fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro...

[Br1an67]

Fixes #4679

Problem Statement

When using AWS generators (STSSessionToken, ECRAuthorizationToken) with explicit credentials via secretRef or JWT authentication (IRSA), the AWS SDK's default credential chain was still being loaded. This chain includes the EC2 Instance Metadata Service (IMDS), which could provide conflicting credentials when running on EC2 instances.

This caused issues where the EC2 IMDS credentials would be used instead of the explicitly configured credentials, leading to errors like AccessDenied: Cannot call GetSessionToken with session credentials.

Related Issue

Fixes #4679

Proposed Changes

Modified NewGeneratorSession in providers/v1/aws/auth/auth.go to use config.WithCredentialsProvider during config loading instead of setting awscfg.Credentials after loading.

This change ensures that when explicit credentials are provided (via secretRef or JWT auth), the EC2 IMDS is not consulted as part of the credential chain. The credentials provider is now passed during the LoadDefaultConfig call, which prevents the default credential chain from being used.

Before:

awscfg, err := config.LoadDefaultConfig(ctx)
if credsProvider != nil {
    awscfg.Credentials = credsProvider
}

After:

var loadCfgOpts []func(*config.LoadOptions) error
if credsProvider != nil {
    loadCfgOpts = append(loadCfgOpts, config.WithCredentialsProvider(credsProvider))
}
awscfg, err := config.LoadDefaultConfig(ctx, loadCfgOpts...)

This approach is consistent with how the New function (used for SecretStores) handles credentials.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Testing

All existing tests pass:

• TestNewGeneratorSession_DefaultCredentialChain
• TestNewGeneratorSession_CredentialProviderPriority
• TestNewGeneratorSession_OnlySecretRef
• TestNewGeneratorSession_RegionConfiguration
• TestNewGeneratorSession_AssumeRoleWithDefaultCredentials
• STS generator tests
• ECR generator tests

Changes

providers/v1/aws/auth/auth.go — NewGeneratorSession function

Modified credential and region handling to pass explicit credentials and region into config.LoadDefaultConfig via config.WithCredentialsProvider and config.WithRegion instead of loading the default config and mutating it afterward. This prevents the AWS SDK default credential chain (including EC2 IMDS) from being consulted when explicit credentials are provided (secretRef or JWT/IRSA), avoiding conflicts such as "AccessDenied: Cannot call GetSessionToken with session credentials". Behavior now matches the New function used for SecretStores. Tests reported by the author continue to pass.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 808bd71f-54f3-4f82-97a1-50a9bb3bb5df

📥 Commits

Reviewing files that changed from the base of the PR and between 3780ddb and 85dad71.

📒 Files selected for processing (1)

• providers/v1/aws/auth/auth.go

🚧 Files skipped from review as they are similar to previous changes (1)

• providers/v1/aws/auth/auth.go

---

Walkthrough

NewGeneratorSession now builds a list of LoadDefaultConfig options (e.g., WithCredentialsProvider, WithRegion) based on provided inputs and calls awsconfig.LoadDefaultConfig with those options instead of mutating the returned config after loading.

Changes

Cohort / File(s)	Summary
AWS Config Loading Refactor providers/v1/aws/auth/auth.go	Replaces post-load config field assignments with pre-load option construction. When credentials or region are provided, corresponding WithCredentialsProvider and WithRegion options are added and passed into LoadDefaultConfig. Error handling remains unchanged.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR directly addresses the root cause identified in issue #4679 by modifying NewGeneratorSession to supply credentials during config.LoadDefaultConfig instead of post-load assignment, preventing IMDS fallback when explicit credentials are provided.
Out of Scope Changes check	✅ Passed	The PR contains only targeted changes to the AWS auth module's NewGeneratorSession function aligned with issue #4679; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can validate your CodeRabbit configuration file in your editor.

If your editor has YAML language server, you can enable auto-completion and validation by adding # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json at the top of your CodeRabbit configuration file.

[Skarlso]

@Br1an67 Thank you for your pr! Please sign your commit with commit -s. :)

[Skarlso]

/ok-to-test sha=3780ddb809d1aa0d52b7c040fb06ae948a4f1cc9

[eso-service-account-app]

[Bot] - ✅ e2e for 3780ddb809d1aa0d52b7c040fb06ae948a4f1cc9 passed

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud