fixes sts creds provider env var resolution

sbiscigl · sbiscigl · commit 6b686e265701 · 2025-10-29T14:12:53.000-04:00
diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -6,14 +6,16 @@
 #pragma once
 
 #include <aws/core/Core_EXPORTS.h>
-#include <aws/core/http/Scheme.h>
-#include <aws/core/http/Version.h>
 #include <aws/core/Region.h>
-#include <aws/core/utils/memory/stl/AWSString.h>
 #include <aws/core/http/HttpTypes.h>
+#include <aws/core/http/Scheme.h>
+#include <aws/core/http/Version.h>
 #include <aws/core/utils/Array.h>
+#include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/memory/stl/AWSString.h>
 #include <aws/crt/Optional.h>
 #include <smithy/tracing/TelemetryProvider.h>
+
 #include <memory>
 
 namespace Aws
@@ -447,6 +449,16 @@ namespace Aws
             static Aws::String LoadConfigFromEnvOrProfile(const Aws::String& envKey, const Aws::String& profile,
                                                           const Aws::String& profileProperty, const Aws::Vector<Aws::String>& allowedValues,
                                                           const Aws::String& defaultValue);
+            /**
+             * A helper function to read config value from env variable or aws profile config. Addresses a problem in
+             * LoadConfigFromEnvOrProfile where env variables values are always mapped to their lower case equivalent.
+             * This fails for cases where ENV vars need to be case sensitive in instances like AWS_ROLE_ARN can have
+             * camel case values.
+             */
+            static Aws::String LoadConfigFromEnvOrProfileCaseSensitive(
+                const Aws::String& envKey, const Aws::String& profile, const Aws::String& profileProperty,
+                const Aws::Vector<Aws::String>& allowedValues, const Aws::String& defaultValue,
+                const std::function<Aws::String(const char*)>& envValueMapping = Utils::StringUtils::ToLower);
 
             /**
              * A wrapper for interfacing with telemetry functionality. Defaults to Noop provider.
diff --git a/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp b/src/aws-cpp-sdk-core/source/client/ClientConfiguration.cpp
@@ -45,9 +45,11 @@ static const char* AWS_METADATA_SERVICE_TIMEOUT_ENV_VAR = "AWS_METADATA_SERVICE_
 static const char* AWS_METADATA_SERVICE_TIMEOUT_CONFIG_VAR = "metadata_service_timeout";
 static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_ENV_VAR = "AWS_METADATA_SERVICE_NUM_ATTEMPTS";
 static const char* AWS_METADATA_SERVICE_NUM_ATTEMPTS_CONFIG_VAR = "metadata_service_num_attempts";
-static const char* AWS_IAM_ROLE_ARN_ENV_VAR = "AWS_IAM_ROLE_ARN";
+static const char* AWS_IAM_ROLE_ARN_ENV_VAR = "AWS_ROLE_ARN";
+static const char* AWS_IAM_ROLE_ARN_ENV_VAR_COMPAT = "AWS_IAM_ROLE_ARN";
 static const char* AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION = "role_arn";
-static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR = "AWS_IAM_ROLE_SESSION_NAME";
+static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR = "AWS_ROLE_SESSION_NAME";
+static const char* AWS_IAM_ROLE_SESSION_NAME_ENV_VAR_COMPAT = "AWS_IAM_ROLE_SESSION_NAME";
 static const char* AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION = "role_session_name";
 static const char* AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE";
 static const char* AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION = "web_identity_token_file";
@@ -327,23 +329,33 @@ void setConfigFromEnvOrProfile(ClientConfiguration &config)
     // Uses default retry mode with the specified max attempts from metadata_service_num_attempts
     config.credentialProviderConfig.imdsConfig.imdsRetryStrategy = InitRetryStrategy(attempts, "");
 
-    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_ARN_ENV_VAR,
-          config.profileName,
-          AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
-
-      config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_IAM_ROLE_SESSION_NAME_ENV_VAR,
-          config.profileName,
-          AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
-
-      config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = ClientConfiguration::LoadConfigFromEnvOrProfile(AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR,
-          config.profileName,
-          AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION,
-          {}, /* allowed values */
-          "" /* default value */);
+    config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(
+        AWS_IAM_ROLE_ARN_ENV_VAR, config.profileName, AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION, {}, /* allowed values */
+        "" /* default value */, [](const Aws::String& envValue) -> Aws::String { return envValue; });
+
+    // there was a typo in the original environment variable, this exists for backwards compatibility
+    if (config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn.empty()) {
+      config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(
+          AWS_IAM_ROLE_ARN_ENV_VAR_COMPAT, config.profileName, AWS_IAM_ROLE_ARN_CONFIG_FILE_OPTION, {}, /* allowed values */
+          "" /* default value */, [](const Aws::String& envValue) -> Aws::String { return envValue; });
+    }
+
+    config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName = ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(
+        AWS_IAM_ROLE_SESSION_NAME_ENV_VAR, config.profileName, AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION, {}, /* allowed values */
+        "" /* default value */, [](const Aws::String& envValue) -> Aws::String { return envValue; });
+
+    // there was a typo in the original environment variable, this exists for backwards compatibility
+    if (config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName.empty()) {
+      config.credentialProviderConfig.stsCredentialsProviderConfig.sessionName =
+          ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(
+              AWS_IAM_ROLE_SESSION_NAME_ENV_VAR_COMPAT, config.profileName, AWS_IAM_ROLE_SESSION_NAME_CONFIG_FILE_OPTION,
+              {}, /* allowed values */
+              "" /* default value */, [](const Aws::String& envValue) -> Aws::String { return envValue; });
+    }
+
+    config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = ClientConfiguration::LoadConfigFromEnvOrProfile(
+        AWS_WEB_IDENTITY_TOKEN_FILE_ENV_VAR, config.profileName, AWS_WEB_IDENTITY_TOKEN_FILE_CONFIG_FILE_OPTION, {}, /* allowed values */
+        "" /* default value */);
 }
 
 ClientConfiguration::ClientConfiguration()
@@ -558,29 +570,35 @@ Aws::String ClientConfiguration::LoadConfigFromEnvOrProfile(const Aws::String& e
                                                             const Aws::Vector<Aws::String>& allowedValues,
                                                             const Aws::String& defaultValue)
 {
-    Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
-    if (option.empty()) {
-        option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
-    }
-    option = Aws::Utils::StringUtils::ToLower(option.c_str());
-    if (option.empty()) {
-        return defaultValue;
-    }
-
-    if (!allowedValues.empty() && std::find(allowedValues.cbegin(), allowedValues.cend(), option) == allowedValues.cend()) {
-        Aws::OStringStream expectedStr;
-        expectedStr << "[";
-        for(const auto& allowed : allowedValues) {
-            expectedStr << allowed << ";";
-        }
-        expectedStr << "]";
+  return LoadConfigFromEnvOrProfileCaseSensitive(envKey, profile, profileProperty, allowedValues, defaultValue);
+}
+Aws::String ClientConfiguration::LoadConfigFromEnvOrProfileCaseSensitive(const Aws::String& envKey, const Aws::String& profile,
+                                                                         const Aws::String& profileProperty,
+                                                                         const Aws::Vector<Aws::String>& allowedValues,
+                                                                         const Aws::String& defaultValue,
+                                                                         const std::function<Aws::String(const char*)>& envValueMapping) {
+  Aws::String option = Aws::Environment::GetEnv(envKey.c_str());
+  if (option.empty()) {
+    option = Aws::Config::GetCachedConfigValue(profile, profileProperty);
+  }
+  option = envValueMapping(option.c_str());
+  if (option.empty()) {
+    return defaultValue;
+  }
 
-        AWS_LOGSTREAM_WARN(CLIENT_CONFIG_TAG, "Unrecognised value for " << envKey << ": " << option <<
-                                              ". Using default instead: " << defaultValue <<
-                                              ". Expected empty or one of: " << expectedStr.str());
-        option = defaultValue;
+  if (!allowedValues.empty() && std::find(allowedValues.cbegin(), allowedValues.cend(), option) == allowedValues.cend()) {
+    Aws::OStringStream expectedStr;
+    expectedStr << "[";
+    for (const auto& allowed : allowedValues) {
+      expectedStr << allowed << ";";
     }
-    return option;
+    expectedStr << "]";
+
+    AWS_LOGSTREAM_WARN(CLIENT_CONFIG_TAG, "Unrecognised value for " << envKey << ": " << option << ". Using default instead: "
+                                                                    << defaultValue << ". Expected empty or one of: " << expectedStr.str());
+    option = defaultValue;
+  }
+  return option;
 }
 
 } // namespace Client
diff --git a/tests/aws-cpp-sdk-core-integration-tests/STSWebIdentityProviderIntegrationTest.cpp b/tests/aws-cpp-sdk-core-integration-tests/STSWebIdentityProviderIntegrationTest.cpp
@@ -6,8 +6,8 @@
 #include <aws/cognito-identity/model/SetIdentityPoolRolesRequest.h>
 #include <aws/core/Aws.h>
 #include <aws/core/auth/STSCredentialsProvider.h>
-#include <aws/core/utils/FileSystemUtils.h>
 #include <aws/core/platform/Environment.h>
+#include <aws/core/utils/FileSystemUtils.h>
 #include <aws/iam/IAMClient.h>
 #include <aws/iam/model/CreateRoleRequest.h>
 #include <aws/iam/model/DeleteRolePolicyRequest.h>
@@ -16,10 +16,12 @@
 #include <aws/sts/STSClient.h>
 #include <aws/sts/model/AssumeRoleRequest.h>
 #include <aws/testing/AwsTestHelpers.h>
+#include <aws/testing/platform/PlatformTesting.h>
 #include <gtest/gtest.h>
 
 using namespace Aws;
 using namespace Aws::Client;
+using namespace Aws::Environment;
 using namespace Aws::Auth;
 using namespace Aws::Utils;
 using namespace Aws::IAM;
@@ -29,13 +31,30 @@ using namespace Aws::STS::Model;
 using namespace Aws::CognitoIdentity;
 using namespace Aws::CognitoIdentity::Model;
 
+extern char **environ;
+
 namespace {
 const char* TRUST_POLICY = R"({"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"cognito-identity.amazonaws.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"cognito-identity.amazonaws.com:aud":"IDENTITY_POOL_ID_PLACEHOLDER"},"ForAnyValue:StringLike":{"cognito-identity.amazonaws.com:amr":"unauthenticated"}}},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::TEST_ACCOUNT_ID:root"},"Action":"sts:AssumeRole"}]})";
 const char* ALLOW_S3_POLICY = R"({"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket/*","arn:aws:s3:::example-bucket"]}]})";
 // If it takes longer than 60s for a IAM role to be consistent -- thats a problem
 // and we likely want to move on and fail the test
 const std::chrono::milliseconds IAM_CONSISTENCY_SLEEP = std::chrono::seconds(1);
 const size_t MAX_IAM_CONSISTENCY_RETRIES = 60;
+
+void dumpEnv() {
+  std::cout << "DEBUG: Dumping environment" << '\n';
+  for (char **env = environ; *env != nullptr; env++) {
+    std::cout << *env << '\n';
+  }
+}
+
+void dumpCredsConfig(const ClientConfiguration::CredentialProviderConfiguration& config) {
+  std::cout << "DEBUG: Dumping credentials config" << '\n';
+  std::cout << "DEBUG: Region: " << config.region << '\n';
+  std::cout << "DEBUG: Role ARN: " << config.stsCredentialsProviderConfig.roleArn << '\n';
+  std::cout << "DEBUG: Session name: " << config.stsCredentialsProviderConfig.sessionName << '\n';
+  std::cout << "DEBUG: Token file path: " << config.stsCredentialsProviderConfig.tokenFilePath << '\n';
+}
 }
 
 class CognitoIdentitySetup {
@@ -156,6 +175,53 @@ TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWork) {
   config.credentialProviderConfig.region = config.region;
   config.credentialProviderConfig.stsCredentialsProviderConfig.roleArn = testResourcesRAII.GetRoleArn();
   config.credentialProviderConfig.stsCredentialsProviderConfig.tokenFilePath = testResourcesRAII.GetTokenFileName();
+  dumpCredsConfig(config.credentialProviderConfig);
+  STSAssumeRoleWebIdentityCredentialsProvider provider{config.credentialProviderConfig};
+  AWSCredentials credentials{};
+  size_t attempts = 0;
+  bool shouldSleep = false;
+  do {
+    if (shouldSleep) {
+      std::this_thread::sleep_for(IAM_CONSISTENCY_SLEEP);
+    }
+    credentials = provider.GetAWSCredentials();
+    shouldSleep = true;
+    attempts++;
+  } while (credentials.IsEmpty() && attempts < MAX_IAM_CONSISTENCY_RETRIES);
+  EXPECT_FALSE(credentials.IsEmpty());
+}
+
+TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWorkWithEnvVar) {
+  CognitoIdentitySetup testResourcesRAII{UUID::RandomUUID()};
+  dumpEnv();
+  const EnvironmentRAII environmentRAII{{{"AWS_ROLE_ARN", testResourcesRAII.GetRoleArn()},
+                                          {"AWS_ROLE_SESSION_NAME", UUID::RandomUUID()},
+                                          {"AWS_WEB_IDENTITY_TOKEN_FILE", testResourcesRAII.GetTokenFileName()}}};
+  const ClientConfiguration config{};
+  dumpCredsConfig(config.credentialProviderConfig);
+  STSAssumeRoleWebIdentityCredentialsProvider provider{config.credentialProviderConfig};
+  AWSCredentials credentials{};
+  size_t attempts = 0;
+  bool shouldSleep = false;
+  do {
+    if (shouldSleep) {
+      std::this_thread::sleep_for(IAM_CONSISTENCY_SLEEP);
+    }
+    credentials = provider.GetAWSCredentials();
+    shouldSleep = true;
+    attempts++;
+  } while (credentials.IsEmpty() && attempts < MAX_IAM_CONSISTENCY_RETRIES);
+  EXPECT_FALSE(credentials.IsEmpty());
+}
+
+TEST_F(STSWebIdentityProviderIntegrationTest, ShouldWorkWithEnvVarBackwardsCompat) {
+  CognitoIdentitySetup testResourcesRAII{UUID::RandomUUID()};
+  dumpEnv();
+  const EnvironmentRAII environmentRAII{{{"AWS_IAM_ROLE_ARN", testResourcesRAII.GetRoleArn()},
+                                          {"AWS_IAM_ROLE_SESSION_NAME", UUID::RandomUUID()},
+                                          {"AWS_WEB_IDENTITY_TOKEN_FILE", testResourcesRAII.GetTokenFileName()}}};
+  const ClientConfiguration config{};
+  dumpCredsConfig(config.credentialProviderConfig);
   STSAssumeRoleWebIdentityCredentialsProvider provider{config.credentialProviderConfig};
   AWSCredentials credentials{};
   size_t attempts = 0;
