Fix aws OIDC github login

[edwardrf]

Description

Write AWS_WEB_IDENTITY_TOKEN_FILE with github idtoken irrespective of if AWS_ROLE_ARN is present.

Linked Issues

fixes: #2831

Checklist

• I have performed a self-review of my code
• I have added appropriate tests
• I have updated the Defang CLI docs and/or README to reflect my changes, if necessary

Summary by CodeRabbit

• Bug Fixes

  • Default credential checks now detect and log invalid default credentials instead of silently ignoring them.
  • Web identity token handling improved: parent directories are created for token files and the GitHub-issued identity token is used when writing the token.

• Tests

  • Tests updated to use a single temporary directory and to adjust token persistence validation.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b93513c9-acb6-40e7-9244-f918d33d2cfe

📥 Commits

Reviewing files that changed from the base of the PR and between 7d2ae8b and a1643bb.

📒 Files selected for processing (3)

• src/pkg/clouds/aws/login.go
• src/pkg/login/login.go
• src/pkg/login/login_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• src/pkg/login/login.go
• src/pkg/login/login_test.go

---

📝 Walkthrough

Walkthrough

Aws.Authenticate now logs and proceeds when default credential testing fails; NonInteractiveGitHubLogin writes a web identity token file whenever AWS_WEB_IDENTITY_TOKEN_FILE is unset using the GitHub idToken; writeWebIdentityToken creates the parent directory (0700) before writing; tests use a single temp dir and expect a .jwt token filename.

Changes

Cohort / File(s)	Summary
AWS Credential Testing src/pkg/clouds/aws/login.go	Aws.Authenticate checks a.testCredentials(ctx, nil) result: on success it returns immediately; on error it logs the failure at debug level and continues to other auth flows instead of ignoring the error.
Web Identity Token Handling src/pkg/login/login.go	Non-interactive GitHub login now writes a web identity token file when AWS_WEB_IDENTITY_TOKEN_FILE is unset, using the GitHub idToken (not resp.AccessToken). writeWebIdentityToken ensures the parent directory exists via os.MkdirAll(..., 0700) and returns any directory-creation error before writing.
Tests / Token storage path src/pkg/login/login_test.go	Test TestNonInteractiveLogin now reuses a single t.TempDir() for client state and token store, and checks the persisted token file named client.TokenStorageName(fabric) + ".jwt".

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI/Client
    participant GH as GitHub (OIDC)
    participant Fabric as Fabric Auth Server
    participant FS as Filesystem
    participant AWS as AWS SDK

    CLI->>GH: Request OIDC idToken (non-interactive)
    GH-->>CLI: idToken
    CLI->>Fabric: Exchange idToken for Fabric access token
    Fabric-->>CLI: resp.AccessToken
    CLI->>FS: If AWS_WEB_IDENTITY_TOKEN_FILE unset -> ensure dir (0700), write idToken file
    CLI->>CLI: set AWS_WEB_IDENTITY_TOKEN_FILE & AWS_ROLE_SESSION_NAME env
    CLI->>AWS: Attempt AWS auth using web identity token (or fallback)
    AWS-->>CLI: Auth result (success or failure)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code at break of dawn,
Wrote idTokens on a dewy lawn,
Made folders snug with 0700 care,
Logged misfit creds and left them there,
🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix aws OIDC github login' directly reflects the main change: fixing AWS OIDC GitHub login by always writing the web identity token file with GitHub's idToken.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch edw/fix-aws-oidc

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

level=warning msg="[linters_context] running gomodguard failed: unable to read module file go.mod: current working directory must have a go.mod file: if you are not using go modules it is suggested to disable this linter"
level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/pkg/login/login.go`:
- Around line 95-97: The token is being requested with an empty audience which
yields GitHub's default aud and will be rejected by AWS; update the call that
fetches the OIDC token (the github.GetIdToken(...) invocation) to pass the
AWS-expected audience (e.g. "sts.amazonaws.com" or the configured audience)
instead of leaving it empty, and keep writing that token via
writeWebIdentityToken when AWS_WEB_IDENTITY_TOKEN_FILE is empty so
AssumeRoleWithWebIdentity receives a matching aud; ensure the audience string is
configurable or matches the value used in your AWS trust policy.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6715f826-d4d9-42f8-8ceb-a3b926d0ae4f

📥 Commits

Reviewing files that changed from the base of the PR and between fd71bb9 and 3ac2f2d.

📒 Files selected for processing (2)

• src/pkg/clouds/aws/login.go
• src/pkg/login/login.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/pkg/login/login_test.go (1)

117-121: ⚠️ Potential issue | 🔴 Critical

Pipeline failure: StateDir directory is not created before use.

The test sets client.StateDir to a path that includes a defang subdirectory, but this directory is never created. t.TempDir() only creates the base temp directory, not the nested path. When NonInteractiveGitHubLogin tries to write the web identity token file to this path, it fails with no such file or directory.

🐛 Proposed fix to create the directory

 		// use a prevStateDir dir for the token file
 		prevStateDir := client.StateDir
 		client.StateDir = filepath.Join(t.TempDir(), "defang")
+		if err := os.MkdirAll(client.StateDir, 0755); err != nil {
+			t.Fatalf("failed to create StateDir: %v", err)
+		}
 		originalTokenStore := client.TokenStore
 		client.TokenStore = &tokenstore.LocalDirTokenStore{Dir: t.TempDir()}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/pkg/login/login_test.go` around lines 117 - 121, The test fails because
client.StateDir is set to a nested path (filepath.Join(t.TempDir(), "defang"))
but the "defang" directory is never created before NonInteractiveGitHubLogin
writes the token file; fix by creating the directory (use os.MkdirAll) at
client.StateDir after setting it and before calling NonInteractiveGitHubLogin
(or adjust to use the plain t.TempDir() without nesting); also ensure
tokenstore.LocalDirTokenStore{Dir: t.TempDir()} points to an existing directory
or create it similarly so TokenStore writes succeed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/pkg/login/login_test.go`:
- Around line 117-121: The test fails because client.StateDir is set to a nested
path (filepath.Join(t.TempDir(), "defang")) but the "defang" directory is never
created before NonInteractiveGitHubLogin writes the token file; fix by creating
the directory (use os.MkdirAll) at client.StateDir after setting it and before
calling NonInteractiveGitHubLogin (or adjust to use the plain t.TempDir()
without nesting); also ensure tokenstore.LocalDirTokenStore{Dir: t.TempDir()}
points to an existing directory or create it similarly so TokenStore writes
succeed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b958cab6-f9eb-438b-86ba-16e4440a8f26

📥 Commits

Reviewing files that changed from the base of the PR and between 3ac2f2d and 5aa37e3.

📒 Files selected for processing (1)

• src/pkg/login/login_test.go