aws · richardwang1124 · Aug 25, 2025 · Aug 21, 2025 · Aug 25, 2025 · Aug 25, 2025
diff --git a/build_tools/services.rb b/build_tools/services.rb
@@ -9,10 +9,10 @@ class ServiceEnumerator
     MANIFEST_PATH = File.expand_path('../../services.json', __FILE__)
 
     # Minimum `aws-sdk-core` version for new gem builds
-    MINIMUM_CORE_VERSION = "3.228.0"
+    MINIMUM_CORE_VERSION = "3.231.0"
 
     # Minimum `aws-sdk-core` version for new S3 gem builds
-    MINIMUM_CORE_VERSION_S3 = "3.228.0"
+    MINIMUM_CORE_VERSION_S3 = "3.231.0"
 
     EVENTSTREAM_PLUGIN = "Aws::Plugins::EventStreamConfiguration"
 

diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Add support for ENV as credential source for `AssumeRoleCredentials`.
+
 3.230.0 (2025-08-21)
 ------------------
 

diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb
@@ -369,6 +369,15 @@ def credentials_from_source(credential_source, config)
         )
       when 'EcsContainer'
         ECSCredentials.new
+      when 'Environment'
+        creds = Credentials.new(
+          ENV['AWS_ACCESS_KEY_ID'],
+          ENV['AWS_SECRET_ACCESS_KEY'],
+          ENV['AWS_SESSION_TOKEN'],
+          account_id: ENV['AWS_ACCOUNT_ID']
+        )
+        creds.metrics = ['CREDENTIALS_ENV_VARS']
+        creds
       else
         raise Errors::InvalidCredentialSourceError, "Unsupported credential_source: #{credential_source}"
       end

diff --git a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb
@@ -960,6 +960,55 @@ module Aws
           region: 'us-east-1'
         )
       end
+
+      it 'can assume a role with ENV as a source' do
+        stub_const(
+          'ENV',
+          'AWS_ACCESS_KEY_ID' => 'AKID_ENV_STUB',
+          'AWS_SECRET_ACCESS_KEY' => 'SECRET_ENV_STUB'
+        )
+        profile = 'ar_env_src'
+        assume_role_stub(
+          'arn:aws:iam::123456789012:role/foo',
+          'AKID_ENV_STUB',
+          'AR_AKID',
+          'AR_SECRET',
+          'AR_TOKEN'
+        )
+        client = ApiHelper.sample_rest_xml::Client.new(
+          profile: profile,
+          region: 'us-east-1'
+        )
+        expect(
+          client.config.credentials.credentials.access_key_id
+        ).to eq('AR_AKID')
+        expect(metric_values(client.config.credentials.metrics)).to include('p', 'g', 'i')
+      end
+
+      it 'emits correct UserAgent metrics during STS calls for ENV as a source' do
+        stub_const(
+          'ENV',
+          'AWS_ACCESS_KEY_ID' => 'AKID_ENV_STUB',
+          'AWS_SECRET_ACCESS_KEY' => 'SECRET_ENV_STUB'
+        )
+        profile = 'ar_env_src'
+        assume_role_stub(
+          'arn:aws:iam::123456789012:role/foo',
+          'AKID_ENV_STUB',
+          'AR_AKID',
+          'AR_SECRET',
+          'AR_TOKEN'
+        )
+        expect_any_instance_of(STS::Client).to receive(:assume_role).and_wrap_original do |m, *args|
+          resp = m.call(*args)
+          expect(metrics_from_user_agent_header(resp)).to include('p', 'g')
+          resp
+        end
+        ApiHelper.sample_rest_xml::Client.new(
+          profile: profile,
+          region: 'us-east-1'
+        )
+      end
     end
 
     describe 'AWS_SDK_CONFIG_OPT_OUT set' do