config.LoadDefaultConfig doesn't honor env variables

[jylitalo]

Describe the bug
I've done AWS Assume Role to different account and I have set:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN

Yet, when I execute binary that does:

	fmt.Println("AWS_ACCESS_KEY_ID=" + os.Getenv("AWS_ACCESS_KEY_ID"))
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	fmt.Println(cfg.Credentials)

AWS Access Key ID from os.Getenv and cfg.Credentials don't match.

Version of AWS SDK for Go?
github.com/aws/aws-sdk-go-v2/config v1.1.0

Version of Go (go version)?
go1.15.7 darwin/amd64

To Reproduce (observed behavior)
Use awscli to assume role on another account.
Set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_KEY
Execute code that does:

	fmt.Println("AWS_ACCESS_KEY_ID=" + os.Getenv("AWS_ACCESS_KEY_ID"))
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	fmt.Println(cfg.Credentials)

Output will be something like:

AWS_ACCESS_KEY_ID=ASIA...KQNC
&{{{AKIA...5CLY SBcw...KyON SharedConfigCredentials: /Users/jylitalo/.aws/credentials false {0 0 }}} {0 0} {} {{0 0} map[]}}

Where AKIA...5CLY is my aws_access_key_id in ~/.aws/credentials (instead of the temporary credential from assumed role).

Expected behavior
Output should be something like:

AWS_ACCESS_KEY_ID=ASIA...KQNC
&{{{ASIA...KQNC ...}}

If the environment variables are set, they should override all the settings in ~/.aws.

[jylitalo]

I decided to do bit more extensive study and found out that:

	fmt.Println("AWS_ACCESS_KEY_ID=" + os.Getenv("AWS_ACCESS_KEY_ID"))
	fmt.Printf("len(AWS_SECRET_ACCESS_KEY)=%v\n", len(os.Getenv("AWS_SECRET_ACCESS_KEY")))
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	if err != nil {
		log.Fatal(err)
	}
	provider, err := cfg.Credentials.Retrieve(context.TODO())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("creds.AccessKeyID=" + provider.AccessKeyID)
	fmt.Println("creds.Source=" + provider.Source)
	envcfg, err := config.NewEnvConfig()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("env.AccessKeyID=" + envcfg.Credentials.AccessKeyID)
	fmt.Println("env.SessionToken=" + envcfg.Credentials.SessionToken)
	fmt.Printf("env.HasKeys=%v\n", envcfg.Credentials.HasKeys())
	client := eks.NewFromConfig(cfg)
	resp, err := client.DescribeCluster(
		context.TODO(),
		&eks.DescribeClusterInput{Name: &clusterName},
	)

outputs:

% ./main
AWS_ACCESS_KEY_ID=ASIA...NWI2
len(AWS_SECRET_ACCESS_KEY)=40
creds.AccessKeyID=AKIA...5CLY
creds.Source=SharedConfigCredentials: /Users/jylitalo/.aws/credentials
env.AccessKeyID=ASIA...NWI2
env.SessionToken=Fwo...bRQe
env.HasKeys=true

so it looks like it gets proper information from env config but decides to override it with SharedConfigCredentials.

[jylitalo]

After one more round of experiments, this issue seems to be about AWS_PROFILE.
If I have AWS_PROFILE set, it will ignore my EnvConfig (ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN).
If I unset AWS_PROFILE, then it uses my EnvConfig instead of credentials from ~/.aws.
This is first time, when I've encountered AWS SDK (go v1, ruby v3, boto3, etc.) where AWS_PROFILE as env variable makes application ignore ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

[skmcgrail]

Hey @jylitalo this issue will be fixed in our next release. This was caught and fixed as part of PR #1103.

[jylitalo]

Excellent!
I'll close this one since there is already a merged pull request on issue.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.