credential_source = Environment not working due to credential chain precedence #3301

@ducks

Description

Describe the bug

Bug Description

When using credential_source = Environment in AWS config for role assumption, the SDK uses environment variables directly instead of using them as source credentials to assume the specified role.

Root Cause

In credential_provider_chain.rb, the providers array processes:

  • Position 7: env_credentials - returns env vars directly
  • Position 10: assume_role_credentials - handles role assumption

Since env_credentials runs first and finds credentials, the chain stops before role assumption is evaluated.

Workaround

Use source_profile instead of credential_source:

[profile source-creds]
aws_access_key_id = <your-access-key>
aws_secret_access_key = <your-secret-key>

[default]
role_arn = arn:aws:iam::123456789012:role/MyRole
source_profile = source-creds
role_session_name = test-session
region = us-west-2

This workaround requires plaintext access keys which we'd like to prevent.

Let me know if this makes sense or if I am overlooking something and misunderstanding how this should work.

Expected Behavior

According to AWS documentation:

credential_source = Environment - Environment to pull source credentials from environment variables

Expected flow:

  1. SDK sees role_arn + credential_source = Environment in config
  2. SDK uses AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY as source credentials
  3. SDK calls AssumeRole with those source credentials
  4. SDK returns assumed role credentials

Current Behavior

The SDK uses environment variables directly and never evaluates role assumption config.

Actual flow:

  1. SDK finds AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in environment
  2. SDK returns those credentials directly (credential chain stops)
  3. Role assumption config is never processed

Reproduction Steps

Environment variables:

AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=xyz...

Config file (~/.aws/config):

[default]
role_arn = arn:aws:iam::123456789012:role/MyRole
credential_source = Environment
role_session_name = test-session
region = us-west-2

Ruby code:

require 'aws-sdk-s3'

# No explicit credentials: the client resolves them through the default provider chain,
# which picks up the environment variables and the [default] profile above.
s3 = Aws::S3::Client.new
s3.list_buckets
# Error shows: User: arn:aws:iam::123456789012:user/source-user
# Should show: User: arn:aws:iam::123456789012:assumed-role/MyRole/test-session

Possible Solution

Move role assumption evaluation before direct environment variable usage when credential_source = Environment is configured, or modify the credential chain logic to handle this case properly.

Additional Information/Context

No response

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-core 3.233.0

Environment details (Version of Ruby, OS environment)

Ruby 3.3.8, Rails 8.0.3, Docker/Linux
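The precedence problem described in this issue, shown as an added example that is not part of the issue or of the aws-sdk-ruby code base: a small model of a credential provider chain that parses an ~/.aws/config-style profile, walks an ordered list of providers and stops at the first one that yields credentials. With env_credentials ahead of assume_role_credentials (the ordering the issue describes) the raw environment keys win; with a chain that consults role assumption first when the profile sets role_arn and credential_source = Environment, the role is assumed using the environment keys as the source. The provider names mirror the issue; the ordering constants, the parser and the assumed_role_arn? check (which compares a caller ARN from STS GetCallerIdentity against the expected assumed-role ARN) are assumptions of this example, not SDK APIs.

```ruby
# Parse a minimal INI-style AWS config into { profile_name => { key => value } }.
# Both "[default]" and "[profile name]" section headers are accepted.
def parse_aws_config(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(?:profile\s+)?([^\]]+)\]\z/))
      current = m[1].strip
      profiles[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      profiles[current][m[1].strip] = m[2].strip
    end
  end
  profiles
end

# Provider 1 (model): credentials taken directly from environment variables, or nil.
def env_credentials(env, _profile)
  return nil unless env['AWS_ACCESS_KEY_ID'] && env['AWS_SECRET_ACCESS_KEY']
  { provider: 'env_credentials', identity: 'user', source: nil }
end

# Provider 2 (model): role assumption; only credential_source = Environment is modelled.
def assume_role_credentials(env, profile)
  return nil unless profile['role_arn'] && profile['credential_source'] == 'Environment'
  source = env_credentials(env, profile)
  return nil unless source
  { provider: 'assume_role_credentials', identity: 'assumed-role',
    role_arn: profile['role_arn'], session: profile['role_session_name'],
    source: source[:provider] }
end

# Walk the providers in order; the first non-nil result wins, as in the real chain.
def resolve(env, profile, providers)
  providers.each do |prov|
    result = send(prov, env, profile)
    return result if result
  end
  nil
end

# Ordering the issue reports (env first), and a hypothetical ordering in which role
# assumption is consulted first whenever the profile asks for it.
CURRENT_ORDER = %i[env_credentials assume_role_credentials].freeze
FIXED_ORDER = %i[assume_role_credentials env_credentials].freeze

def resolve_chain(env, config_text, profile_name, order)
  profile = parse_aws_config(config_text).fetch(profile_name, {})
  resolve(env, profile, order)
end

# Check that the identity actually in use (caller ARN from STS GetCallerIdentity) is the
# assumed role the profile requested, not the source IAM user.
def assumed_role_arn?(caller_arn, role_arn, session_name)
  account, role_name = role_arn.match(%r{\Aarn:aws:iam::(\d+):role/(.+)\z})&.captures
  return false unless account
  caller_arn == "arn:aws:sts::#{account}:assumed-role/#{role_name}/#{session_name}"
end

# Constructed sample inputs mirroring the issue's reproduction (placeholder key values).
SAMPLE_ENV = { 'AWS_ACCESS_KEY_ID' => 'AKIAEXAMPLE',
               'AWS_SECRET_ACCESS_KEY' => 'example-secret' }.freeze
SAMPLE_CONFIG = <<~CFG
  [default]
  role_arn = arn:aws:iam::123456789012:role/MyRole
  credential_source = Environment
  role_session_name = test-session
  region = us-west-2
CFG

if __FILE__ == $PROGRAM_NAME
  puts "current chain: #{resolve_chain(SAMPLE_ENV, SAMPLE_CONFIG, 'default', CURRENT_ORDER)[:provider]}"
  puts "fixed chain:   #{resolve_chain(SAMPLE_ENV, SAMPLE_CONFIG, 'default', FIXED_ORDER)[:provider]}"
end
```

Running the script prints env_credentials for the current ordering and assume_role_credentials for the fixed one. In a real deployment the assumed_role_arn? check is the quickest way to confirm which case you are in: call sts:GetCallerIdentity once at startup and compare the returned Arn against the role and session name in your profile, so a fall-through to the source user is detected before any role-scoped permission is relied on.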

Labels: bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)
