From 262e4f3c639311ab8900bee9234acd1251f96e64 Mon Sep 17 00:00:00 2001
From: Jason Del Ponte
Date: Wed, 17 Jul 2019 16:41:45 -0700
Subject: [PATCH] aws/session: Fix SDK AWS_PROFILE and static environment credential behavior (#2694)

Fixes the SDK's behavior when determining the source of credentials to load. Previously the SDK would ignore the AWS_PROFILE environment, if static environment credentials were also specified. If both AWS_PROFILE and static environment credentials are defined, the SDK will load any credentials from the shared config/credentials file for the AWS_PROFILE first. Only if there are no credentials defined in the shared config/credentials file will the SDK use the static environment credentials instead.
---
 CHANGELOG_PENDING.md | 3 +++
 aws/session/credentials.go | 7 +++----
 aws/session/session_test.go | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
index ab74ef5108c..6b65c25efba 100644
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -5,3 +5,6 @@
 ### SDK Enhancements
 ### SDK Bugs
+* `aws/session`: Fix SDK AWS_PROFILE and static environment credential behavior ()
+ * Fixes the SDK's behavior when determining the source of credentials to load. Previously the SDK would ignore the AWS_PROFILE environment, if static environment credentials were also specified.
+ * If both AWS_PROFILE and static environment credentials are defined, the SDK will load any credentials from the shared config/credentials file for the AWS_PROFILE first. Only if there are no credentials defined in the shared config/credentials file will the SDK use the static environment credentials instead.
diff --git a/aws/session/credentials.go b/aws/session/credentials.go
index aa6fa7c13da..9c6fbfa77ce 100644
--- a/aws/session/credentials.go
+++ b/aws/session/credentials.go
@@ -19,12 +19,11 @@ func resolveCredentials(cfg *aws.Config,
 handlers request.Handlers,
 sessOpts Options,
 ) (*credentials.Credentials, error) {
- // The resolveCredentials order of resolving credentials is wrong. It
- // ignores the customer's provided profile if ENV credentials are also
- // provided.
 switch {
- case len(sharedCfg.RoleARN) != 0 && len(sharedCfg.CredentialSource) != 0:
+ case len(envCfg.Profile) != 0:
+ // User explicitly provided an Profile, so load from shared config
+ // first.
 return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
 case envCfg.Creds.HasKeys():
diff --git a/aws/session/session_test.go b/aws/session/session_test.go
index 8a6b535e4e6..e06cfdb94b6 100644
--- a/aws/session/session_test.go
+++ b/aws/session/session_test.go
@@ -347,9 +347,9 @@ func TestNewSessionWithOptions_Overrides(t *testing.T) {
 InProfile: "full_profile",
 OutRegion: "env_region",
 OutCreds: credentials.Value{
- AccessKeyID: "env_akid",
- SecretAccessKey: "env_secret",
- ProviderName: "EnvConfigCredentials",
+ AccessKeyID: "full_profile_akid",
+ SecretAccessKey: "full_profile_secret",
+ ProviderName: "SharedConfigCredentials",
 },
 },
 {
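Review bot: In `resolveCredentials` (aws/session/credentials.go), dropping the `len(sharedCfg.RoleARN) != 0 && len(sharedCfg.CredentialSource) != 0` case changes more than the AWS_PROFILE behaviour the description covers. When `envCfg.Profile` is empty, a shared config that sets both fields now appears to fall through to `case envCfg.Creds.HasKeys():`, so the process would run as the static environment identity rather than the assumed role. Whether `envCfg.Profile` can be empty here depends on code outside the hunk (the switch also continues past it), so this should be confirmed and, if intended, stated in the changelog and pinned with a `TestNewSessionWithOptions_Overrides` case beside the one updated in session_test.go. Because this switch decides which principal the process ends up with, the new comment should spell out the whole order, e.g. `// Precedence: explicit profile (shared config) first, then static env credentials, then the remaining cases.`, and say that the env-credential fallback for a profile without credentials is presumably handled inside `resolveCredsFromProfile`. Minor: "an Profile" should read "a profile".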