fix: address CodeRabbit review feedback for ambient credential support

- Propagate context in AuthenticateStandaloneAmbient instead of using context.Background()
- Reject `via` configuration on aws/ambient identity (fail fast in constructor)
- Preserve SDK-resolved region when no explicit region is configured
- Add pr: 2254 to roadmap milestone

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: osterman

pkg/auth/identities/ambient/ambient.go

@@ -138,7 +138,7 @@ func IsStandaloneAmbientChain(chain []string, identities map[string]schema.Ident
 }
 
 // AuthenticateStandaloneAmbient handles authentication for standalone ambient identities.
-func AuthenticateStandaloneAmbient(_ context.Context, identityName string, identities map[string]types.Identity) (types.ICredentials, error) {
+func AuthenticateStandaloneAmbient(ctx context.Context, identityName string, identities map[string]types.Identity) (types.ICredentials, error) {
 	defer perf.Track(nil, "ambient.AuthenticateStandaloneAmbient")()
 
 	log.Debug("Authenticating ambient identity directly", logKeyIdentityAmbient, identityName)
@@ -149,7 +149,7 @@ func AuthenticateStandaloneAmbient(_ context.Context, identityName string, ident
 	}
 
 	// Ambient identities return nil credentials — they don't manage credentials.
-	credentials, err := identity.Authenticate(context.Background(), nil)
+	credentials, err := identity.Authenticate(ctx, nil)
 	if err != nil {
 		return nil, fmt.Errorf("%w: ambient identity %q authentication failed: %w", errUtils.ErrAuthenticationFailed, identityName, err)
 	}

pkg/auth/identities/aws/ambient.go

@@ -40,6 +40,9 @@ func NewAWSAmbientIdentity(name string, config *schema.Identity) (types.Identity
 	if config.Kind != awsAmbientKind {
 		return nil, fmt.Errorf("%w: invalid identity kind for aws/ambient: %s", errUtils.ErrInvalidIdentityKind, config.Kind)
 	}
+	if config.Via != nil {
+		return nil, fmt.Errorf("%w: aws/ambient identity %q must not define via", errUtils.ErrInvalidIdentityConfig, name)
+	}
 
 	return &awsAmbientIdentity{
 		name:   name,
@@ -90,6 +93,12 @@ func (i *awsAmbientIdentity) Authenticate(ctx context.Context, _ types.ICredenti
 			errUtils.ErrLoadAWSConfig, i.name, err)
 	}
 
+	// Fall back to SDK-resolved region when no explicit region is configured.
+	resolvedRegion := region
+	if resolvedRegion == "" {
+		resolvedRegion = cfg.Region
+	}
+
 	// Retrieve credentials from the resolved config.
 	creds, err := cfg.Credentials.Retrieve(ctx)
 	if err != nil {
@@ -108,7 +117,7 @@ func (i *awsAmbientIdentity) Authenticate(ctx context.Context, _ types.ICredenti
 		AccessKeyID:     creds.AccessKeyID,
 		SecretAccessKey: creds.SecretAccessKey,
 		SessionToken:    creds.SessionToken,
-		Region:          region,
+		Region:          resolvedRegion,
 	}
 
 	// Set expiration if available.

pkg/auth/identities/aws/ambient_test.go

@@ -47,6 +47,16 @@ func TestNewAWSAmbientIdentity(t *testing.T) {
 			wantErr:   true,
 			errSubstr: "invalid identity kind",
 		},
+		{
+			name:   "via is rejected",
+			idName: "bad",
+			config: &schema.Identity{
+				Kind: "aws/ambient",
+				Via:  &schema.IdentityVia{Identity: "base-identity"},
+			},
+			wantErr:   true,
+			errSubstr: "must not define via",
+		},
 	}
 
 	for _, tt := range tests {
@@ -317,9 +327,32 @@ func TestAWSAmbientIdentityAuthenticateWithoutRegion(t *testing.T) {
 	awsCreds, ok := creds.(*types.AWSCredentials)
 	require.True(t, ok)
 	assert.Equal(t, "AKIAIOSFODNN7EXAMPLE", awsCreds.AccessKeyID)
+	// No explicit region and /dev/null config means SDK resolves no region either.
 	assert.Empty(t, awsCreds.Region)
 }
 
+func TestAWSAmbientIdentityAuthenticateSDKResolvedRegion(t *testing.T) {
+	// Set credentials via env vars but region only via AWS_DEFAULT_REGION
+	// (not in principal config). The SDK resolves this region, and it should
+	// be preserved in the returned credentials.
+	t.Setenv("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE")
+	t.Setenv("AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
+	t.Setenv("AWS_DEFAULT_REGION", "ap-southeast-1")
+	t.Setenv("AWS_CONFIG_FILE", "/dev/null")
+	t.Setenv("AWS_SHARED_CREDENTIALS_FILE", "/dev/null")
+
+	identity, err := NewAWSAmbientIdentity("test", &schema.Identity{Kind: "aws/ambient"})
+	require.NoError(t, err)
+
+	creds, err := identity.Authenticate(context.Background(), nil)
+	require.NoError(t, err)
+	require.NotNil(t, creds)
+
+	awsCreds, ok := creds.(*types.AWSCredentials)
+	require.True(t, ok)
+	assert.Equal(t, "ap-southeast-1", awsCreds.Region, "SDK-resolved region should be preserved")
+}
+
 func TestAWSAmbientIdentityCredentialsExist(t *testing.T) {
 	t.Setenv("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE")
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")