From adc6349b28f441cebce69f10bb4e191f5649567c Mon Sep 17 00:00:00 2001
From: Bertrand Paquet
Date: Fri, 19 May 2023 15:37:14 +0200
Subject: [PATCH] Fix AWS Authentication when mixing static creds and IAM profile

When the user supply static creds, we must not enrich them with a session token which is unrelated.

Signed-off-by: Bertrand Paquet
---
 util/buildflags/cache.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/util/buildflags/cache.go b/util/buildflags/cache.go
index 061614db..866ed0ff 100644
--- a/util/buildflags/cache.go
+++ b/util/buildflags/cache.go
@@ -88,6 +88,12 @@ func addAwsCredentials(ci *controllerapi.CacheOptionsEntry) {
 if ci.Type != "s3" {
 return
 }
+ _, okAccessKeyID := ci.Attrs["access_key_id"]
+ _, okSecretAccessKey := ci.Attrs["secret_access_key"]
+ // If the user provides access_key_id, secret_access_key, do not override the session token.
+ if okAccessKeyID && okSecretAccessKey {
+ return
+ }
 ctx := context.TODO()
 awsConfig, err := awsconfig.LoadDefaultConfig(ctx)
 if err != nil {
@@ -97,10 +103,10 @@ func addAwsCredentials(ci *controllerapi.CacheOptionsEntry) {
 if err != nil {
 return
 }
- if _, ok := ci.Attrs["access_key_id"]; !ok && credentials.AccessKeyID != "" {
+ if !okAccessKeyID && credentials.AccessKeyID != "" {
 ci.Attrs["access_key_id"] = credentials.AccessKeyID
 }
- if _, ok := ci.Attrs["secret_access_key"]; !ok && credentials.SecretAccessKey != "" {
+ if !okSecretAccessKey && credentials.SecretAccessKey != "" {
 ci.Attrs["secret_access_key"] = credentials.SecretAccessKey
 }
 if _, ok := ci.Attrs["session_token"]; !ok && credentials.SessionToken != "" {
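Review bot: The new early return in the first hunk fires only when both `access_key_id` and `secret_access_key` are present, so a cache entry that sets just one of them still reaches the default-chain lookup. In that case the second hunk fills the missing half from the ambient identity, and the `session_token` branch can still attach that identity's token, which is the same mixing of unrelated credentials this commit is meant to prevent. If a half-specified pair is never meant to be completed from the ambient chain, the guard could be `if okAccessKeyID || okSecretAccessKey { return }`. The presence test also treats an empty value (for example an unset CI variable expanding to `access_key_id=`) as user-supplied, which would skip the ambient credentials entirely; it is worth confirming that this is intended and saying so in the comment. The body of addAwsCredentials continues outside both hunks.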