Resolve local AWS credentials via the full provider chain #39
Open
stevethomas wants to merge 2 commits into
Switch the local credential branch from CredentialProvider::ini() to defaultProvider() (with AWS_PROFILE set from the keyed env) so a credential_process profile — e.g. 1Password-backed short-lived credentials — resolves alongside plain static access keys. Backwards compatible: only the local branch changes (CI and on-AWS paths untouched), and a static key+secret profile still resolves via the chain's ini link.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
defaultProvider() only selects the profile from $AWS_PROFILE, so the earlier approach set it via putenv. Replace with an explicit memoised chain (process + ini against both the credentials and config files) scoped to the keyed profile — no environment mutation, and no fall-through to the IMDS provider on a misconfigured local profile.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Prerequisite for `credential_process`-based auth (1Password / SSO / Keychain). Replaces the local branch's `CredentialProvider::ini()` in `RegistersAws::awsCredentials()` with an explicit, memoised credential chain scoped to the keyed profile:

This lets a profile defined purely via `credential_process` in `~/.aws/config` resolve — the seam 1Password's `op` plugs into — so long-lived keys can be kept out of `~/.aws/credentials` entirely, while plain static-key profiles keep working unchanged.

Built explicitly rather than via `defaultProvider()` because `defaultProvider()` only selects the profile from the `$AWS_PROFILE` env var (it ignores a passed-in profile). The explicit chain keeps the profile scoped without mutating the environment, and avoids `defaultProvider()`'s fall-through to the IMDS/instance provider on a misconfigured local profile.

Backwards compatibility
… `ini` link.
… `credential_process` profile both resolve correctly.

Test plan
./vendor/bin/pest — 213 passed
./vendor/bin/phpstan analyse --memory-limit=1G — no errors
./vendor/bin/pint — pass
🤖 Generated with Claude Code
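The explicit chain the description refers to, written out as an added example; this is not the PR's own code (the diff is not shown on this page) and not part of the project. It assumes aws/aws-sdk-php v3 installed via Composer and uses only the SDK's `CredentialProvider::process()`, `ini()`, `chain()` and `memoize()` primitives. The function names `localProfileCredentials` and `describeResolvedCredentials` are the example's own, the profile is taken from a hypothetical CLI argument in place of the project's keyed setting, and the config-file entry in the comment is constructed with a placeholder command.

```php
<?php
// Added example, not the project's code: an explicit, memoised credential chain
// scoped to one named profile, built from AWS SDK for PHP provider primitives.
// Assumes aws/aws-sdk-php v3 is installed via Composer.

require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\CredentialsInterface;
use Aws\Exception\CredentialsException;

/**
 * Provider for $profile that consults, in order:
 *   1. credential_process in the shared credentials file  ([<profile>])
 *   2. static keys        in the shared credentials file  ([<profile>])
 *   3. credential_process in the config file              ([profile <profile>])
 *   4. static keys        in the config file              ([profile <profile>])
 *
 * The chain is closed: no env, ECS or IMDS link, so a misconfigured local
 * profile fails here instead of falling through to instance metadata.
 *
 * Constructed ~/.aws/config entry this serves (the command is a placeholder):
 *   [profile dev]
 *   credential_process = /usr/local/bin/fetch-aws-creds --profile dev
 */
function localProfileCredentials(string $profile): callable
{
    // Same file-location rules the SDK applies: env override, else ~/.aws/*.
    $home            = getenv('HOME') ?: (getenv('HOMEDRIVE') . getenv('HOMEPATH'));
    $credentialsFile = getenv('AWS_SHARED_CREDENTIALS_FILE') ?: $home . '/.aws/credentials';
    $configFile      = getenv('AWS_CONFIG_FILE') ?: $home . '/.aws/config';

    // Sections in ~/.aws/config are written "[profile name]" (only the default
    // profile is bare "[default]"); the SDK does not strip that prefix, so the
    // config-file links must be given the qualified section name.
    $configSection = $profile === 'default' ? 'default' : "profile $profile";

    $chain = CredentialProvider::chain(
        CredentialProvider::process($profile, $credentialsFile),
        CredentialProvider::ini($profile, $credentialsFile),
        CredentialProvider::process($configSection, $configFile),
        CredentialProvider::ini($configSection, $configFile)
    );

    // memoize() caches the resolved credentials and re-runs the chain only
    // once they expire, so a credential_process backed by 1Password prompts
    // once per run rather than once per SDK client or request.
    return CredentialProvider::memoize($chain);
}

/**
 * Resolve once and report which kind of credential came back, without
 * printing the secret. Returns null when no link in the chain could serve
 * the profile (the rejection reason goes to stderr).
 */
function describeResolvedCredentials(callable $provider): ?string
{
    try {
        /** @var CredentialsInterface $creds */
        $creds = $provider()->wait();
    } catch (CredentialsException $e) {
        fwrite(STDERR, 'no local credentials: ' . $e->getMessage() . PHP_EOL);
        return null;
    }

    // A session token means short-lived credentials (credential_process/STS);
    // its absence means a long-lived static key pair from an ini file.
    $kind   = $creds->getSecurityToken() === null ? 'static key' : 'temporary, session token present';
    $expiry = $creds->getExpiration() === null ? 'no expiry' : date(DATE_ATOM, $creds->getExpiration());

    return sprintf('%s... (%s; %s)', substr($creds->getAccessKeyId(), 0, 8), $kind, $expiry);
}

// Hypothetical CLI usage: php check-creds.php dev
$profile  = $argv[1] ?? 'default';
$provider = localProfileCredentials($profile);
echo describeResolvedCredentials($provider) ?? 'unresolved', PHP_EOL;

// Hand the same $provider to every client so the memoised result is shared:
// $s3 = new Aws\S3\S3Client(['region' => 'eu-west-2', 'version' => 'latest',
//                            'credentials' => $provider]);
```

Two details worth checking when reproducing this: `process()` and `ini()` default to the shared credentials file when no filename is passed, so the config-file links only exist because the filename is given explicitly; and because the chain has no IMDS link, a typo in the profile name surfaces as a `CredentialsException` on the first call rather than as a surprising call to 169.254.169.254.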