Honor explicit profile in client when credentials from AWS_ environment variables are present

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,7 @@
 Unreleased Changes
 ------------------
 
+* Issue - Honor explicit profile in client config when credentials from AWS_ environment variables are present
 * Issue - Fixed a bug where `Transfer-Encoding` could never be set to `chunked` in streaming operations because all body objects (`String`, `StringIO`) would respond to `#size`.
 
 3.89.1 (2020-01-14)

gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb

@@ -1,7 +1,6 @@
 module Aws
   # @api private
   class CredentialProviderChain
-
     def initialize(config = nil)
       @config = config
     end
@@ -20,16 +19,16 @@ def resolve
     def providers
       [
         [:static_credentials, {}],
+        [:static_profile_assume_role_web_identity_credentials, {}],
+        [:static_profile_assume_role_credentials, {}],
+        [:static_profile_credentials, {}],
+        [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
         [:process_credentials, {}],
-        [:instance_profile_credentials, {
-          retries: @config ? @config.instance_profile_credentials_retries : 0,
-          http_open_timeout: @config ? @config.instance_profile_credentials_timeout : 1,
-          http_read_timeout: @config ? @config.instance_profile_credentials_timeout : 1,
-        }],
+        [:instance_profile_credentials, {}]
       ]
     end
 
@@ -38,24 +37,50 @@ def static_credentials(options)
         Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
-          options[:config].session_token)
-      else
-        nil
+          options[:config].session_token
+        )
+      end
+    end
+
+    def static_profile_assume_role_web_identity_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.assume_role_web_identity_credentials_from_config(options[:config].profile)
+      end
+    end
+
+    def static_profile_assume_role_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        assume_role_with_profile(options, options[:config].profile)
+      end
+    end
+
+    def static_profile_credentials(options)
+      if options[:config] && options[:config].profile
+        SharedCredentials.new(profile_name: options[:config].profile)
       end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def static_profile_process_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        process_provider = Aws.shared_config.credentials_process(options[:config].profile)
+        ProcessCredentials.new(process_provider) if process_provider
+      end
+    rescue Errors::NoSuchProfileError
+      nil
     end
 
-    def env_credentials(options)
-      key =    %w(AWS_ACCESS_KEY_ID     AMAZON_ACCESS_KEY_ID     AWS_ACCESS_KEY)
+    def env_credentials(_options)
+      key =    %w(AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY)
       secret = %w(AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY)
-      token =  %w(AWS_SESSION_TOKEN     AMAZON_SESSION_TOKEN)
+      token =  %w(AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN)
       Credentials.new(envar(key), envar(secret), envar(token))
     end
 
     def envar(keys)
       keys.each do |key|
-        if ENV.key?(key)
-          return ENV[key]
-        end
+        return ENV[key] if ENV.key?(key)
       end
       nil
     end
@@ -72,28 +97,22 @@ def shared_credentials(options)
     end
 
     def process_credentials(options)
-      config = Aws.shared_config
       profile_name = determine_profile_name(options)
-      if config.config_enabled? && process_provider = config.credentials_process(profile_name)
+      if Aws.shared_config.config_enabled? && process_provider = Aws.shared_config.credentials_process(profile_name)
         ProcessCredentials.new(process_provider)
-      else
-        nil
       end
     rescue Errors::NoSuchProfileError
       nil
     end
 
     def assume_role_credentials(options)
       if Aws.shared_config.config_enabled?
-        assume_role_with_profile(options)
-      else
-        nil
+        assume_role_with_profile(options, determine_profile_name(options))
       end
     end
 
     def assume_role_web_identity_credentials(options)
-      if (role_arn = ENV['AWS_ROLE_ARN']) &&
-        (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE'])
+      if (role_arn = ENV['AWS_ROLE_ARN']) && (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE'])
         AssumeRoleWebIdentityCredentials.new(
           role_arn: role_arn,
           web_identity_token_file: token_file,
@@ -102,28 +121,24 @@ def assume_role_web_identity_credentials(options)
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(profile)
-      else
-        nil
       end
     end
 
     def instance_profile_credentials(options)
-      if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
+      if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
         ECSCredentials.new(options)
       else
         InstanceProfileCredentials.new(options)
       end
     end
 
-    def assume_role_with_profile(options)
-      profile_name = determine_profile_name(options)
+    def assume_role_with_profile(options, profile_name)
       region = (options[:config] && options[:config].region)
       Aws.shared_config.assume_role_credentials_from_config(
         profile: profile_name,
         region: region,
         chain_config: @config
       )
     end
-
   end
 end