fix: prevent IRSA credentials from overriding Atmos-managed credentials on EKS pods

[osterman]

what

• Prevent IRSA/pod-injected AWS env vars from overriding Atmos-managed credentials in subprocess execution
• Pass os.Environ() through PrepareShellEnvironment to sanitize it (delete problematic vars), then pass the sanitized env to subprocess via WithBaseEnv — avoiding re-reading os.Environ() which would reintroduce IRSA vars
• Add SanitizedBaseEnv field to ConfigAndStacksInfo to carry sanitized environment through the hooks→terraform/helmfile/packer pipeline
• Add WithBaseEnv variadic option to ExecuteShellCommand for backward-compatible sanitized env injection
• Fix auth exec and auth shell to use sanitized env directly instead of re-reading os.Environ()

why

On EKS pods with IRSA (IAM Roles for Service Accounts), the pod identity webhook injects AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, and AWS_ROLE_SESSION_NAME into the pod environment. When using Atmos auth on ARC (Actions Runner Controller), these IRSA vars leaked into terraform subprocesses because three code paths re-read os.Environ() after auth sanitization:

1. Hooks path (terraform/helmfile/packer): authenticateAndWriteEnv only passed ComponentEnvSection (stack YAML vars) to PrepareShellEnvironment — IRSA vars weren't in the input so delete() was a no-op. Then ExecuteShellCommand re-read os.Environ() as the base.
2. auth exec: executeCommandWithEnv re-read os.Environ() to build subprocess env.
3. auth shell: ExecAuthShellCommand → MergeSystemEnvSimpleWithGlobal re-read os.Environ().

AWS SDK credential chain gives web identity tokens higher precedence than shared credential files, so the pod's runner role was used instead of the Atmos-managed tfplan role, causing AccessDenied errors.

Approach

Instead of setting cleared vars to empty string (which pollutes the subprocess env), we pass a clean, sanitized environment:

1. authenticateAndWriteEnv now passes os.Environ() + ComponentEnvSection to PrepareShellEnvironment, which deletes problematic keys
2. The sanitized result is stored as SanitizedBaseEnv on ConfigAndStacksInfo
3. ExecuteShellCommand accepts WithBaseEnv(info.SanitizedBaseEnv) to use the sanitized env instead of re-reading os.Environ()
4. auth exec and auth shell pass sanitized env directly to subprocess, bypassing the re-read

references

Fixes credential precedence conflict where IRSA vars override Atmos-managed credentials on EKS pods running ARC (DEV-4216)

Summary by CodeRabbit

• Bug Fixes

  • Prevented AWS IRSA env vars from leaking into subprocesses by sanitizing auth-related variables (overridden with empty values) so spawned commands use Atmos credentials.
  • Ensured credential-chain caching no longer skips the final role, forcing proper re-authentication when needed.

• Refactor

  • Preserve and propagate a sanitized environment end-to-end for shell/exec paths so child processes receive the corrected env list.

• Tests

  • Updated and added tests to validate env sanitization and subprocess propagation.

• Documentation

  • Added guidance describing the credential-chain caching fix and expected behavior.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 908093a.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds IRSA-related AWS vars to the problematic list and switches PrepareEnvironment to set problematic AWS env vars to empty strings. Propagates a pre-sanitized []string environment through exec plumbing so subprocesses receive the sanitized env unchanged. Tests updated.

Changes

Cohort / File(s)	Summary
AWS IRSA Credential Isolation pkg/auth/cloud/aws/env.go	Adds AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME to problematic AWS vars and changes cleanup to set them to "" instead of deleting keys.
AWS env tests pkg/auth/cloud/aws/env_test.go, pkg/auth/cloud/aws/setup_test.go	Adds IRSA-leak prevention test and updates expectations to assert empty-string overrides for AWS credential and IRSA vars instead of removal.
Auth exec / shell plumbing cmd/auth_exec.go, cmd/auth_shell.go, cmd/auth_exec_test.go	Passes sanitized []string env through auth execution instead of converting to map[string]string; tests updated to use []string subprocess patterns.
Internal exec API & callers internal/exec/shell_utils.go, internal/exec/shell_utils_test.go, internal/exec/...	Introduces WithEnvironment([]string) and processEnv []string; updates ExecuteShellCommand/ExecAuthShellCommand to accept/use sanitized env; forwards info.SanitizedEnv from callers.
Command pipeline changes internal/exec/terraform_execute_helpers.go, internal/exec/terraform_execute_helpers_exec.go	Propagates variadic ShellCommandOption through init/workspace setup, forwards options into ExecuteShellCommand, adds workspace fallback (workspace new) logic.
Exec callers minor updates internal/exec/helmfile.go, internal/exec/packer.go, internal/exec/terraform.go	Pass WithEnvironment(info.SanitizedEnv) into final ExecuteShellCommand calls.
Test runtime helper cmd/testing_main_test.go	Adds early-exit test branch (_ATMOS_TEST_EXIT_ONE) used by subprocess tests.
Docs docs/fixes/2026-03-23-auth-credential-chain-skipping-assume-role.md	New documentation describing credential-chain caching bug and fix (doc-only).
Manifest go.mod	Minor manifest edits.

Sequence Diagram(s)

sequenceDiagram
    rect rgba(0,128,0,0.5)
    participant User
    end
    rect rgba(0,0,255,0.5)
    participant Atmos
    end
    rect rgba(255,165,0,0.5)
    participant AuthMgr
    end
    rect rgba(128,0,128,0.5)
    participant Exec
    end
    rect rgba(255,0,0,0.5)
    participant Subprocess
    end

    User->>Atmos: invoke auth/shell/terraform command
    Atmos->>AuthMgr: PrepareEnvironment() -> sanitizedEnv ([]string)
    AuthMgr-->>Atmos: return sanitizedEnv
    Atmos->>Exec: ExecuteShellCommand / ExecAuthShellCommand(with sanitizedEnv)
    Exec->>Subprocess: start subprocess with Env = sanitizedEnv + ATMOS_* mutations
    Subprocess-->>User: run tool/shell with sanitized environment

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Restore PATH inheritance in workflow shell commands #1719: Related updates to passing sanitized env lists and ExecAuthShellCommand environment handling.
• feat: Add multiple terraform output formats for CI integration #1885: Related changes converting auth env representation from map to []string and plumbing through exec paths.
• Isolate AWS env vars during authentication #1654: Related AWS env isolation logic touching pkg/auth/cloud/aws/env.go.

Suggested reviewers

• aknysh

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main fix: preventing IRSA credentials from overriding Atmos-managed credentials on EKS pods, which is central to the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 80.95% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch osterman/auth-web-identity-irsa

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/auth/cloud/aws/env_test.go (1)

634-641: Replace custom indexOf with strings.IndexByte.

The indexOf function duplicates strings.IndexByte — no need for a custom helper. Your Go version (1.26) supports the for i := range len(s) syntax without issue.

Replace the function and its usage:

• Line 612: change indexOf(entry, '=') to strings.IndexByte(entry, '=')
• Lines 634-641: remove the custom function
• Add "strings" to imports if needed

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/auth/cloud/aws/env_test.go` around lines 634 - 641, The custom indexOf
function duplicates standard library functionality; replace calls to
indexOf(entry, '=') with strings.IndexByte(entry, '=') and delete the indexOf
function definition (function name: indexOf). Ensure the "strings" package is
imported (add to imports if missing) and remove the now-unused indexOf symbol so
the test file builds cleanly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/auth/cloud/aws/env_test.go`:
- Around line 634-641: The custom indexOf function duplicates standard library
functionality; replace calls to indexOf(entry, '=') with
strings.IndexByte(entry, '=') and delete the indexOf function definition
(function name: indexOf). Ensure the "strings" package is imported (add to
imports if missing) and remove the now-unused indexOf symbol so the test file
builds cleanly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 964c0740-0aca-46ba-9c1d-f8be609d9e89

📥 Commits

Reviewing files that changed from the base of the PR and between 6d1f475 and a0ec9e6.

📒 Files selected for processing (3)

• pkg/auth/cloud/aws/env.go
• pkg/auth/cloud/aws/env_test.go
• pkg/auth/cloud/aws/setup_test.go

[github-actions]

These changes were released in v1.208.1-test.0.

[codecov]

Codecov Report

❌ Patch coverage is 86.53846% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.22%. Comparing base (ce67b78) to head (908093a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/exec/shell_utils.go	71.42%	2 Missing and 2 partials ⚠️
internal/exec/helmfile.go	0.00%	1 Missing ⚠️
internal/exec/terraform_execute_helpers_exec.go	85.71%	0 Missing and 1 partial ⚠️
pkg/list/utils/utils.go	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2143      +/-   ##
==========================================
+ Coverage   77.19%   77.22%   +0.03%     
==========================================
  Files        1015     1015              
  Lines       96065    96087      +22     
==========================================
+ Hits        74158    74204      +46     
+ Misses      17717    17696      -21     
+ Partials     4190     4187       -3     

Flag	Coverage Δ
unittests	77.22% <86.53%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
cmd/auth_exec.go	84.00% <100.00%> (-1.33%)	⬇️
cmd/auth_shell.go	57.30% <100.00%> (-2.70%)	⬇️
internal/exec/packer.go	63.75% <100.00%> (+0.24%)	⬆️
internal/exec/terraform.go	79.48% <100.00%> (+0.26%)	⬆️
internal/exec/terraform_execute_helpers.go	75.86% <100.00%> (+0.09%)	⬆️
pkg/auth/cloud/aws/env.go	100.00% <ø> (ø)
pkg/auth/hooks.go	83.84% <100.00%> (+2.10%)	⬆️
pkg/auth/manager_chain.go	89.04% <100.00%> (-0.55%)	⬇️
pkg/schema/schema.go	87.70% <ø> (ø)
internal/exec/helmfile.go	9.52% <0.00%> (-0.05%)	⬇️
... and 3 more

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

These changes were released in v1.208.1-test.1.

[mergify]

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

[github-actions]

These changes were released in v1.211.1-test.3.

[mergify]

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

[coderabbitai]

🧹 Nitpick comments (3)

pkg/list/utils/check_component_test.go (2)

9-13: Add at least one behavior-level test for CheckComponentExists (non-empty path).

Right now most coverage is on componentExistsInStacks. Consider adding a seam (DI/function var) so the exported function can be tested as the contract surface, not just its helper.

Based on learnings "Test behavior, not implementation. Never test stub functions. Avoid tautological tests. Make code testable via dependency injection."

Also applies to: 15-140

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/list/utils/check_component_test.go` around lines 9 - 13, The exported
CheckComponentExists currently only has an empty-name test; add a behavior-level
test for non-empty paths by introducing a seam (e.g., a function variable or
dependency injection) so you can stub componentExistsInStacks during tests and
assert CheckComponentExists returns true/false based on the stub; modify the
implementation to call an injectable function (keep original
componentExistsInStacks as default) and add a test that sets the injected
function to return both true and false to verify the exported contract via
CheckComponentExists (referencing CheckComponentExists and
componentExistsInStacks).

---

15-140: Consolidate these cases into a table-driven test.

The scenarios are solid, but they’re repetitive. A single table-driven test will be shorter and easier to extend.

As per coding guidelines "Use table-driven tests for testing multiple scenarios in Go".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/list/utils/check_component_test.go` around lines 15 - 140, The tests are
repetitive—replace the multiple TestComponentExistsInStacks_* functions with a
single table-driven test named TestComponentExistsInStacks that defines a slice
of test cases (fields: name, stacks map[string]any, component string, want
bool), include all existing scenarios (EmptyMap, InvalidStackData,
NoComponentsKey, InvalidComponentsType, InvalidComponentTypeMap,
ComponentNotFound, ComponentFound, ComponentFoundInSecondStack,
MixedValidInvalidStacks) as cases, iterate cases with t.Run(case.name, func(t
*testing.T) { result := componentExistsInStacks(case.stacks, case.component);
assert.Equal(t, case.want, result) }) and delete the old individual test
functions; keep referencing componentExistsInStacks to locate the logic to test.

pkg/list/utils/utils.go (1)

39-39: Use shared constant for the components key.

Prefer cfg.ComponentsSectionName instead of the string literal "components" so this stays aligned with stack-shape producers in internal/exec.

♻️ Suggested tweak

 import (
+	cfg "github.com/cloudposse/atmos/pkg/config"
 	e "github.com/cloudposse/atmos/internal/exec"
 	"github.com/cloudposse/atmos/pkg/list/errors"
 	"github.com/cloudposse/atmos/pkg/schema"
 )
@@
-		componentsMap, ok := stackMap["components"].(map[string]interface{})
+		componentsMap, ok := stackMap[cfg.ComponentsSectionName].(map[string]interface{})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/list/utils/utils.go` at line 39, Replace the hard-coded "components" key
lookup with the shared constant by using cfg.ComponentsSectionName when
extracting componentsMap from stackMap (the expression that currently reads
stackMap["components"].(map[string]interface{})); update the lookup where
componentsMap is assigned so it uses cfg.ComponentsSectionName to keep key usage
consistent with internal/exec producers.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/list/utils/check_component_test.go`:
- Around line 9-13: The exported CheckComponentExists currently only has an
empty-name test; add a behavior-level test for non-empty paths by introducing a
seam (e.g., a function variable or dependency injection) so you can stub
componentExistsInStacks during tests and assert CheckComponentExists returns
true/false based on the stub; modify the implementation to call an injectable
function (keep original componentExistsInStacks as default) and add a test that
sets the injected function to return both true and false to verify the exported
contract via CheckComponentExists (referencing CheckComponentExists and
componentExistsInStacks).
- Around line 15-140: The tests are repetitive—replace the multiple
TestComponentExistsInStacks_* functions with a single table-driven test named
TestComponentExistsInStacks that defines a slice of test cases (fields: name,
stacks map[string]any, component string, want bool), include all existing
scenarios (EmptyMap, InvalidStackData, NoComponentsKey, InvalidComponentsType,
InvalidComponentTypeMap, ComponentNotFound, ComponentFound,
ComponentFoundInSecondStack, MixedValidInvalidStacks) as cases, iterate cases
with t.Run(case.name, func(t *testing.T) { result :=
componentExistsInStacks(case.stacks, case.component); assert.Equal(t, case.want,
result) }) and delete the old individual test functions; keep referencing
componentExistsInStacks to locate the logic to test.

In `@pkg/list/utils/utils.go`:
- Line 39: Replace the hard-coded "components" key lookup with the shared
constant by using cfg.ComponentsSectionName when extracting componentsMap from
stackMap (the expression that currently reads
stackMap["components"].(map[string]interface{})); update the lookup where
componentsMap is assigned so it uses cfg.ComponentsSectionName to keep key usage
consistent with internal/exec producers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 83d5a33c-7d4e-4c1b-9391-8c799f6581d3

📥 Commits

Reviewing files that changed from the base of the PR and between a46a976 and 280f1e4.

📒 Files selected for processing (3)

• internal/exec/describe_dependents.go
• pkg/list/utils/check_component_test.go
• pkg/list/utils/utils.go

[github-actions]

These changes were released in v1.213.0-test.0.

[github-actions]

These changes were released in v1.213.0-test.3.

[github-actions]

These changes were released in v1.213.0-test.4.

[github-actions]

These changes were released in v1.212.1-rc.1.