fix: Fixing role assumption when env creds aren't fetched from auth provider

yhakbar · yhakbar · commit f7ac00d9a79e · 2025-09-03T15:37:56.000-04:00
diff --git a/internal/awshelper/config.go b/internal/awshelper/config.go
@@ -121,17 +121,22 @@ func CreateAwsConfig(
 		return aws.Config{}, errors.Errorf("Error loading AWS config: %w", err)
 	}
 
-	iamRoleOptions := getMergedIAMRoleOptions(awsCfg, opts)
-	if iamRoleOptions.RoleARN != "" {
-		if iamRoleOptions.WebIdentityToken != "" {
-			l.Debugf("Assuming role %s using WebIdentity token", iamRoleOptions.RoleARN)
-
-			cfg.Credentials = getWebIdentityCredentialsFromIAMRoleOptions(cfg, iamRoleOptions)
-		} else {
-			l.Debugf("Assuming role %s", iamRoleOptions.RoleARN)
-
-			cfg.Credentials = getSTSCredentialsFromIAMRoleOptions(cfg, iamRoleOptions, getExternalID(awsCfg))
+	envCreds := createCredentialsFromEnv(opts)
+	if envCreds == nil {
+		iamRoleOptions := getMergedIAMRoleOptions(awsCfg, opts)
+		if iamRoleOptions.RoleARN != "" {
+			if iamRoleOptions.WebIdentityToken != "" {
+				l.Debugf("Assuming role %s using WebIdentity token", iamRoleOptions.RoleARN)
+
+				cfg.Credentials = getWebIdentityCredentialsFromIAMRoleOptions(cfg, iamRoleOptions)
+			} else {
+				l.Debugf("Assuming role %s", iamRoleOptions.RoleARN)
+
+				cfg.Credentials = getSTSCredentialsFromIAMRoleOptions(cfg, iamRoleOptions, getExternalID(awsCfg))
+			}
 		}
+	} else {
+		l.Debugf("Skipping role assumption as credentials are already available from auth provider command")
 	}
 
 	return cfg, nil
