Skip to content

Commit

Permalink
aws/session: Fix SDK AWS_PROFILE and static environment credential be…
Browse files Browse the repository at this point in the history
…havior (#2694)

Fixes the SDK's behavior when determining the source of credentials to
load. Previously the SDK would ignore the AWS_PROFILE environment, if
static environment credentials were also specified.

If both AWS_PROFILE and static environment credentials are defined, the
SDK will load any credentials from the shared config/credentials file
for the AWS_PROFILE first. Only if there are no credentials defined in
the shared config/credentials file will the SDK use the static
environment credentials instead.
  • Loading branch information
jasdel authored Jul 17, 2019
1 parent 2e1d76a commit 262e4f3
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 7 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG_PENDING.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,6 @@
### SDK Enhancements

### SDK Bugs
* `aws/session`: Fix SDK AWS_PROFILE and static environment credential behavior ()
* Fixes the SDK's behavior when determining the source of credentials to load. Previously the SDK would ignore the AWS_PROFILE environment, if static environment credentials were also specified.
* If both AWS_PROFILE and static environment credentials are defined, the SDK will load any credentials from the shared config/credentials file for the AWS_PROFILE first. Only if there are no credentials defined in the shared config/credentials file will the SDK use the static environment credentials instead.
7 changes: 3 additions & 4 deletions aws/session/credentials.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,11 @@ func resolveCredentials(cfg *aws.Config,
handlers request.Handlers,
sessOpts Options,
) (*credentials.Credentials, error) {
// The resolveCredentials order of resolving credentials is wrong. It
// ignores the customer's provided profile if ENV credentials are also
// provided.

switch {
case len(sharedCfg.RoleARN) != 0 && len(sharedCfg.CredentialSource) != 0:
case len(envCfg.Profile) != 0:
// User explicitly provided an Profile, so load from shared config
// first.
return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)

case envCfg.Creds.HasKeys():
Expand Down
6 changes: 3 additions & 3 deletions aws/session/session_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -347,9 +347,9 @@ func TestNewSessionWithOptions_Overrides(t *testing.T) {
InProfile: "full_profile",
OutRegion: "env_region",
OutCreds: credentials.Value{
AccessKeyID: "env_akid",
SecretAccessKey: "env_secret",
ProviderName: "EnvConfigCredentials",
AccessKeyID: "full_profile_akid",
SecretAccessKey: "full_profile_secret",
ProviderName: "SharedConfigCredentials",
},
},
{
Expand Down

0 comments on commit 262e4f3

Please sign in to comment.