-
-unset docker_username
-unset docker_password
diff --git a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchBackendInitializationData.scala b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchBackendInitializationData.scala
index 37503ccd0cf..2ce458874c6 100644
--- a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchBackendInitializationData.scala
+++ b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchBackendInitializationData.scala
@@ -31,7 +31,7 @@
 
 package cromwell.backend.impl.aws
 
-import software.amazon.awssdk.core.auth.AwsCredentials
+import software.amazon.awssdk.auth.credentials.AwsCredentials
 import cromwell.backend.standard.{StandardInitializationData, StandardValidatedRuntimeAttributesBuilder}
 
 case class AwsBatchBackendInitializationData
diff --git a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchInitializationActor.scala b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchInitializationActor.scala
index d1f505eac55..8a9ae750148 100644
--- a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchInitializationActor.scala
+++ b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchInitializationActor.scala
@@ -34,7 +34,7 @@ package cromwell.backend.impl.aws
 import java.io.IOException
 
 import akka.actor.ActorRef
-import software.amazon.awssdk.core.auth.AwsCredentials
+import software.amazon.awssdk.auth.credentials.AwsCredentials
 import cromwell.filesystems.s3.batch.S3BatchCommandBuilder
 import cromwell.backend.standard.{StandardInitializationActor,
                                   StandardInitializationActorParams,
diff --git a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchJob.scala b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchJob.scala
index 2bad0139a0a..bd3d1e1daf3 100644
--- a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchJob.scala
+++ b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchJob.scala
@@ -47,7 +47,7 @@ import cromwell.backend.BackendJobDescriptor
 import cromwell.backend.io.JobPaths
 import org.slf4j.LoggerFactory
 import fs2.Stream
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.regions.Region
 
 import scala.collection.JavaConverters._
 import scala.concurrent.duration._
@@ -104,25 +104,25 @@ final case class AwsBatchJob(jobDescriptor: BackendJobDescriptor, // WDL/CWL
     //       later, so I'm leaving it here for potential future use.
     script.concat(s"""
     |echo "MIME-Version: 1.0
-    |Content-Type: multipart/alternative; boundary="${boundary}"
-
-    |--${boundary}
+    |Content-Type: multipart/alternative; boundary="$boundary"
+    |
+    |--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="rc.txt"
     |"
-    |cat ${dockerRc}
-    |echo "--${boundary}
+    |cat $dockerRc
+    |echo "--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="stdout.txt"
     |"
-    |cat ${dockerStdout}
-    |echo "--${boundary}
+    |cat $dockerStdout
+    |echo "--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="stderr.txt"
     |"
-    |cat ${dockerStderr}
-    |echo "--${boundary}--"
-    |exit $$(cat ${dockerRc})
+    |cat $dockerStderr
+    |echo "--$boundary--"
+    |exit $$(cat $dockerRc)
     """).stripMargin
   }
   def submitJob[F[_]]()(
diff --git a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPaths.scala b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPaths.scala
index 6b54aac0051..f63d309c7d3 100644
--- a/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPaths.scala
+++ b/supportedBackends/aws/src/main/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPaths.scala
@@ -31,7 +31,7 @@
 
 package cromwell.backend.impl.aws
 
-import software.amazon.awssdk.core.auth.{AwsCredentials}
+import software.amazon.awssdk.auth.credentials.AwsCredentials
 import akka.actor.ActorSystem
 import com.typesafe.config.Config
 import cromwell.backend.io.WorkflowPaths
diff --git a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchAsyncBackendJobExecutionActorSpec.scala b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchAsyncBackendJobExecutionActorSpec.scala
index 062762fcaeb..03249474f27 100644
--- a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchAsyncBackendJobExecutionActorSpec.scala
+++ b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchAsyncBackendJobExecutionActorSpec.scala
@@ -59,8 +59,8 @@ import cromwell.util.SampleWdl
 import org.scalatest._
 import org.slf4j.Logger
 import org.specs2.mock.Mockito
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
-import software.amazon.awssdk.core.regions.Region
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
+import software.amazon.awssdk.regions.Region
 import spray.json._
 import wdl.draft2.model._
 import wdl.transforms.draft2.wdlom2wom.WdlDraft2WomExecutableMakers._
@@ -80,8 +80,12 @@ import scala.util.Success
 
 class AwsBatchAsyncBackendJobExecutionActorSpec extends TestKitSuite("AwsBatchAsyncBackendJobExecutionActorSpec")
   with FlatSpecLike with Matchers with ImplicitSender with Mockito with BackendSpec with BeforeAndAfter with DefaultJsonProtocol {
-  lazy val mockPathBuilder: S3PathBuilder = S3PathBuilder.fromCredentials(AnonymousCredentialsProvider.create.getCredentials,
-    S3Storage.DefaultConfiguration, WorkflowOptions.empty, Option(Region.US_EAST_1))
+  lazy val mockPathBuilder: S3PathBuilder = S3PathBuilder.fromCredentials(
+    AnonymousCredentialsProvider.create.resolveCredentials(),
+    S3Storage.DefaultConfiguration,
+    WorkflowOptions.empty,
+    Option(Region.US_EAST_1)
+  )
 
   var kvService: ActorRef = system.actorOf(Props(new InMemoryKvServiceActor))
 
@@ -129,7 +133,11 @@ class AwsBatchAsyncBackendJobExecutionActorSpec extends TestKitSuite("AwsBatchAs
   }
 
   private def buildInitializationData(jobDescriptor: BackendJobDescriptor, configuration: AwsBatchConfiguration) = {
-    val workflowPaths = AwsBatchWorkflowPaths(jobDescriptor.workflowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)(system)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      jobDescriptor.workflowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
     val runtimeAttributesBuilder = AwsBatchRuntimeAttributes.runtimeAttributesBuilder(configuration)
     AwsBatchBackendInitializationData(workflowPaths, runtimeAttributesBuilder, configuration, null)
   }
diff --git a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchCallPathsSpec.scala b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchCallPathsSpec.scala
index 6203947e9e1..eef2ba85ac4 100644
--- a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchCallPathsSpec.scala
+++ b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchCallPathsSpec.scala
@@ -31,7 +31,7 @@
 
 package cromwell.backend.impl.aws
 
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
 import common.collections.EnhancedCollections._
 import cromwell.backend.BackendSpec
 import cromwell.backend.io.JobPathsSpecHelper._
@@ -59,7 +59,11 @@ class AwsBatchCallPathsSpec extends TestKitSuite with FlatSpecLike with Matchers
     )
     val jobDescriptorKey = firstJobDescriptorKey(workflowDescriptor)
     val configuration = new AwsBatchConfiguration(AwsBatchBackendConfigurationDescriptor)
-    val workflowPaths = AwsBatchWorkflowPaths(workflowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      workflowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
 
     val callPaths = AwsBatchJobPaths(workflowPaths, jobDescriptorKey)
 
@@ -78,7 +82,11 @@ class AwsBatchCallPathsSpec extends TestKitSuite with FlatSpecLike with Matchers
     )
     val jobDescriptorKey = firstJobDescriptorKey(workflowDescriptor)
     val configuration = new AwsBatchConfiguration(AwsBatchBackendConfigurationDescriptor)
-    val workflowPaths = AwsBatchWorkflowPaths(workflowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      workflowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
 
     val callPaths = AwsBatchJobPaths(workflowPaths, jobDescriptorKey)
 
@@ -101,7 +109,11 @@ class AwsBatchCallPathsSpec extends TestKitSuite with FlatSpecLike with Matchers
     )
     val jobDescriptorKey = firstJobDescriptorKey(workflowDescriptor)
     val configuration = new AwsBatchConfiguration(AwsBatchBackendConfigurationDescriptor)
-    val workflowPaths = AwsBatchWorkflowPaths(workflowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      workflowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
 
     val callPaths = AwsBatchJobPaths(workflowPaths, jobDescriptorKey)
     
diff --git a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchJobSpec.scala b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchJobSpec.scala
index d23ddf834ba..cb8738be118 100644
--- a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchJobSpec.scala
+++ b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchJobSpec.scala
@@ -31,11 +31,7 @@
 
 package cromwell.backend.impl.aws
 
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
-import cromwell.core.TestKitSuite
-import org.scalatest.{FlatSpecLike, Matchers}
-import org.specs2.mock.Mockito
-import cromwell.util.SampleWdl
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
 
 import cromwell.core.TestKitSuite
 import cromwell.util.SampleWdl
@@ -80,12 +76,12 @@ class AwsBatchJobSpec extends TestKitSuite with FlatSpecLike with Matchers with
     |export HOME="$HOME"
     |(
     |  cd /cromwell_root
-
+    |
     |)
     |(
     |  cd /cromwell_root
-
-
+    |
+    |
     |  echo "Hello World! Welcome to Cromwell . . . on AWS!" >&2
     |)  > '/cromwell_root/hello-stdout.log' 2> '/cromwell_root/hello-stderr.log'
     |echo $? > /cromwell_root/hello-rc.txt.tmp
@@ -97,32 +93,32 @@ class AwsBatchJobSpec extends TestKitSuite with FlatSpecLike with Matchers with
     |(
     |  cd /cromwell_root
     |  sync
-
-
+    |
+    |
     |)
     |mv /cromwell_root/hello-rc.txt.tmp /cromwell_root/hello-rc.txt"""
 
     val boundary = "d283898f11be0dee6f9ac01470450bee"
     val expectedscript = script.concat(s"""
     |echo "MIME-Version: 1.0
-    |Content-Type: multipart/alternative; boundary="${boundary}"
-
-    |--${boundary}
+    |Content-Type: multipart/alternative; boundary="$boundary"
+    |
+    |--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="rc.txt"
     |"
     |cat /cromwell_root/hello-rc.txt
-    |echo "--${boundary}
+    |echo "--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="stdout.txt"
     |"
     |cat /cromwell_root/hello-stdout.log
-    |echo "--${boundary}
+    |echo "--$boundary
     |Content-Type: text/plain
     |Content-Disposition: attachment; filename="stderr.txt"
     |"
     |cat /cromwell_root/hello-stderr.log
-    |echo "--${boundary}--"
+    |echo "--$boundary--"
     |exit $$(cat /cromwell_root/hello-rc.txt)
     """).stripMargin
 
@@ -131,7 +127,11 @@ class AwsBatchJobSpec extends TestKitSuite with FlatSpecLike with Matchers with
       inputFileAsJson = Option(JsObject(SampleWdl.HelloWorld.rawInputs.safeMapValues(JsString.apply)).compactPrint)
     )
     val configuration = new AwsBatchConfiguration(AwsBatchBackendConfigurationDescriptor)
-    val workflowPaths = AwsBatchWorkflowPaths(workFlowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)(system)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      workFlowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
 
     val call = workFlowDescriptor.callable.taskCallNodes.head
     val jobKey = BackendJobDescriptorKey(call, None, 1)
diff --git a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPathsSpec.scala b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPathsSpec.scala
index 748a77ecba7..77b84616ec5 100644
--- a/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPathsSpec.scala
+++ b/supportedBackends/aws/src/test/scala/cromwell/backend/impl/aws/AwsBatchWorkflowPathsSpec.scala
@@ -31,7 +31,7 @@
 
 package cromwell.backend.impl.aws
 
-import software.amazon.awssdk.core.auth.AnonymousCredentialsProvider
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider
 import common.collections.EnhancedCollections._
 import cromwell.backend.BackendSpec
 // import cromwell.cloudsupport.aws.auth.AwsBatchAuthModeSpec
@@ -57,7 +57,11 @@ class AwsBatchWorkflowPathsSpec extends TestKitSuite with FlatSpecLike with Matc
     )
     val configuration = new AwsBatchConfiguration(AwsBatchBackendConfigurationDescriptor)
 
-    val workflowPaths = AwsBatchWorkflowPaths(workflowDescriptor, AnonymousCredentialsProvider.create.getCredentials, configuration)(system)
+    val workflowPaths = AwsBatchWorkflowPaths(
+      workflowDescriptor,
+      AnonymousCredentialsProvider.create.resolveCredentials(),
+      configuration
+    )
     workflowPaths.executionRoot.pathAsString should be("s3://my-cromwell-workflows-bucket/")
     workflowPaths.workflowRoot.pathAsString should
       be(s"s3://my-cromwell-workflows-bucket/wf_hello/${workflowDescriptor.id}/")
diff --git a/supportedBackends/google/pipelines/v1alpha2/src/test/scala/cromwell/backend/google/pipelines/v1alpha2/PipelinesApiInitializationActorSpec.scala b/supportedBackends/google/pipelines/v1alpha2/src/test/scala/cromwell/backend/google/pipelines/v1alpha2/PipelinesApiInitializationActorSpec.scala
index d7833d45f07..6517a1aae77 100644
--- a/supportedBackends/google/pipelines/v1alpha2/src/test/scala/cromwell/backend/google/pipelines/v1alpha2/PipelinesApiInitializationActorSpec.scala
+++ b/supportedBackends/google/pipelines/v1alpha2/src/test/scala/cromwell/backend/google/pipelines/v1alpha2/PipelinesApiInitializationActorSpec.scala
@@ -196,7 +196,7 @@ class PipelinesApiInitializationActorSpec extends TestKitSuite("PipelinesApiInit
       restrictMetadataAccess = false
     )
     authJsonOption shouldNot be(empty)
-    authJsonOption.get should be(
+    normalize(authJsonOption.get) should be(
       normalize(
         """
           |{
@@ -229,7 +229,7 @@ class PipelinesApiInitializationActorSpec extends TestKitSuite("PipelinesApiInit
       restrictMetadataAccess = true
     )
     authJsonOption shouldNot be(empty)
-    authJsonOption.get should be(
+    normalize(authJsonOption.get) should be(
       normalize(
         """
           |{