diff --git a/aws_config_test.go b/aws_config_test.go
index fb41c7b4..9a89f6fd 100644
--- a/aws_config_test.go
+++ b/aws_config_test.go
@@ -995,6 +995,61 @@ aws_secret_access_key = ProfileSharedCredentialsSecretKey
 [some-profile]
 aws_access_key_id = DefaultSharedCredentialsAccessKey
 aws_secret_access_key = DefaultSharedCredentialsSecretKey
+`,
+ },
+ {
+ Config: &Config{
+ Profile: "SharedCredentialsProfile",
+ Region: "us-east-1",
+ },
+ Description: "environment AWS_ACCESS_KEY_ID does not override config Profile",
+ EnvironmentVariables: map[string]string{
+ "AWS_ACCESS_KEY_ID": servicemocks.MockEnvAccessKey,
+ "AWS_SECRET_ACCESS_KEY": servicemocks.MockEnvSecretKey,
+ },
+ ExpectedCredentialsValue: aws.Credentials{
+ AccessKeyID: "ProfileSharedCredentialsAccessKey",
+ SecretAccessKey: "ProfileSharedCredentialsSecretKey",
+ Source: sharedConfigCredentialsProvider,
+ },
+ ExpectedRegion: "us-east-1",
+ MockStsEndpoints: []*servicemocks.MockEndpoint{
+ servicemocks.MockStsGetCallerIdentityValidEndpoint,
+ },
+ SharedCredentialsFile: `
+[default]
+aws_access_key_id = DefaultSharedCredentialsAccessKey
+aws_secret_access_key = DefaultSharedCredentialsSecretKey
+
+[SharedCredentialsProfile]
+aws_access_key_id = ProfileSharedCredentialsAccessKey
+aws_secret_access_key = ProfileSharedCredentialsSecretKey
+`,
+ },
+ {
+ Config: &Config{
+ Profile: "SharedCredentialsProfile",
+ Region: "us-east-1",
+ UseLegacyWorkflow: true,
+ },
+ Description: "environment AWS_ACCESS_KEY_ID overrides config Profile in legacy workflow",
+ EnvironmentVariables: map[string]string{
+ "AWS_ACCESS_KEY_ID": servicemocks.MockEnvAccessKey,
+ "AWS_SECRET_ACCESS_KEY": servicemocks.MockEnvSecretKey,
+ },
+ ExpectedCredentialsValue: mockdata.MockEnvCredentials,
+ ExpectedRegion: "us-east-1",
+ MockStsEndpoints: []*servicemocks.MockEndpoint{
+ servicemocks.MockStsGetCallerIdentityValidEndpoint,
+ },
+ SharedCredentialsFile: `
+[default]
+aws_access_key_id = DefaultSharedCredentialsAccessKey
+aws_secret_access_key = DefaultSharedCredentialsSecretKey
+
+[SharedCredentialsProfile]
+aws_access_key_id = ProfileSharedCredentialsAccessKey
+aws_secret_access_key = ProfileSharedCredentialsSecretKey
 `,
 },
 }
diff --git a/credentials.go b/credentials.go
index 8a033cd8..1ed55f32 100644
--- a/credentials.go
+++ b/credentials.go
@@ -45,8 +45,17 @@ func getCredentialsProvider(ctx context.Context, c *Config) (aws.CredentialsProv
 }
 if c.Profile != "" && os.Getenv("AWS_ACCESS_KEY_ID") != "" && os.Getenv("AWS_SECRET_ACCESS_KEY") != "" {
- logger.Warn(ctx, `A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
- "The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.")
+ if c.UseLegacyWorkflow {
+ diags.AddWarning("Configuration conflict overridden",
+ `A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
+ `The legacy workflow is enabled, so the Profile will be ignored in favor of the environment variable credentials. `+
+ `This behavior may be removed in the future.`)
+ c.Profile = ""
+ } else {
+ diags.AddWarning("Configuration conflict detected",
+ `A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". `+
+ `The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.`)
+ }
 }
 // The default AWS SDK authentication flow silently ignores invalid Profiles. Pre-validate that the Profile exists
diff --git a/internal/config/config.go b/internal/config/config.go
index 80aacde8..fc2accea 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -48,6 +48,7 @@ type Config struct {
 Token string
 UseDualStackEndpoint bool
 UseFIPSEndpoint bool
+ UseLegacyWorkflow bool
 UserAgent UserAgentProducts
 }
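Review bot: Both new table entries assert only the resolved credentials, so the two warnings that tell the operator which identity was chosen ("Configuration conflict detected" and "Configuration conflict overridden") are not covered. If the test table has a field for expected diagnostics (the struct definition is outside this hunk), each case should set it so a regression that drops the warning fails the test. The legacy case would also be stronger if it checked that the named profile was not consulted at all, rather than only that the environment keys came out.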
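Review bot: `c.Profile = ""` in the legacy branch rewrites the caller-owned Config in place, so every later reader sees an empty profile instead of the one the user configured. That appears to include the profile pre-validation announced by the trailing comment, and any code outside this hunk that reads c.Profile. If the mutation is intended, state it at the assignment, e.g. `// Legacy workflow: clear Profile so environment credentials win; c.Profile stays empty for the caller.`; otherwise resolve into a local variable and leave c untouched. The function starts and ends outside the hunk, so where `diags` is declared and whether it is returned on every path is not visible. Since these warnings replace the previous `logger.Warn` as the only signal of which credential source is in effect, confirm they are not lost on early error returns.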
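Review bot: The new `UseLegacyWorkflow` field changes credential precedence but carries no comment, and its name does not say what "legacy" means. Going by the credentials.go hunk, something like `// UseLegacyWorkflow makes AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY take precedence over Profile when both are set.` would document the behaviour where callers will look for it. The Config struct begins outside this hunk, so whether sibling fields are documented in the same way is not visible here.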