Skip to content

fix: AWS credential fallback robust against AWS_PROFILE set to missing profile#1110

Merged
yxxhero merged 2 commits intohelmfile:fix-aws-profile-fallback-no-configfrom
Kellen275:kellen275/fix-aws-profile-fallback-no-config
Apr 9, 2026
Merged

fix: AWS credential fallback robust against AWS_PROFILE set to missing profile#1110
yxxhero merged 2 commits intohelmfile:fix-aws-profile-fallback-no-configfrom
Kellen275:kellen275/fix-aws-profile-fallback-no-config

Conversation

@Kellen275
Copy link
Copy Markdown
Contributor

@Kellen275 Kellen275 commented Apr 9, 2026
edited
Loading

The diff is perhaps more easily viewed when compared with the v0.43.7 release (before we began addressing #1094)

git diff v0.43.7 pkg/awsclicompat/session.go

I have intentionally kept the session_test.go file identical to that of #1104 as well as the profileEnvMu definition just to minimize changes.

@yxxhero
Copy link
Copy Markdown
Member

yxxhero commented Apr 9, 2026

@Kellen275 please fix DCO

@yxxhero
Copy link
Copy Markdown
Member

yxxhero commented Apr 9, 2026

@Kellen275 should I merge this?

@Kellen275
Copy link
Copy Markdown
Contributor Author

Kellen275 commented Apr 9, 2026

@yxxhero perhaps we can toss Copilot on to review? This MR effectively reverts #1098 and then builds upon the solution presented in #1104

I would be more comfortable deferring to you/your team with regards to what the expected behavior should be in the Go tests.

@yxxhero yxxhero requested a review from Copilot April 9, 2026 13:36
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves vals AWS config/session creation so that when an explicit profile is provided but the profile is missing, it can still fall back to the AWS SDK v2 default credential chain even if AWS_PROFILE / AWS_DEFAULT_PROFILE are set to the same missing profile.

Changes:

  • Adds a missing-profile fallback path that temporarily suppresses AWS_PROFILE / AWS_DEFAULT_PROFILE under a mutex and retries config loading without an explicit profile.
  • Keeps explicit profile taking precedence, with FORCE_AWS_PROFILE=true as the secondary profile-selection mechanism.

Comment thread pkg/awsclicompat/session.go Outdated
Comment on lines +202 to +214
os.Unsetenv("AWS_PROFILE")
}
if savedDefaultProfile != "" {
os.Unsetenv("AWS_DEFAULT_PROFILE")
}

// Restore environment variables after the recursive call completes
defer func() {
if savedProfile != "" {
os.Setenv("AWS_PROFILE", savedProfile)
}
if savedDefaultProfile != "" {
os.Setenv("AWS_DEFAULT_PROFILE", savedDefaultProfile)
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errcheck is enabled in this repo, and the calls to os.Unsetenv/os.Setenv here ignore the returned error values. This will be reported by golangci-lint (errcheck) and fail CI. Please either handle and return these errors for the initial Unsetenv calls, and use _ = os.Setenv/_ = os.Unsetenv (or equivalent) in the deferred restore where you can’t return an error, mirroring patterns used elsewhere (e.g. tfstate provider).

Suggested change
os.Unsetenv("AWS_PROFILE")
}
if savedDefaultProfile != "" {
os.Unsetenv("AWS_DEFAULT_PROFILE")
}
// Restore environment variables after the recursive call completes
defer func() {
if savedProfile != "" {
os.Setenv("AWS_PROFILE", savedProfile)
}
if savedDefaultProfile != "" {
os.Setenv("AWS_DEFAULT_PROFILE", savedDefaultProfile)
if err := os.Unsetenv("AWS_PROFILE"); err != nil {
profileEnvMu.Unlock()
return aws.Config{}, err
}
}
if savedDefaultProfile != "" {
if err := os.Unsetenv("AWS_DEFAULT_PROFILE"); err != nil {
if savedProfile != "" {
_ = os.Setenv("AWS_PROFILE", savedProfile)
}
profileEnvMu.Unlock()
return aws.Config{}, err
}
}
// Restore environment variables after the recursive call completes
defer func() {
if savedProfile != "" {
_ = os.Setenv("AWS_PROFILE", savedProfile)
}
if savedDefaultProfile != "" {
_ = os.Setenv("AWS_DEFAULT_PROFILE", savedDefaultProfile)

Copilot uses AI. Check for mistakes.
@Kellen275 Kellen275 force-pushed the kellen275/fix-aws-profile-fallback-no-config branch from 4c32724 to cd4e79c Compare April 9, 2026 13:47
@Kellen275
fix commit history to please DCO
e80a840 
Signed-off-by: Kellen Sappington <kellen275@gmail.com>
@Kellen275 Kellen275 force-pushed the kellen275/fix-aws-profile-fallback-no-config branch from cd4e79c to e80a840 Compare April 9, 2026 13:48
@Kellen275
Copy link
Copy Markdown
Contributor Author

Kellen275 commented Apr 9, 2026

The comment from @copilot should be addressed now

@Kellen275 Kellen275 marked this pull request as ready for review April 9, 2026 13:51
@yxxhero yxxhero merged commit 45481dd into helmfile:fix-aws-profile-fallback-no-config Apr 9, 2026
1 check passed
yxxhero added a commit that referenced this pull request Apr 9, 2026
@yxxhero @Kellen275
fix: AWS credential fallback robust against AWS_PROFILE set to missin…
63a88ef 
…g profile (#1104)

* fix: AWS credential fallback should not require default profile in config

When a specified AWS profile is not found, the fallback was using
WithSharedConfigProfile("default") which still requires a [default]
section in ~/.aws/config. EC2 users with no config file at all would
panic with "failed to get shared config profile, default".

Remove the explicit profile override in the fallback so the SDK uses
its default credential chain (env vars, shared credentials, EC2 IMDS)
without requiring any profile to exist in config files.

Fixes #1094

Signed-off-by: yxxhero <aiopsclub@163.com>

* fix: handle AWS_PROFILE env var in profile-not-found fallback path

Agent-Logs-Url: https://github.com/helmfile/vals/sessions/58c724eb-18ad-4e34-b1ed-9eb28fccfd2a

Co-authored-by: yxxhero <11087727+yxxhero@users.noreply.github.com>

* fix: address lint errors in loadDefaultConfigWithoutProfileEnv

Agent-Logs-Url: https://github.com/helmfile/vals/sessions/00c2fd7d-20cf-42d6-a319-e391f15517e2

Co-authored-by: yxxhero <11087727+yxxhero@users.noreply.github.com>

* fix commit history to please DCO (#1110)

Signed-off-by: Kellen Sappington <kellen275@gmail.com>

---------

Signed-off-by: yxxhero <aiopsclub@163.com>
Signed-off-by: Kellen Sappington <kellen275@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Kellen275 <59538148+Kellen275@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mumoshu mumoshu Awaiting requested review from mumoshu mumoshu is a code owner

@itscaro itscaro Awaiting requested review from itscaro itscaro is a code owner

@yxxhero yxxhero Awaiting requested review from yxxhero yxxhero is a code owner

@xiaomudk xiaomudk Awaiting requested review from xiaomudk xiaomudk is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Kellen275 @yxxhero