Describe the bug
When both AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN are set, this library is preferring the former. This causes Vault 1.4.0+ to ignore an explicitly set access key in the environment in favor of IRSA. This seems like a bug to me. If someone has gone to the trouble of exporting the access key and session token variables from an STS session, it doesn't make sense to request new credentials with IRSA. Presumably if a user has done this, they have already used the IRSA-based credentials to call sts:AssumeRole.
To Reproduce
Steps to reproduce the behavior:
- In a Kubernetes pod with IRSA enabled, run
aws sts assume-role to assume an STS role in another account
- Export the access key ID, secret, and session token as
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN
- Run
vault login -method=aws role=some-vault-role
- Receive
error looking up full ARN of entity error
Having this be a cross-account scenario is key to getting the error looking up full ARN of entity error specifically, but if it isn't a cross-account role you would likely just get a failed login when the role ARN from IRSA does not match the bound ARN wildcards.
Expected behavior
When AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set in the environment (and optionally AWS_SESSION_TOKEN), awsutil should ignore AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE. This is how aws sts get-caller-identity works, for example.
Describe the bug
When both
AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILEandAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKENare set, this library is preferring the former. This causes Vault 1.4.0+ to ignore an explicitly set access key in the environment in favor of IRSA. This seems like a bug to me. If someone has gone to the trouble of exporting the access key and session token variables from an STS session, it doesn't make sense to request new credentials with IRSA. Presumably if a user has done this, they have already used the IRSA-based credentials to callsts:AssumeRole.To Reproduce
Steps to reproduce the behavior:
aws sts assume-roleto assume an STS role in another accountAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKENvault login -method=aws role=some-vault-roleerror looking up full ARN of entityerrorHaving this be a cross-account scenario is key to getting the
error looking up full ARN of entityerror specifically, but if it isn't a cross-account role you would likely just get a failed login when the role ARN from IRSA does not match the bound ARN wildcards.Expected behavior
When
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYare set in the environment (and optionallyAWS_SESSION_TOKEN),awsutilshould ignoreAWS_ROLE_ARNandAWS_WEB_IDENTITY_TOKEN_FILE. This is howaws sts get-caller-identityworks, for example.