aws-sdk-go-v2's default credential chain behaviour differs from botocore #2794

Closed
@bhops

Describe the bug

I ran into an interesting set of behaviour trying to debug why something using the aws-sdk-go-v2 was resulting in different AWS credentials being used under identical circumstances as awscliv2. After some pretty extensive debugging I found this particular section of code in botocore.

This code appears to disable the Environment Variables provider in the Python SDK when AWS_PROFILE is set. This does not happen in aws-sdk-go-v2. It's not clear to me which SDK is performing the correct behaviour.

Expected Behavior

Setting AWS_PROFILE should take precedence over AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE as it does with botocore and awscli when using the default credential chains.

Current Behavior

Setting AWS_PROFILE has no effect when AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are both set, and no warning or error is displayed warning the user that the usage of AWS_PROFILE was ineffective.

Reproduction Steps

This can be reproduced with code like the following:

	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		return nil, err
	}

and setting the AWS_ROLE_ARN, AWS_PROFILE and AWS_WEB_IDENTITY_TOKEN_FILE environment variables. Regardless of what AWS_PROFILE is set to, the Web Identity credentials will be used and no error will be raised.

Possible Solution

The Go SDK should mirror the behaviour of botocore, allowing AWS_PROFILE to override other credentials set via environment variables.

Additional Information/Context

I was able to address this by changing the code to

	var loadOptions = []func(*config.LoadOptions) error{}
	awsProfile := os.Getenv("AWS_PROFILE")
	if awsProfile != "" {
		loadOptions = append(loadOptions, config.WithSharedConfigProfile(awsProfile))
	}
	cfg, err := config.LoadDefaultConfig(context.TODO(), loadOptions...)
	if err != nil {
		return nil, err
	}

but it feels like the different SDKs should have similar behaviour.

AWS Go SDK V2 Module Versions Used

go.mod contents for github.com/aws/*

github.com/aws/aws-sdk-go-v2 v1.30.5
github.com/aws/aws-sdk-go-v2/config v1.27.33
github.com/aws/aws-sdk-go-v2/service/cloudformation v1.53.7
github.com/aws/smithy-go v1.20.4
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect

Compiler and Version used

go1.22.1

Operating System and version

n/a
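
A start-up guard for the combination described in this issue, added here as an example (not code from the issue or from aws-sdk-go-v2). `Audit`, `AuditEnv`, `ExplicitProfile` and `ErrShadowed` are hypothetical names; the code uses only the standard library, and the returned profile is meant to be passed to `config.WithSharedConfigProfile` as in the workaround above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// ErrShadowed marks the combination from the issue: AWS_PROFILE is set, but
// the web identity variables are too, so the profile would not be used.
var ErrShadowed = errors.New("AWS_PROFILE shadowed by web identity environment variables")

// Audit records which credential hints the environment carries.
type Audit struct {
	Profile     string // AWS_PROFILE, "" when unset
	WebIdentity bool   // AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE both set
	Shadowed    bool   // both of the above at once
}

// AuditEnv takes a getenv function so it can be tested without touching the
// process environment.
func AuditEnv(getenv func(string) string) Audit {
	a := Audit{Profile: getenv("AWS_PROFILE")}
	a.WebIdentity = getenv("AWS_ROLE_ARN") != "" && getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != ""
	a.Shadowed = a.Profile != "" && a.WebIdentity
	return a
}

// ExplicitProfile returns the profile name to hand to
// config.WithSharedConfigProfile, as the workaround in the issue does.
// With strict set it fails closed on the shadowed combination instead.
func ExplicitProfile(getenv func(string) string, strict bool) (string, error) {
	a := AuditEnv(getenv)
	if a.Shadowed && strict {
		return "", fmt.Errorf("%w: profile %q vs role %q",
			ErrShadowed, a.Profile, getenv("AWS_ROLE_ARN"))
	}
	return a.Profile, nil
}

func main() {
	profile, err := ExplicitProfile(os.Getenv, true)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("explicit profile to pin: %q\n", profile)
}
```

In non-strict mode the guard only returns the profile to pin, so the caller can log `Audit.Shadowed` and still proceed with the explicit profile.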
