fix(aws): do not load creds from env vars (#2509)

migmartri · web-flow · commit 186888f335d4 · 2025-11-03T20:16:59.000+01:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	entgo.io/ent v0.14.4
 	github.com/adrg/xdg v0.4.0
 	github.com/aws/aws-sdk-go-v2 v1.39.4
-	github.com/aws/aws-sdk-go-v2/config v1.31.15
+	github.com/aws/aws-sdk-go-v2/config v1.31.15 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.19
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6
 	github.com/aws/aws-sdk-go-v2/service/sso v1.29.8
diff --git a/pkg/blobmanager/s3/backend.go b/pkg/blobmanager/s3/backend.go
@@ -26,7 +26,6 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
@@ -72,16 +71,11 @@ func NewBackend(creds *Credentials) (*Backend, error) {
 		return nil, fmt.Errorf("failed to parse bucket name: %w", err)
 	}
 
-	// Configure AWS config with v2 SDK
-	cfg, err := config.LoadDefaultConfig(
-		context.TODO(),
-		config.WithRegion(region),
-		config.WithCredentialsProvider(
-			credentials.NewStaticCredentialsProvider(creds.AccessKeyID, creds.SecretAccessKey, ""),
-		),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load AWS config: %w", err)
+	// Using AWS config directly instead of using config.LoadDefaultConfig
+	// to avoid the default credential chain and use only the static credentials
+	cfg := aws.Config{
+		Region:      region,
+		Credentials: credentials.NewStaticCredentialsProvider(creds.AccessKeyID, creds.SecretAccessKey, ""),
 	}
 
 	// Create S3 client with custom options if needed
diff --git a/pkg/credentials/aws/secretmanager.go b/pkg/credentials/aws/secretmanager.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,7 +24,6 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/config"
 	awscreds "github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/sso/types"
@@ -67,15 +66,11 @@ func NewManager(opts *NewManagerOpts) (*Manager, error) {
 	logger := servicelogger.ScopedHelper(l, "credentials/aws-secrets-manager")
 	logger.Infow("msg", "configuring secrets-manager", "region", opts.Region, "role", opts.Role, "prefix", opts.SecretPrefix)
 
-	config, err := config.LoadDefaultConfig(
-		context.TODO(),
-		config.WithRegion(opts.Region),
-		config.WithCredentialsProvider(
-			awscreds.NewStaticCredentialsProvider(opts.AccessKey, opts.SecretKey, ""),
-		),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("loading AWS config: %w", err)
+	// Using AWS config directly instead of using config.LoadDefaultConfig
+	// to avoid the default credential chain and use only the static credentials
+	config := aws.Config{
+		Region:      opts.Region,
+		Credentials: awscreds.NewStaticCredentialsProvider(opts.AccessKey, opts.SecretKey, ""),
 	}
 
 	return &Manager{
