@Benbentwo Benbentwo commented Oct 13, 2025

what

  • Bugfix: atmos auth exec and atmos auth env need the default AWS environment variables to function properly. The main implementation had this feature, but it was removed unintentionally while refactoring how the Environment() block was used.

why

  • Allows atmos auth exec -- aws s3 ls and selecting an identity to work as expected.

references

Summary by CodeRabbit

  • New Features

    • Automatically merges AWS file-based environment variables (e.g., profile and config/credentials settings) for Assume Role and Permission Set identities, applied before app-level environment overrides. This improves compatibility with existing AWS CLI configurations.
  • Tests

    • Updated tests to verify inclusion of AWS file-based variables alongside custom configuration variables in the final environment output.

@Benbentwo Benbentwo requested a review from a team as a code owner October 13, 2025 17:07
@github-actions github-actions bot added the size/s (Small size PR) label Oct 13, 2025
@Benbentwo Benbentwo added the patch (A minor, backward compatible change) and bugfix (Change that restores intended behavior) labels Oct 13, 2025

coderabbitai bot commented Oct 13, 2025

Walkthrough

Adds AWS file-based environment resolution to Environment() for assume-role and permission-set identities. Introduces GetProviderName() to derive provider from Via config. Merges AWS file manager-derived env vars before identity config env. Updates tests to set Via.Provider and assert AWS_* variables.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Identity env resolution (runtime): pkg/auth/identities/aws/assume_role.go, pkg/auth/identities/aws/permission_set.go | Environment() now: derives provider via new GetProviderName(); constructs awsCloud.AWSFileManager; retrieves provider/identity-scoped env vars; merges them before config Env. Errors are propagated/joined on file manager creation. |
| Tests: pkg/auth/identities/aws/assume_role_test.go | Test updated to include Via.Provider and to assert presence/values of AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE, AWS_PROFILE, alongside existing custom envs. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Caller
  participant I as Identity.Environment()
  participant P as GetProviderName()
  participant FM as AWSFileManager
  participant AWS as GetEnvironmentVariables()
  
  C->>I: Environment()
  I->>P: Resolve provider (Via.Provider / Via.Identity)
  P-->>I: providerName or error
  alt provider resolved
    I->>FM: NewAWSFileManager()
    alt created
      I->>AWS: GetEnvironmentVariables(providerName, identityName)
      AWS-->>I: [KEY=VAL...]
      I->>I: Merge AWS env -> env map
    else creation failed
      I-->>C: error (joined with ErrAuthAwsFileManagerFailed)
    end
    I->>I: Overlay config Env
    I-->>C: env map
  else error
    I-->>C: error
  end
  note over I,AWS: Applies to assume-role and permission-set identities

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

patch

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title clearly indicates that this pull request fixes the behavior of auth identities to load AWS environment variables by default, which matches the primary change in the code and the intent described in the PR. It specifies that this is a bugfix and limits the scope to AWS-based identities without extraneous detail. The phrasing is concise, informative, and aligned with the pull request’s objective. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/auth/identities/aws/permission_set.go (1)

166-171: Consider adding Via.Identity fallback for consistency.

The GetProviderName() implementation here only checks Via.Provider, while the assume_role.go version also falls back to Via.Identity for chained identities. This inconsistency may limit permission set identities from chaining through other identities.

Verify if permission set identities need to support chaining via Via.Identity. If so, apply this diff:

 func (i *permissionSetIdentity) GetProviderName() (string, error) {
 	if i.config.Via != nil && i.config.Via.Provider != "" {
 		return i.config.Via.Provider, nil
 	}
+	if i.config.Via != nil && i.config.Via.Identity != "" {
+		return i.config.Via.Identity, nil
+	}
 	return "", fmt.Errorf("%w: permission set identity %q has no valid via configuration", errUtils.ErrInvalidIdentityConfig, i.name)
 }
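Review bot: The added fallback at "return i.config.Via.Identity, nil" hands back an identity name from a method called GetProviderName(), so if callers use the result to scope the AWS file lookup (as the sequence diagram's GetEnvironmentVariables(providerName, identityName) call suggests), a chained permission set would be keyed on its parent identity rather than on the root provider. Either resolve the chain down to its provider before returning, or state in the method's doc comment that the value may be an identity name. The two "i.config.Via != nil" checks could also be folded into a single guard around both branches.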
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e289fee and 9a0de9d.

📒 Files selected for processing (3)
  • pkg/auth/identities/aws/assume_role.go (1 hunks)
  • pkg/auth/identities/aws/assume_role_test.go (1 hunks)
  • pkg/auth/identities/aws/permission_set.go (2 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
pkg/**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Place business logic in pkg rather than in cmd

Files:

  • pkg/auth/identities/aws/assume_role_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

**/*_test.go: Write unit tests as table-driven tests focused on behavior; prefer high coverage for pkg/ and internal/exec/; comments must end with periods.
Use t.Skipf with a reason instead of t.Skip; never skip without a reason.
Test files must mirror implementation file names (e.g., aws_ssm_store_test.go pairs with aws_ssm_store.go).

Files:

  • pkg/auth/identities/aws/assume_role_test.go
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

**/*.go: All comments must end with periods across all Go code (godot linter enforced).
Organize imports into three groups (stdlib, 3rd-party, Atmos) separated by blank lines and sorted alphabetically within groups; preserve existing aliases.
Add defer perf.Track(<atmosConfig|nil>, ".")() at the start of all public and critical private functions, followed by a blank line.
All errors must be wrapped using static errors from errors/errors.go; prefer errors.Join for multiple errors, fmt.Errorf with %w for context, and check with errors.Is; never use dynamic errors directly.
Use utils.PrintfMarkdown() to render embedded markdown examples for CLI help output.
Co-locate unit tests with implementation files; integration tests reside under tests/.
Distinguish UI output from logging: UI prompts/status/errors to stderr; data/results to stdout; logging for system/debug info only with structured fields.
Most text UI must go to stderr; only data/results to stdout. Prefer utils.PrintfMessageToTUI for UI messages.
Bind all environment variables with viper.BindEnv(); every env var must have an ATMOS_ alternative binding.
Favor cross-platform code: prefer SDKs over external binaries, use filepath/os/runtime, and handle OS-specific differences or use build tags.
For non-standard execution paths, capture telemetry using telemetry.CaptureCmd or telemetry.CaptureCmdString without collecting user data.
Search for existing methods and utilities (internal/exec, pkg/) before implementing new functionality; prefer reuse/refactoring over duplication.

Files:

  • pkg/auth/identities/aws/assume_role_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
pkg/**/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

Place unit tests for packages under pkg/ as *_test.go files.

Files:

  • pkg/auth/identities/aws/assume_role_test.go
**/!(*_test).go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Document all exported functions, types, and methods with Go doc comments

Files:

  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
🧬 Code graph analysis (3)
pkg/auth/identities/aws/assume_role_test.go (1)
pkg/schema/schema_auth.go (1)
  • IdentityVia (42-45)
pkg/auth/identities/aws/assume_role.go (2)
pkg/auth/cloud/aws/files.go (1)
  • NewAWSFileManager (43-51)
errors/errors.go (1)
  • ErrAuthAwsFileManagerFailed (364-364)
pkg/auth/identities/aws/permission_set.go (2)
pkg/auth/cloud/aws/files.go (1)
  • NewAWSFileManager (43-51)
errors/errors.go (1)
  • ErrAuthAwsFileManagerFailed (364-364)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Analyze (go)
  • GitHub Check: Lint (golangci)
  • GitHub Check: Lint (golangci)
  • GitHub Check: Analyze (go)
  • GitHub Check: Build (windows-latest, windows)
  • GitHub Check: Analyze (go)
  • GitHub Check: Lint (golangci)
  • GitHub Check: Summary
🔇 Additional comments (4)
pkg/auth/identities/aws/assume_role_test.go (1)

72-82: LGTM! Test coverage validates AWS environment variable integration.

The test now properly validates that Environment() includes AWS file-based environment variables alongside custom config vars. The Via.Provider setup and assertions for AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE, and AWS_PROFILE are correct.

pkg/auth/identities/aws/permission_set.go (1)

5-5: Solid implementation of AWS environment variable integration.

The changes correctly merge AWS file-based environment variables before applying identity config vars. Error handling with errors.Join and ErrAuthAwsFileManagerFailed follows the established patterns.

Also applies to: 139-156

pkg/auth/identities/aws/assume_role.go (2)

172-199: Well-implemented AWS environment variable integration.

The Environment() method now correctly merges AWS file-based environment variables before applying identity config vars. The error handling is robust, and the precedence order ensures custom config vars can override AWS defaults.


201-212: Excellent provider resolution logic with proper fallback.

The GetProviderName() method properly handles both direct provider references and chained identity scenarios. The fallback logic ensures flexibility while maintaining clear error messages when neither is configured.
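
The merge order and provider fallback discussed in this review, as an added Go example that is not part of the PR or of the Atmos code base. The Via type, providerName, buildEnv, the base/<provider>/... path layout and the use of the identity name as AWS_PROFILE are assumptions made for illustration; the example also reports which AWS file variables the config overlay replaced, since overriding AWS_SHARED_CREDENTIALS_FILE or AWS_PROFILE changes which credentials a child process picks up.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"sort"
)

type Via struct{ Provider, Identity string } // hypothetical mirror of the Via fields
var errNoVia = errors.New("identity has no valid via configuration")

// providerName prefers Via.Provider and falls back to Via.Identity (chained identity).
func providerName(v *Via) (string, error) {
	if v != nil && v.Provider != "" {
		return v.Provider, nil
	}
	if v != nil && v.Identity != "" {
		return v.Identity, nil
	}
	return "", errNoVia
}

// buildEnv sets the file-based AWS variables first, overlays the identity's config env,
// and reports which AWS variables were replaced. Paths and profile naming are assumed.
func buildEnv(base string, v *Via, identity string, cfg map[string]string) (map[string]string, []string, error) {
	p, err := providerName(v)
	if err != nil {
		return nil, nil, fmt.Errorf("resolve provider for %q: %w", identity, err)
	}
	env := map[string]string{
		"AWS_SHARED_CREDENTIALS_FILE": filepath.Join(base, p, "credentials"),
		"AWS_CONFIG_FILE":             filepath.Join(base, p, "config"),
		"AWS_PROFILE":                 identity,
	}
	var overridden []string
	for k, val := range cfg {
		if old, ok := env[k]; ok && old != val {
			overridden = append(overridden, k)
		}
		env[k] = val
	}
	sort.Strings(overridden)
	return env, overridden, nil
}

func main() { // constructed sample input
	env, over, err := buildEnv("/tmp/example", &Via{Provider: "sso"}, "dev-admin", map[string]string{"AWS_PROFILE": "other"})
	fmt.Println(env["AWS_PROFILE"], over, err)
}
```

A non-empty second return value is worth logging at debug level, because it shows that the identity's own config redirected the profile or credential files away from the file-manager defaults.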

codecov bot commented Oct 13, 2025

Codecov Report

❌ Patch coverage is 60.00000% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.50%. Comparing base (e289fee) to head (9a0de9d).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| pkg/auth/identities/aws/assume_role.go | 60.00% | 4 Missing and 2 partials ⚠️ |
| pkg/auth/identities/aws/permission_set.go | 60.00% | 4 Missing and 2 partials ⚠️ |
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1623      +/-   ##
==========================================
+ Coverage   64.47%   64.50%   +0.02%     
==========================================
  Files         333      333              
  Lines       37303    37331      +28     
==========================================
+ Hits        24052    24080      +28     
+ Misses      11310    11304       -6     
- Partials     1941     1947       +6     
| Flag | Coverage Δ |
| --- | --- |
| unittests | 64.50% <60.00%> (+0.02%) ⬆️ |

| Files with missing lines | Coverage Δ |
| --- | --- |
| pkg/auth/identities/aws/assume_role.go | 84.79% <60.00%> (-2.47%) ⬇️ |
| pkg/auth/identities/aws/permission_set.go | 53.61% <60.00%> (+0.32%) ⬆️ |

... and 2 files with indirect coverage changes

@aknysh aknysh merged commit d72c802 into main Oct 13, 2025
67 of 68 checks passed
@aknysh aknysh deleted the bugfix/env-export branch October 13, 2025 17:32
@github-actions

These changes were released in v1.194.1.
