fix(rt): ignore empty env variable and system properties for AWS credentials (#1080)

Author: aajtodd

.changes/1691b2fe-15ba-4bf8-8f27-382b59c792c8.json

@@ -0,0 +1,5 @@
+{
+    "id": "1691b2fe-15ba-4bf8-8f27-382b59c792c8",
+    "type": "bugfix",
+    "description": "Ignore empty environment variable and system property strings when evaluating AWS credentials"
+}

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/EnvironmentCredentialsProvider.kt

@@ -27,7 +27,7 @@ public class EnvironmentCredentialsProvider(
 ) : CredentialsProvider {
 
     private fun requireEnv(variable: String): String =
-        getEnv(variable) ?: throw ProviderConfigurationException("Missing value for environment variable `$variable`")
+        getEnv(variable)?.takeIf(String::isNotBlank) ?: throw ProviderConfigurationException("Missing value for environment variable `$variable`")
 
     override suspend fun resolve(attributes: Attributes): Credentials {
         coroutineContext.trace<EnvironmentCredentialsProvider> {

aws-runtime/aws-config/common/src/aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProvider.kt

@@ -27,7 +27,7 @@ public class SystemPropertyCredentialsProvider(
 ) : CredentialsProvider {
 
     private fun requireProperty(variable: String): String =
-        getProperty(variable) ?: throw ProviderConfigurationException("Missing value for system property `$variable`")
+        getProperty(variable)?.takeIf(String::isNotBlank) ?: throw ProviderConfigurationException("Missing value for system property `$variable`")
 
     override suspend fun resolve(attributes: Attributes): Credentials {
         coroutineContext.trace<SystemPropertyCredentialsProvider> {

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/EnvironmentCredentialsProviderTest.kt

@@ -17,7 +17,7 @@ class EnvironmentCredentialsProviderTest {
     private fun provider(vararg vars: Pair<String, String>) = EnvironmentCredentialsProvider((vars.toMap())::get)
 
     @Test
-    fun `it should read from environment variables (incl session token)`() = runTest {
+    fun testReadFromEnvironmentIncludingSessionToken() = runTest {
         val provider = provider(
             AwsSdkSetting.AwsAccessKeyId.envVar to "abc",
             AwsSdkSetting.AwsSecretAccessKey.envVar to "def",
@@ -27,7 +27,7 @@ class EnvironmentCredentialsProviderTest {
     }
 
     @Test
-    fun `it should read from environment variables (excl session token)`() = runTest {
+    fun testReadFromEnvironmentExcludingSessionToken() = runTest {
         val provider = provider(
             AwsSdkSetting.AwsAccessKeyId.envVar to "abc",
             AwsSdkSetting.AwsSecretAccessKey.envVar to "def",
@@ -36,16 +36,36 @@ class EnvironmentCredentialsProviderTest {
     }
 
     @Test
-    fun `it should throw an exception on missing access key`() = runTest {
+    fun testThrowsWhenMissingAccessKey() = runTest {
         assertFailsWith<ProviderConfigurationException> {
             provider(AwsSdkSetting.AwsSecretAccessKey.envVar to "def").resolve()
         }.message.shouldContain("Missing value for environment variable `AWS_ACCESS_KEY_ID`")
     }
 
     @Test
-    fun `it should throw an exception on missing secret key`() = runTest {
+    fun testThrowsWhenMissingSecretKey() = runTest {
         assertFailsWith<ProviderConfigurationException> {
             provider(AwsSdkSetting.AwsAccessKeyId.envVar to "abc").resolve()
         }.message.shouldContain("Missing value for environment variable `AWS_SECRET_ACCESS_KEY`")
     }
+
+    @Test
+    fun testIgnoresEmptyAccessKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(
+                AwsSdkSetting.AwsAccessKeyId.envVar to "",
+                AwsSdkSetting.AwsSecretAccessKey.envVar to "abc",
+            ).resolve()
+        }.message.shouldContain("Missing value for environment variable `AWS_ACCESS_KEY_ID`")
+    }
+
+    @Test
+    fun testIgnoresEmptySecretKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(
+                AwsSdkSetting.AwsAccessKeyId.envVar to "abc",
+                AwsSdkSetting.AwsSecretAccessKey.envVar to "",
+            ).resolve()
+        }.message.shouldContain("Missing value for environment variable `AWS_SECRET_ACCESS_KEY`")
+    }
 }

aws-runtime/aws-config/common/test/aws/sdk/kotlin/runtime/auth/credentials/SystemPropertyCredentialsProviderTest.kt

@@ -17,7 +17,7 @@ class SystemPropertyCredentialsProviderTest {
     private fun provider(vararg vars: Pair<String, String>) = SystemPropertyCredentialsProvider((vars.toMap())::get)
 
     @Test
-    fun readAllSystemProperties() = runTest {
+    fun testReadAllSystemProperties() = runTest {
         val provider = provider(
             AwsSdkSetting.AwsAccessKeyId.sysProp to "abc",
             AwsSdkSetting.AwsSecretAccessKey.sysProp to "def",
@@ -27,7 +27,7 @@ class SystemPropertyCredentialsProviderTest {
     }
 
     @Test
-    fun readAllSystemPropertiesExceptSessionToken() = runTest {
+    fun testReadAllSystemPropertiesExceptSessionToken() = runTest {
         val provider = provider(
             AwsSdkSetting.AwsAccessKeyId.sysProp to "abc",
             AwsSdkSetting.AwsSecretAccessKey.sysProp to "def",
@@ -36,16 +36,36 @@ class SystemPropertyCredentialsProviderTest {
     }
 
     @Test
-    fun throwsExceptionWhenMissingAccessKey() = runTest {
+    fun testThrowsExceptionWhenMissingAccessKey() = runTest {
         assertFailsWith<ProviderConfigurationException> {
             provider(AwsSdkSetting.AwsSecretAccessKey.sysProp to "def").resolve()
         }.message.shouldContain("Missing value for system property `aws.accessKeyId`")
     }
 
     @Test
-    fun throwsExceptionWhenMissingSecretKey() = runTest {
+    fun testThrowsExceptionWhenMissingSecretKey() = runTest {
         assertFailsWith<ProviderConfigurationException> {
             provider(AwsSdkSetting.AwsAccessKeyId.sysProp to "abc").resolve()
         }.message.shouldContain("Missing value for system property `aws.secretAccessKey`")
     }
+
+    @Test
+    fun testIgnoresEmptyAccessKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(
+                AwsSdkSetting.AwsAccessKeyId.sysProp to "",
+                AwsSdkSetting.AwsSecretAccessKey.sysProp to "abc",
+            ).resolve()
+        }.message.shouldContain("Missing value for system property `aws.accessKeyId`")
+    }
+
+    @Test
+    fun testIgnoresEmptySecretKey() = runTest {
+        assertFailsWith<ProviderConfigurationException> {
+            provider(
+                AwsSdkSetting.AwsAccessKeyId.sysProp to "abc",
+                AwsSdkSetting.AwsSecretAccessKey.sysProp to "",
+            ).resolve()
+        }.message.shouldContain("Missing value for system property `aws.secretAccessKey`")
+    }
 }