Resolves #2171: Honor 'use_aws_shared_config_files' for process… (#2172)

* Resolves #2171: Honor 'use_aws_shared_config_files' for the process-based CredentialProvider
aws · Dec 17, 2020 · 8491d11 · 8491d11
1 parent 7cd2fb0
commit 8491d11
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 18 deletions.
diff --git a/.changes/nextrelease/credential-resolver-ordering-update b/.changes/nextrelease/credential-resolver-ordering-update
@@ -0,0 +1,7 @@
+[
+    {
+        "type": "bugfix",
+        "category": "Credentials",
+        "description": "Aligns the credential resolver to the documentation and other SDK behaviors."
+    }
+]
diff --git a/src/Credentials/CredentialProvider.php b/src/Credentials/CredentialProvider.php
@@ -54,14 +54,17 @@ class CredentialProvider
     const ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE';
 
     /**
-     * Create a default credential provider that first checks for environment
-     * variables, then checks for the "default" profile in ~/.aws/credentials,
+     * Create a default credential provider that
+     * first checks for environment variables,
+     * then checks for assumed role via web identity,
+     * then checks for cached SSO credentials from the CLI,
+     * then check for credential_process in the "default" profile in ~/.aws/credentials,
+     * then checks for the "default" profile in ~/.aws/credentials,
+     * then for credential_process in the "default profile" profile in ~/.aws/config,
      * then checks for "profile default" profile in ~/.aws/config (which is
-     * the default profile of AWS CLI), then tries to make a GET Request to
-     * fetch credentials if Ecs environment variable is presented, then checks
-     * for credential_process in the "default" profile in ~/.aws/credentials,
-     * then for credential_process in the "default profile" profile in
-     * ~/.aws/config, and finally checks for EC2 instance profile credentials.
+     * the default profile of AWS CLI),
+     * then tries to make a GET Request to fetch credentials if ECS environment variable is presented,
+     * finally checks for EC2 instance profile credentials.
      *
      * This provider is automatically wrapped in a memoize function that caches
      * previously provided credentials.
@@ -76,9 +79,9 @@ public static function defaultProvider(array $config = [])
         $cacheable = [
             'web_identity',
             'sso',
-            'ecs',
             'process_credentials',
             'process_config',
+            'ecs',
             'instance'
         ];
 
@@ -95,7 +98,12 @@ public static function defaultProvider(array $config = [])
                 self::getHomeDir() . '/.aws/config',
                 $config
             );
+            $defaultChain['process_credentials'] = self::process();
             $defaultChain['ini'] = self::ini();
+            $defaultChain['process_config'] = self::process(
+                'profile default',
+                self::getHomeDir() . '/.aws/config'
+            );
             $defaultChain['ini_config'] = self::ini(
                 'profile default',
                 self::getHomeDir() . '/.aws/config'
@@ -112,13 +120,9 @@ public static function defaultProvider(array $config = [])
 
         if (!empty($shouldUseEcsCredentialsProvider)) {
             $defaultChain['ecs'] = self::ecsCredentials($config);
+        } else {
+            $defaultChain['instance'] = self::instanceProfile($config);
         }
-        $defaultChain['process_credentials'] = self::process();
-        $defaultChain['process_config'] = self::process(
-            'profile default',
-            self::getHomeDir() . '/.aws/config'
-        );
-        $defaultChain['instance'] = self::instanceProfile($config);
 
         if (isset($config['credentials'])
             && $config['credentials'] instanceof CacheInterface

diff --git a/tests/Credentials/CredentialProviderTest.php b/tests/Credentials/CredentialProviderTest.php
@@ -1807,19 +1807,19 @@ public function testCallsDefaultsCreds()
 
     public function testCachesCacheableInDefaultChain()
     {
-        $this->clearEnv();
-        putenv('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/latest');
         $cacheable = [
             'web_identity',
-            'ecs',
+            'sso',
             'process_credentials',
             'process_config',
-            'sso',
+            'ecs',
             'instance'
         ];
 
         $credsForCache = new Credentials('foo', 'bar', 'baz', PHP_INT_MAX);
         foreach ($cacheable as $provider) {
+            $this->clearEnv();
+            if ($provider == 'ecs') putenv('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/latest');
             $cache = new LruArrayCache;
             $cache->set('aws_cached_' . $provider . '_credentials', $credsForCache);
             $credentials = call_user_func(CredentialProvider::defaultProvider([