feat: enable opt-in legacy authentication flow (#595)

* feat: enable opt-in legacy authentication flow * chore: prefer warning diags
hashicorp · Aug 14, 2023 · 2c505f6 · 2c505f6
1 parent 9da7acd
commit 2c505f6
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 2 deletions.
diff --git a/aws_config_test.go b/aws_config_test.go
@@ -995,6 +995,61 @@ aws_secret_access_key = ProfileSharedCredentialsSecretKey
 [some-profile]
 aws_access_key_id = DefaultSharedCredentialsAccessKey
 aws_secret_access_key = DefaultSharedCredentialsSecretKey
+`,
+		},
+		{
+			Config: &Config{
+				Profile: "SharedCredentialsProfile",
+				Region:  "us-east-1",
+			},
+			Description: "environment AWS_ACCESS_KEY_ID does not override config Profile",
+			EnvironmentVariables: map[string]string{
+				"AWS_ACCESS_KEY_ID":     servicemocks.MockEnvAccessKey,
+				"AWS_SECRET_ACCESS_KEY": servicemocks.MockEnvSecretKey,
+			},
+			ExpectedCredentialsValue: aws.Credentials{
+				AccessKeyID:     "ProfileSharedCredentialsAccessKey",
+				SecretAccessKey: "ProfileSharedCredentialsSecretKey",
+				Source:          sharedConfigCredentialsProvider,
+			},
+			ExpectedRegion: "us-east-1",
+			MockStsEndpoints: []*servicemocks.MockEndpoint{
+				servicemocks.MockStsGetCallerIdentityValidEndpoint,
+			},
+			SharedCredentialsFile: `
+[default]
+aws_access_key_id = DefaultSharedCredentialsAccessKey
+aws_secret_access_key = DefaultSharedCredentialsSecretKey
+
+[SharedCredentialsProfile]
+aws_access_key_id = ProfileSharedCredentialsAccessKey
+aws_secret_access_key = ProfileSharedCredentialsSecretKey
+`,
+		},
+		{
+			Config: &Config{
+				Profile:           "SharedCredentialsProfile",
+				Region:            "us-east-1",
+				UseLegacyWorkflow: true,
+			},
+			Description: "environment AWS_ACCESS_KEY_ID overrides config Profile in legacy workflow",
+			EnvironmentVariables: map[string]string{
+				"AWS_ACCESS_KEY_ID":     servicemocks.MockEnvAccessKey,
+				"AWS_SECRET_ACCESS_KEY": servicemocks.MockEnvSecretKey,
+			},
+			ExpectedCredentialsValue: mockdata.MockEnvCredentials,
+			ExpectedRegion:           "us-east-1",
+			MockStsEndpoints: []*servicemocks.MockEndpoint{
+				servicemocks.MockStsGetCallerIdentityValidEndpoint,
+			},
+			SharedCredentialsFile: `
+[default]
+aws_access_key_id = DefaultSharedCredentialsAccessKey
+aws_secret_access_key = DefaultSharedCredentialsSecretKey
+
+[SharedCredentialsProfile]
+aws_access_key_id = ProfileSharedCredentialsAccessKey
+aws_secret_access_key = ProfileSharedCredentialsSecretKey
 `,
 		},
 	}

diff --git a/credentials.go b/credentials.go
@@ -45,8 +45,17 @@ func getCredentialsProvider(ctx context.Context, c *Config) (aws.CredentialsProv
 	}
 
 	if c.Profile != "" && os.Getenv("AWS_ACCESS_KEY_ID") != "" && os.Getenv("AWS_SECRET_ACCESS_KEY") != "" {
-		logger.Warn(ctx, `A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
-			"The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.")
+		if c.UseLegacyWorkflow {
+			diags.AddWarning("Configuration conflict overridden",
+				`A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
+					`The legacy workflow is enabled, so the Profile will be ignored in favor of the environment variable credentials. `+
+					`This behavior may be removed in the future.`)
+			c.Profile = ""
+		} else {
+			diags.AddWarning("Configuration conflict detected",
+				`A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
+					`The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.`)
+		}
 	}
 
 	// The default AWS SDK authentication flow silently ignores invalid Profiles. Pre-validate that the Profile exists

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -48,6 +48,7 @@ type Config struct {
 	Token                          string
 	UseDualStackEndpoint           bool
 	UseFIPSEndpoint                bool
+	UseLegacyWorkflow              bool
 	UserAgent                      UserAgentProducts
 }