secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration (#29982)

vinay-gopalan · web-flow · commit a5d9a1552c13 · 2025-03-25T10:37:11.000-07:00
diff --git a/builtin/logical/aws/client.go b/builtin/logical/aws/client.go
@@ -97,6 +97,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 		}
 	}
 
+	opts := make([]awsutil.Option, 0)
 	if config.IdentityTokenAudience != "" {
 		ns, err := namespace.FromContext(ctx)
 		if err != nil {
@@ -115,6 +116,10 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 		credsConfig.RoleSessionName = fmt.Sprintf("vault-aws-secrets-%s", sessionSuffix)
 		credsConfig.WebIdentityTokenFetcher = fetcher
 		credsConfig.RoleARN = config.RoleARN
+
+		// explicitly disable environment and shared credential providers when using Web Identity Token Fetcher
+		// enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases
+		opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))
 	}
 
 	if len(regions) == 0 {
@@ -132,7 +137,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 		} else {
 			credsConfig.Region = fallbackRegion
 		}
-		creds, err := credsConfig.GenerateCredentialChain()
+		creds, err := credsConfig.GenerateCredentialChain(opts...)
 		if err != nil {
 			return nil, err
 		}
diff --git a/changelog/29982.txt b/changelog/29982.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration
+```

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT`
`97`	`97`	`}`
`98`	`98`	`}`
`99`	`99`
	`100`	`+ opts := make([]awsutil.Option, 0)`
`100`	`101`	`if config.IdentityTokenAudience != "" {`
`101`	`102`	`ns, err := namespace.FromContext(ctx)`
`102`	`103`	`if err != nil {`
`@@ -115,6 +116,10 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT`
`115`	`116`	`credsConfig.RoleSessionName = fmt.Sprintf("vault-aws-secrets-%s", sessionSuffix)`
`116`	`117`	`credsConfig.WebIdentityTokenFetcher = fetcher`
`117`	`118`	`credsConfig.RoleARN = config.RoleARN`
	`119`	`+`
	`120`	`+ // explicitly disable environment and shared credential providers when using Web Identity Token Fetcher`
	`121`	`+ // enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases`
	`122`	`+ opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))`
`118`	`123`	`}`
`119`	`124`
`120`	`125`	`if len(regions) == 0 {`
`@@ -132,7 +137,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT`
`132`	`137`	`} else {`
`133`	`138`	`credsConfig.Region = fallbackRegion`
`134`	`139`	`}`
`135`		`- creds, err := credsConfig.GenerateCredentialChain()`
	`140`	`+ creds, err := credsConfig.GenerateCredentialChain(opts...)`
`136`	`141`	`if err != nil {`
`137`	`142`	`return nil, err`
`138`	`143`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration`
	`3`	+```