From 8ef66aa76d309ad431a245105d7e557e13e8a428 Mon Sep 17 00:00:00 2001
From: Ben Koska
Date: Mon, 29 Sep 2025 14:45:20 -0700
Subject: [PATCH] fix: retrieveAwsSecurityCredentials
---
 src/auth/defaultawssecuritycredentialssupplier.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/auth/defaultawssecuritycredentialssupplier.ts b/src/auth/defaultawssecuritycredentialssupplier.ts
index a59818be..34753c26 100644
--- a/src/auth/defaultawssecuritycredentialssupplier.ts
+++ b/src/auth/defaultawssecuritycredentialssupplier.ts
@@ -175,6 +175,9 @@ export class DefaultAwsSecurityCredentialsSupplier
 metadataHeaders,
 context.transporter,
 );
+ if (awsCreds == null || awsCreds.AccessKeyId == null || awsCreds.SecretAccessKey == null || awsCreds.Token == null) {
+ throw new Error("Retrieved invalid aws credentials, expected fields `AccessKeyId`, `SecretAccessKey` and `Token` to be non-null but one or more are null.");
+ }
 return {
 accessKeyId: awsCreds.AccessKeyId,
 secretAccessKey: awsCreds.SecretAccessKey,
@@ -243,6 +246,9 @@ export class DefaultAwsSecurityCredentialsSupplier
 ...this.additionalGaxiosOptions,
 url: `${this.securityCredentialsUrl}/${roleName}`,
 headers: headers,
+ // NOTE: Do not remove this. AWS returns `Content-Type: text/plain` even though
+ // the response is a json, so it is necessary to have this.
+ responseType: 'json'
 } as GaxiosOptions;
 AuthClient.setMethodName(opts, '#retrieveAwsSecurityCredentials');
 const response =
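Review bot: The guard added after the metadata call rejects only `null`/`undefined`, so an empty string or a non-string value in `AccessKeyId`, `SecretAccessKey` or `Token` still flows into the returned credentials object and, presumably, into request signing. Checking the type as well closes that gap, for example `if (typeof awsCreds?.AccessKeyId !== 'string' || awsCreds.AccessKeyId === '')` applied to each of the three fields, ideally naming the missing field in the error. Keep the message limited to field names as it is now, since the response body can carry secret material and should not be echoed into an exception. The new `throw` uses a double-quoted literal on a very long line while the second hunk uses single quotes, so a formatter pass looks needed. The enclosing method starts and ends outside the hunk.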
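Review bot: `responseType: 'json'` lacks the trailing comma that the neighbouring properties carry, and the comment above it would help more if it said what breaks without the option, e.g. `// AWS serves this JSON body as text/plain; without responseType the body is presumably left unparsed and the credential fields read as undefined.` Because the property sits after `...this.additionalGaxiosOptions`, it overrides any caller-supplied `responseType` for this request, which looks intended but is worth stating in that comment. If the HTTP client returns the raw text when JSON parsing fails (not visible here), the field check in the first hunk is what makes the call fail closed, so the two changes should stay together. The method continues past the end of the hunk.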