fix: support all standard AWS credential sources (#219)

Fixes: #218

Author: isometry

env.go

@@ -199,10 +199,11 @@ func getEcrToken(provider *ecrContext) (username, password string, err error) {
 			_, _ = fmt.Fprintf(os.Stderr, "AWS profile %q (Account: %s)\n", profile, provider.AccountID)
 		}
 		extraOpts = append(extraOpts, config.WithSharedConfigProfile(profile))
-	} else {
-		// If no profile is specified, use the ecrContext provider to load credentials
+	} else if provider.HasAccountSuffixedCredentials() {
+		// Only use custom provider if account-suffixed access-key credentials exist
 		extraOpts = append(extraOpts, config.WithCredentialsProvider(aws.NewCredentialsCache(provider)))
 	}
+	// If neither profile nor account-suffixed credentials, use default AWS credential chain
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
 	defer cancel()

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/aws/smithy-go v1.22.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
 )

go.sum

@@ -47,8 +47,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

provider_aws.go

@@ -24,8 +24,23 @@ type ecrContext struct {
 	Region    string
 }
 
-// Retrieve fetches AWS credentials either from account-specific environment variables
-// or falls back to standard AWS environment variables if account-specific ones are not found.
+// HasAccountSuffixedCredentials checks if account-specific environment variables exist.
+// Returns true if `_ACCOUNT_ID`-suffixed AWS credential environment variables are found.
+func (p *ecrContext) HasAccountSuffixedCredentials() bool {
+	if p.AccountID == "" {
+		return false
+	}
+
+	suffix := "_" + p.AccountID
+
+	// Check for any suffixed environment variables
+	_, hasAccessKey := os.LookupEnv(envAwsAccessKeyID + suffix)
+	_, hasSecretKey := os.LookupEnv(envAwsSecretAccessKey + suffix)
+
+	return hasAccessKey && hasSecretKey
+}
+
+// Retrieve fetches AWS credentials from account-specific environment variables.
 // This method implements the aws.CredentialsProvider interface.
 func (p *ecrContext) Retrieve(_ context.Context) (out aws.Credentials, err error) {
 	if p.AccountID == "" {
@@ -49,44 +64,20 @@ func (p *ecrContext) Retrieve(_ context.Context) (out aws.Credentials, err error
 	secretAccessKey := os.Getenv(envAwsSecretAccessKey + suffix)
 	sessionToken := os.Getenv(envAwsSessionToken + suffix)
 
-	// If ANY suffixed credentials exist, require ALL mandatory suffixed credentials
-	if accessKeyID != "" || secretAccessKey != "" || sessionToken != "" {
-		// If using suffixed credentials, both the access-key and secret key must be present
-		if accessKeyID == "" {
-			return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", envAwsAccessKeyID+suffix)
-		}
-		if secretAccessKey == "" {
-			return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", envAwsSecretAccessKey+suffix)
-		}
-
-		// Use only the suffixed credentials
-		out = aws.Credentials{
-			AccessKeyID:     accessKeyID,
-			SecretAccessKey: secretAccessKey,
-			SessionToken:    sessionToken, // Session token is optional, can be empty
-			Source:          fmt.Sprintf("Suffixed AWS Environment (Account: %s)", p.AccountID),
-		}
-		return out, nil
-	}
-
-	// No suffixed credentials found, fall back to standard AWS credentials
-	accessKeyID = os.Getenv(envAwsAccessKeyID)
-	secretAccessKey = os.Getenv(envAwsSecretAccessKey)
-	sessionToken = os.Getenv(envAwsSessionToken)
-
-	// Check if standard credentials are available
+	// If using suffixed credentials, both the access-key and secret key must be present
 	if accessKeyID == "" {
-		return aws.Credentials{}, errors.New("ecrContext: no account credentials found and standard AWS_ACCESS_KEY_ID not found")
+		return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", envAwsAccessKeyID+suffix)
 	}
 	if secretAccessKey == "" {
-		return aws.Credentials{}, errors.New("ecrContext: no account credentials found and standard AWS_SECRET_ACCESS_KEY not found")
+		return aws.Credentials{}, fmt.Errorf("ecrContext: environment variable %s not found", envAwsSecretAccessKey+suffix)
 	}
 
+	// Use only the suffixed credentials
 	out = aws.Credentials{
 		AccessKeyID:     accessKeyID,
 		SecretAccessKey: secretAccessKey,
-		SessionToken:    sessionToken,
-		Source:          fmt.Sprintf("Standard AWS Environment (Account: %s)", p.AccountID),
+		SessionToken:    sessionToken, // Session token is optional, can be empty
+		Source:          fmt.Sprintf("Suffixed AWS Environment (Account: %s)", p.AccountID),
 	}
 	return out, nil
 }

provider_aws_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"errors"
+	"fmt"
 	"testing"
 )
 
@@ -30,13 +31,13 @@ func TestECRContext_Retrieve(t *testing.T) {
 			},
 		},
 		{
-			name:        "Missing access key with session token present",
-			accountID:   "123456789012",
-			expectedErr: errors.New("ecrContext: environment variable AWS_ACCESS_KEY_ID_123456789012 not found"),
+			name:      "Missing access key with session token present",
+			accountID: "123456789012",
 			envVars: map[string]string{
 				"AWS_SESSION_TOKEN_123456789012":     "AQoEXAMPLEH4...",
 				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
 			},
+			expectedErr: errors.New("ecrContext: environment variable AWS_ACCESS_KEY_ID_123456789012 not found"),
 		},
 		{
 			name:        "Missing secret key with access key present",
@@ -47,25 +48,13 @@ func TestECRContext_Retrieve(t *testing.T) {
 			},
 		},
 		{
-			name:        "Missing both keys - fallback to standard AWS credentials",
-			accountID:   "123456789012",
-			expectedErr: errors.New("ecrContext: no account credentials found and standard AWS_ACCESS_KEY_ID not found"),
-		},
-		{
-			name:      "Valid credentials in FedRAMP",
-			accountID: "123456789012",
-			envVars: map[string]string{
-				"AWS_ACCESS_KEY_ID_123456789012":     "AKIA...",
-				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
-			},
-		},
-		{
-			name:      "Standard AWS credentials when no suffixed vars exist",
+			name:      "No suffixed credentials",
 			accountID: "123456789012",
 			envVars: map[string]string{
 				"AWS_ACCESS_KEY_ID":     "STD-AKIA...",
 				"AWS_SECRET_ACCESS_KEY": "STD-wJalr...",
 			},
+			expectedErr: fmt.Errorf("ecrContext: environment variable %s not found", envAwsAccessKeyID+"_123456789012"),
 		},
 	}
 	for _, tc := range useCases {
@@ -122,3 +111,89 @@ func TestECRContext_Retrieve(t *testing.T) {
 		})
 	}
 }
+
+func TestECRContext_HasAccountSuffixedCredentials(t *testing.T) {
+	useCases := []struct {
+		name      string
+		accountID string
+		envVars   map[string]string
+		expected  bool
+	}{
+		{
+			name:      "Has suffixed credentials for account",
+			accountID: "123456789012",
+			envVars: map[string]string{
+				"AWS_ACCESS_KEY_ID_123456789012":     "AKIA...",
+				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
+			},
+			expected: true,
+		},
+		{
+			name:      "No credentials",
+			accountID: "123456789012",
+			envVars:   map[string]string{},
+			expected:  false,
+		},
+		{
+			name:      "Has suffixed access key only",
+			accountID: "123456789012",
+			envVars: map[string]string{
+				"AWS_ACCESS_KEY_ID_123456789012": "AKIA...",
+			},
+			expected: false,
+		},
+		{
+			name:      "Has suffixed secret key only",
+			accountID: "123456789012",
+			envVars: map[string]string{
+				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
+			},
+			expected: false,
+		},
+		{
+			name:      "Has non-suffixed credentials for account",
+			accountID: "123456789012",
+			envVars: map[string]string{
+				"AWS_ACCESS_KEY_ID":     "AKIA...",
+				"AWS_SECRET_ACCESS_KEY": "wJalr...",
+			},
+			expected: false,
+		},
+		{
+			name:      "Has suffixed credentials for no account",
+			accountID: "",
+			envVars: map[string]string{
+				"AWS_ACCESS_KEY_ID_123456789012":     "AKIA...",
+				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
+			},
+			expected: false,
+		},
+		{
+			name:      "Has suffixed credentials for different account",
+			accountID: "987654321098",
+			envVars: map[string]string{
+				"AWS_ACCESS_KEY_ID_123456789012":     "AKIA...",
+				"AWS_SECRET_ACCESS_KEY_123456789012": "wJalr...",
+			},
+			expected: false,
+		},
+	}
+
+	for _, tc := range useCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Set environment variables
+			for k, v := range tc.envVars {
+				t.Setenv(k, v)
+			}
+
+			provider := &ecrContext{
+				AccountID: tc.accountID,
+			}
+
+			result := provider.HasAccountSuffixedCredentials()
+			if result != tc.expected {
+				t.Errorf("expected %v but got %v", tc.expected, result)
+			}
+		})
+	}
+}