Fix precedence of credential sources (#1378)

When both environment variables such as `AWS_ACCESS_KEY_ID` are present, and a profile is set explicitly in provider configuration, we will now choose the explict provider configuration. Don't load AWS environment variables ourselves as this is implemented in AWS's LoadDefaultConfig method already where it has the correct preference to use the named profile over any environment variables. This precidence is defined here: https://github.com/aws/aws-sdk-go-v2/blob/58cf6509525a12d64fd826da883bfdbacbd2f00e/config/resolve_credentials.go#L102-L134 When we were parsing the access key environment variables ourselves, it appeared to AWS's library that these were not just in the environment, but specified manually by us alongside the profile. When the profile is defined alongside an explicit access key, the profile is ignored. However, if only the profile is specified by the user, but access keys are available ambiently via the environment, the profile will be used instead. We don't currently have any good facility to test the various difference configuration variations so have tested this manually by altering local configuration. We might also be able to remove the custom checking for AWS_REGION, AWS_DEFAULT_REGION and AWS_SHARED_CREDENTIALS_FILE for the same reason, but this will require further manual testing. Fixes #1191 --------- Co-authored-by: Ramon Quitales <ramon@pulumi.com>
pulumi · Feb 29, 2024 · 550eb8c · 550eb8c
1 parent 58c782c
commit 550eb8c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,13 +2,53 @@
 
 ## Unreleased
 
+## 0.98.0 (2024-02-29)
+
 - **BREAKING CHANGE**: [De-duplicate types for simple arrays of tags](https://github.com/pulumi/pulumi-aws-native/pull/1348)
   - See PR for a complete list of resources affected (512)
 - [Add types for 9 untyped properties](https://github.com/pulumi/pulumi-aws-native/pull/1365)
 - [Fix generating types for refs to map types](https://github.com/pulumi/pulumi-aws-native/pull/1363)
 - [Implement defaultTags configuration](https://github.com/pulumi/pulumi-aws-native/issues/1369)
+- [Fix precedence of credential sources](https://github.com/pulumi/pulumi-aws-native/pull/1378)
 - [Fix handling of write-only properties](https://github.com/pulumi/pulumi-aws-native/pull/1377)
 
+#### Resources
+- `🟢` "aws-native:customerprofiles:Domain": required inputs: "defaultExpirationDays" input has changed to Required
+- `🟢` "aws-native:customerprofiles:ObjectType": required inputs: "description" input has changed to Required
+- "aws-native:dynamodb:Table":
+    - `🟡` inputs: "resourcePolicy" missing
+    - `🟡` properties: "resourcePolicy" missing output "resourcePolicy"
+- `🟢` "aws-native:mediapackagev2:Channel": required inputs: "channelGroupName" input has changed to Required
+- "aws-native:mediapackagev2:ChannelPolicy": required inputs:
+    - `🟢` "channelGroupName" input has changed to Required
+    - `🟢` "channelName" input has changed to Required
+- "aws-native:mediapackagev2:OriginEndpoint":
+    - `🟢` required: "containerType" property is no longer Required
+    - required inputs:
+        - `🟢` "channelGroupName" input has changed to Required
+        - `🟢` "channelName" input has changed to Required
+- "aws-native:mediapackagev2:OriginEndpointPolicy": required inputs:
+    - `🟢` "channelGroupName" input has changed to Required
+    - `🟢` "channelName" input has changed to Required
+    - `🟢` "originEndpointName" input has changed to Required
+#### Types
+- `🔴` "aws-native:dynamodb:TableResourcePolicy" missing
+- `🟡` "aws-native:dynamodb:TableStreamSpecification": properties: "resourcePolicy" missing
+- `🟡` "aws-native:iottwinmaker:EntityProperty": properties: "definition" type changed from "#/types/aws-native:iottwinmaker:EntityPropertyDefinitionProperties" to "#/types/aws-native:iottwinmaker:EntityDefinition"
+- `🔴` "aws-native:iottwinmaker:EntityPropertyDefinitionProperties" missing
+
+#### New resources:
+
+- `controltower.EnabledBaseline`
+- `guardduty.Master`
+- `guardduty.Member`
+
+#### New functions:
+
+- `controltower.getEnabledBaseline`
+- `guardduty.getMember`
+<!-- thollander/actions-comment-pull-request "schemaCheck" -->
+
 ## 0.97.0 (2024-02-21)
 
 - [Fix types which are maps](https://github.com/pulumi/pulumi-aws-native/pull/1342)

diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -314,15 +314,17 @@ func (p *cfnProvider) Configure(ctx context.Context, req *pulumirpc.ConfigureReq
 		}
 	}
 
+	// Environment variables are checked by the AWS SDK by default as a fallback after explicitly defined config.
+	// See https://github.com/pulumi/pulumi-aws-native/pull/1378
 	var accessKey, secretKey, token string
 
-	if v, ok := varsOrEnv(vars, "aws-native:config:accessKey", "AWS_ACCESS_KEY_ID"); ok {
+	if v, ok := varsOrEnv(vars, "aws-native:config:accessKey"); ok {
 		accessKey = v
 	}
-	if v, ok := varsOrEnv(vars, "aws-native:config:secretKey", "AWS_SECRET_ACCESS_KEY"); ok {
+	if v, ok := varsOrEnv(vars, "aws-native:config:secretKey"); ok {
 		secretKey = v
 	}
-	if v, ok := varsOrEnv(vars, "aws-native:config:token", "AWS_SESSION_TOKEN"); ok {
+	if v, ok := varsOrEnv(vars, "aws-native:config:token"); ok {
 		token = v
 	}