From dc9a9e76147411700385804a0839e5366a4c7072 Mon Sep 17 00:00:00 2001
From: Vinay Gopalan
Date: Thu, 20 Mar 2025 14:46:44 -0700
Subject: [PATCH 1/3] disable environment and shared credentials when using WIF

---
 builtin/logical/aws/client.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/builtin/logical/aws/client.go b/builtin/logical/aws/client.go
index d80e2940689f..9c600673d676 100644
--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -97,6 +97,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 }
 }
 
+opts := make([]awsutil.Option, 0)
 if config.IdentityTokenAudience != "" {
 ns, err := namespace.FromContext(ctx)
 if err != nil {
@@ -115,6 +116,10 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 credsConfig.RoleSessionName = fmt.Sprintf("vault-aws-secrets-%s", sessionSuffix)
 credsConfig.WebIdentityTokenFetcher = fetcher
 credsConfig.RoleARN = config.RoleARN
+
+// explicitly disable environment and shared credential providers when using Web Identity Token Fetcher
+// enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases
+opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))
 }
 
 if len(regions) == 0 {
@@ -132,7 +137,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 } else {
 credsConfig.Region = fallbackRegion
 }
-creds, err := credsConfig.GenerateCredentialChain()
+creds, err := credsConfig.GenerateCredentialChain(opts...)
 if err != nil {
 return nil, err
 }

From 97561088a3b688155197e187c48cbfe086e8ce16 Mon Sep 17 00:00:00 2001
From: Vinay Gopalan
Date: Thu, 20 Mar 2025 14:50:26 -0700
Subject: [PATCH 2/3] add changelog

---
 changelog/29982.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/29982.txt
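Review bot: The WIF-only scoping of the new options is easy to miss from the third hunk, where `opts...` is passed unconditionally; the append that disables the environment and shared-credential providers sits inside the `config.IdentityTokenAudience != ""` branch (second hunk), so non-WIF root configs keep the previous provider chain, and a short comment at the call site, `// opts is empty unless WIF is configured; other configs keep the default chain`, would make that contract explicit. On style, `opts := make([]awsutil.Option, 0)` in the first hunk allocates an empty slice where the idiomatic nil declaration `var opts []awsutil.Option` behaves identically under `append` and `opts...`. Since the fix is about which provider wins when several are present, a unit test asserting that a WIF-configured root config yields a chain without the environment and shared providers, while a static-key config still includes them, would keep a later refactor from quietly restoring the override; I cannot tell from this series whether such a test exists. getRootConfigs begins and ends outside these hunks, so the closing brace in the second hunk is presumed to end the WIF branch.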
diff --git a/changelog/29982.txt b/changelog/29982.txt
new file mode 100644
index 000000000000..a5a5be624234
--- /dev/null
+++ b/changelog/29982.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: explicitly disable environment and shared credential providers when using WIF
+```
\ No newline at end of file

From e429eadd9459368323687c74b9d55ccbf187ee52 Mon Sep 17 00:00:00 2001
From: Vinay Gopalan
Date: Mon, 24 Mar 2025 10:16:22 -0700
Subject: [PATCH 3/3] update changelog based on feeedback

---
 changelog/29982.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/29982.txt b/changelog/29982.txt
index a5a5be624234..ee4e2f7ef31c 100644
--- a/changelog/29982.txt
+++ b/changelog/29982.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-secrets/aws: explicitly disable environment and shared credential providers when using WIF
+secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration
 ```
\ No newline at end of file