[BUG]: @initAws with profile does not support credential_source in ~/.aws/config #772

@bestickley

varlock version

1.5.0

Steps to reproduce

~/.aws/config:

```ini
[default]
credential_source = EcsContainer
region = us-gov-west-1
```

.env.schema:

```
# @plugin(@varlock/aws-secrets-plugin)
# @initAws(region=us-gov-west-1, profile=$AWS_PROFILE)
# ---
```

With AWS_PROFILE=default set in the environment:

```
❌ awsParam(): Authentication failed with provided credentials
   Verify that your AWS credentials are valid and have the required permissions
```

The same profile works fine with the AWS CLI:

```bash
aws sts get-caller-identity --profile default
# Returns valid account/role — no error
```

Root cause

The aws-secrets-plugin calls fromIni({ profile }) directly, bypassing the full AWS SDK
credential provider chain (fromNodeProviderChain). The fromIni provider does contain code
to resolve credential_source entries, but it fails in this environment — likely because
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is a relative path and the bundled SDK does not
construct the full endpoint URL http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
correctly.

What is expected?

credential_source = EcsContainer in a named profile should work the same way it does in the
AWS CLI and fromNodeProviderChain.

Workaround

Omit profile from @initAws entirely so varlock falls back to the default credential chain,
which correctly handles ECS/CodeBuild container role credentials:

```
# @initAws(region=us-gov-west-1)
```

For local dev where a named profile is needed, set AWS_PROFILE in the environment — the
default credential chain picks it up automatically.

What is actually happening?

Error

System Info

- varlock: `1.5.0`
- `@varlock/aws-secrets-plugin`: `1.1.0`
- Node.js: `24`
- AWS credential source: CodeBuild container role (`credential_source = EcsContainer`)
- Platform: AWS GovCloud (`us-gov-west-1`)

Any additional comments?

No response
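
The resolution the issue describes (a profile with `credential_source = EcsContainer` resolving to the container endpoint built from `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`), as an added offline diagnostic that is not part of the original issue and is not varlock or AWS SDK code. `parseAwsConfig`, `diagnoseProfile`, the `dev` profile and the `/v2/credentials/example-id` value are constructed for illustration; checking the relative URI before the full URI is an assumption of this example.

```javascript
// Added example, not varlock or AWS SDK code. Runs offline on constructed input.
const ECS_CREDENTIALS_HOST = 'http://169.254.170.2'; // host quoted in the issue

// Constructed sample: the [default] profile from the issue plus a named profile.
const SAMPLE_CONFIG = `
[default]
credential_source = EcsContainer
region = us-gov-west-1

[profile dev]
region = us-gov-west-1
`;

// Parse shared-config text into { profileName: { key: value } }.
// ~/.aws/config names profiles "[profile name]", except "[default]".
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) { current = profiles[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Report whether the environment can satisfy a profile's EcsContainer source.
function diagnoseProfile(configText, profileName, env) {
  const profile = parseAwsConfig(configText)[profileName];
  if (!profile) return { ok: false, reason: `profile "${profileName}" not found` };
  const source = profile.credential_source || null;
  if (source !== 'EcsContainer') return { ok: true, source, reason: 'no container source to check' };
  const rel = env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
  const full = env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
  // A relative URI only forms a valid URL if it starts with "/".
  if (rel && !rel.startsWith('/')) return { ok: false, source, reason: 'relative URI lacks leading "/"' };
  if (rel) return { ok: true, source, endpoint: ECS_CREDENTIALS_HOST + rel };
  if (full) return { ok: true, source, endpoint: full };
  return { ok: false, source, reason: 'no AWS_CONTAINER_CREDENTIALS_*_URI variable set' };
}

// Constructed environment value; real ones are set by ECS or CodeBuild.
console.log(diagnoseProfile(SAMPLE_CONFIG, 'default',
  { AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: '/v2/credentials/example-id' }));
```

Pass `process.env` and the contents of `~/.aws/config` to run it inside the failing container; it reports only the endpoint and never fetches or prints credentials.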
