Fix precedence of credential sources #1378
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Don't load AWS environment variables ourselves as this is implemented in AWS's LoadDefaultConfig method already where it has the correct preference to use the named profile over any environment variables. We don't currently have any good facility to test the various difference configuration variations. We might also be able to remove the custom checking for AWS_REGION, AWS_DEFAULT_REGION and AWS_SHARED_CREDENTIALS_FILE for the same reason, but this will require further manual testing.
danielrbradley
added
the
impact/no-changelog-required
Does the PR have any schema changes?Looking good! No breaking changes found. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #1378 +/- ##
=======================================
Coverage 22.71% 22.71%
=======================================
Files 25 25
Lines 4226 4226
=======================================
Hits 960 960
Misses 3105 3105
Partials 161 161 ☔ View full report in Codecov by Sentry. |
mjeffryes
approved these changes
Feb 28, 2024
mjeffryes
added
impact/changelog
and removed
impact/no-changelog-required
…1191-prefer-config-profile-over-env
thomas11
approved these changes
Feb 29, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When both environment variables such as
AWS_ACCESS_KEY_IDare present, and a profile is set explicitly in provider configuration, we will now choose the explict provider configuration.Don't load AWS environment variables ourselves as this is implemented in AWS's LoadDefaultConfig method already where it has the correct preference to use the named profile over any environment variables. This precidence is defined here: https://github.com/aws/aws-sdk-go-v2/blob/58cf6509525a12d64fd826da883bfdbacbd2f00e/config/resolve_credentials.go#L102-L134
When we were parsing the access key environment variables ourselves, it appeared to AWS's library that these were not just in the environment, but specified manually by us alongside the profile. When the profile is defined alongside an explicit access key, the profile is ignored. However, if only the profile is specified by the user, but access keys are available ambiently via the environment, the profile will be used instead.
We don't currently have any good facility to test the various difference configuration variations so have tested this manually by altering local configuration.
We might also be able to remove the custom checking for AWS_REGION, AWS_DEFAULT_REGION and AWS_SHARED_CREDENTIALS_FILE for the same reason, but this will require further manual testing.
Fixes #1191