From 35d17d6a5434a514cba7624a85483a52037f9dec Mon Sep 17 00:00:00 2001 From: Bob Ziuchkovski Date: Fri, 19 Sep 2025 11:43:31 -0600 Subject: [PATCH 1/5] support setting AWS_ROLE_ARN via env var for aws-cli/setup --- src/commands/setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/commands/setup.yml b/src/commands/setup.yml index d1072b6..4a607cd 100644 --- a/src/commands/setup.yml +++ b/src/commands/setup.yml @@ -79,7 +79,7 @@ parameters: The Amazon Resource Name (ARN) of the role that the caller is assuming. Role ARN must be configured for web identity. type: string - default: "" + default: ${AWS_ROLE_ARN} role_session_name: description: An identifier for the assumed role session From 004e218f87a7ddc2a83f3bcbc481e667df12ab78 Mon Sep 17 00:00:00 2001 From: Bob Ziuchkovski Date: Fri, 19 Sep 2025 13:03:19 -0600 Subject: [PATCH 2/5] be more explicit about the new behavior of role_arn/$AWS_ROLE_ARN --- src/commands/setup.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/commands/setup.yml b/src/commands/setup.yml index 4a607cd..e8dbf84 100644 --- a/src/commands/setup.yml +++ b/src/commands/setup.yml @@ -1,7 +1,8 @@ description: | Installs aws-cli and then configure and store AWS credentials in ~/.aws/credentials and ~/.aws/config. - If role_session_name and role_arn are provided, it will attempt to use OIDC auth. + If role_arn is set, either explicitly or by the value of $AWS_ROLE_ARN, this command will attempt to use OIDC + auth. parameters: version: @@ -77,7 +78,8 @@ parameters: role_arn: description: | The Amazon Resource Name (ARN) of the role that the caller is assuming. - Role ARN must be configured for web identity. + Role ARN must be configured for web identity / OIDC auth. + (defaults to env var of ${AWS_ROLE_ARN}) type: string default: ${AWS_ROLE_ARN} From c9af894bacca11ab4dd93c496078ce65bb4fc945 Mon Sep 17 00:00:00 2001 
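Review bot: `default: ${AWS_ROLE_ARN}` in the first patch is a literal string when the config is compiled — CircleCI resolves parameters before any job environment exists — so the parameter is never empty unless a caller passes `""` explicitly, and the environment variable is only consulted by whatever substitution the script applies at run time (the header line of the script hunk in patch 5 suggests values are piped through `circleci env subst`, but that line is truncated here). Quoting it as `default: "${AWS_ROLE_ARN}"` keeps the value typed as a string like the `""` it replaces and makes the placeholder nature visible to the next reader. The `role_arn` description edited in the second hunk of patch 2 should state this rather than `(defaults to env var of ${AWS_ROLE_ARN})`, for example `Defaults to the literal "${AWS_ROLE_ARN}", which is expanded from the job environment when the step runs; a job whose context already exports AWS_ROLE_ARN will therefore attempt role assumption without any config change.` That last behaviour is the security-relevant part of the series: the role being assumed is now chosen by an environment value rather than an explicit parameter, so it is worth calling out where users will see it.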
From: Bob Ziuchkovski Date: Fri, 19 Sep 2025 13:04:22 -0600 Subject: [PATCH 3/5] add disable_oidc param as an explicit means of skipping oidc auth --- src/commands/setup.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/commands/setup.yml b/src/commands/setup.yml index e8dbf84..82300ee 100644 --- a/src/commands/setup.yml +++ b/src/commands/setup.yml @@ -2,7 +2,7 @@ description: | Installs aws-cli and then configure and store AWS credentials in ~/.aws/credentials and ~/.aws/config. If role_arn is set, either explicitly or by the value of $AWS_ROLE_ARN, this command will attempt to use OIDC - auth. + auth. If you're providing $AWS_ROLE_ARN but don't want to use OIDC auth, set disable_oidc to true. parameters: version: @@ -114,6 +114,13 @@ parameters: description: | Set to true if you want to disable the AWS CLI install step. Default to false. + disable_oidc: + type: boolean + default: false + description: | + Set to true if you want don't want to use OIDC auth but are setting $AWS_ROLE_ARN. This command will otherwise + attempt to use OIDC auth if $AWS_ROLE_ARN is set. + when: description: | Allows script to run on a specific condition of a workflow. @@ -142,6 +149,7 @@ steps: and: - <> - <> + - not: <> steps: - run: name: Assume Role with Web Identity From 4bacecf4dcbb12c4b004f7b5fbb7a6b22d52f7b3 Mon Sep 17 00:00:00 2001 From: Bob Ziuchkovski Date: Wed, 24 Sep 2025 10:43:09 -0600 Subject: [PATCH 4/5] add explicit check for empty string in parameters.role_arn --- src/commands/setup.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/commands/setup.yml b/src/commands/setup.yml index 82300ee..72e9585 100644 --- a/src/commands/setup.yml +++ b/src/commands/setup.yml @@ -149,6 +149,8 @@ steps: and: - <> - <> + - not: + - equal: [<>, ""] - not: <> steps: - run: From b83fd46aef6c5813692ae3fbafff0c0d663f819d Mon Sep 17 00:00:00 2001 
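Review bot: The `disable_oidc` description in the second hunk of patch 3 reads `Set to true if you want don't want to use OIDC auth` — drop the stray `want`. The same block orders its keys `type`, `default`, `description`, while the neighbouring parameters (`role_arn` in patch 2, for instance) put `description` first and `default` last; matching that order keeps the parameter list uniform. The `<< >>` expressions in the third hunk's new `- not: <>` and in the patch 4 condition have been lost in this rendering, so I am reading the new entry as `not: << parameters.disable_oidc >>`; a one-line comment above `condition:` such as `# OIDC role assumption runs unless disable_oidc is set` would make the intent of the `and:` list clear without having to decode the template syntax.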
From: Bob Ziuchkovski
Date: Wed, 24 Sep 2025 11:06:25 -0600
Subject: [PATCH 5/5] don't attempt role assumption unless role arn is provided

---
 src/commands/setup.yml | 3 ---
 src/scripts/assume_role_with_web_identity.sh | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/commands/setup.yml b/src/commands/setup.yml
index 72e9585..0c0e6db 100644
--- a/src/commands/setup.yml
+++ b/src/commands/setup.yml
@@ -148,9 +148,6 @@ steps:
 condition:
 and:
 - <>
- - <>
- - not:
- - equal: [<>, ""]
 - not: <>
 steps:
 - run:
diff --git a/src/scripts/assume_role_with_web_identity.sh b/src/scripts/assume_role_with_web_identity.sh
index be283ad..8b5ed21 100644
--- a/src/scripts/assume_role_with_web_identity.sh
+++ b/src/scripts/assume_role_with_web_identity.sh
@@ -15,6 +15,11 @@ AWS_CLI_BOOL_SET_AWS_ENV_VARS="$(echo "${AWS_CLI_BOOL_SET_AWS_ENV_VARS}" | circl
 AWS_CLI_STR_ROLE_SESSION_NAME=$(printf '%s' "${AWS_CLI_STR_ROLE_SESSION_NAME}" | tr -sC 'A-Za-z0-9=,.@_\-' '-')
 AWS_CLI_STR_ROLE_SESSION_NAME=$(echo "${AWS_CLI_STR_ROLE_SESSION_NAME}" | cut -c -64)
+if [ -z "${AWS_CLI_STR_ROLE_ARN}" ]; then
+ echo "Role ARN is not specified. Skipping assume role with web identity."
+ exit 0
+fi
+
 if [ -z "${AWS_CLI_STR_ROLE_SESSION_NAME}" ]; then
 echo "Role session name is required"
 exit 1
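Review bot: The new `[ -z "${AWS_CLI_STR_ROLE_ARN}" ]` guard only catches an unset AWS_ROLE_ARN if `AWS_CLI_STR_ROLE_ARN` has already been passed through the same substitution shown for `AWS_CLI_BOOL_SET_AWS_ENV_VARS` on the hunk's header line; the parameter default is the literal `${AWS_ROLE_ARN}`, so if that expansion happens after this point or not at all, the string is never empty and the `exit 0` path never fires. That expansion is outside the hunk, so please confirm its position and record it next to the check, e.g. `# AWS_CLI_STR_ROLE_ARN has been env-substituted above; an unset AWS_ROLE_ARN therefore arrives as "" — verify if the substitution order changes`. Because the setup.yml hunk in this patch removes the last config-time check on `role_arn` (the `<< >>` expressions are stripped in this rendering, so I am inferring which entries were dropped), this guard is now the only thing keeping the step from calling assume-role-with-web-identity with an empty or unexpanded ARN, and a silent `exit 0` hides that from the job log. Consider a message that says what happens next, for example `echo "Role ARN is not specified. Skipping assume role with web identity; subsequent steps will use whatever AWS credentials are otherwise configured."`.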