Skip to content

Fix default profile handling when parsing AWS configuration files #727

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
omus merged 7 commits into from
Jul 3, 2025
Merged

Fix default profile handling when parsing AWS configuration files #727

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
9ecfe5a
Improve AWS config support for `source_profile`
omus Jul 2, 2025
a30b1b6
fixup
omus Jul 2, 2025
b21f568
Make tests specificially unit tests
omus Jul 2, 2025
06f947c
fixup
omus Jul 2, 2025
b8c5231
fixup
omus Jul 2, 2025
b2a6268
Make resursive profile merging optional
omus Jul 2, 2025
464909b
Inheriting is not supported
omus Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 14 additions & 3 deletions src/utilities/credentials.jl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,22 @@ function _get_ini_value(
end

function _aws_profile_config(ini::Inifile, profile::AbstractString)
if profile != "default" || !haskey(sections(ini), "default")
profile = "profile $profile"
# Prefer using "profile default" over "default"
section_name = if profile != "default" || haskey(sections(ini), "profile default")
"profile $profile"
else
"default"
end
Copy link
Member Author

@omus omus Jul 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note the previous logic was to prefer default over profile default which deviates from the AWS CLI preference.


content = copy(get(sections(ini), section_name, IniFile.HTSS()))
source_profile = pop!(content, "source_profile", nothing)

# Fallback on settings specified in the source profile
if !isnothing(source_profile)
content = merge(_aws_profile_config(ini, source_profile), content)
end

return get(sections(ini), profile, Dict())
return content
end

function _aws_profile_config(ini::Inifile, profile::Nothing)
Expand Down
3 changes: 2 additions & 1 deletion test/runtests.jl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ using Dates
using Downloads
using GitHub
using HTTP
using IniFile: Inifile
using IniFile: Inifile, sections
using JSON
using OrderedCollections: LittleDict, OrderedDict
using MbedTLS: digest, MD_SHA256, MD_MD5
Expand Down Expand Up @@ -66,6 +66,7 @@ const AWS_CONFIG = Ref{AbstractAWSConfig}()
@testset "Unit Tests" begin
if RUN_UNIT_TESTS
include("unit/AWS.jl")
include("unit/AWSCredentials.jl")
else
@warn "Skipping unit tests"
end
Expand Down
77 changes: 77 additions & 0 deletions test/unit/AWSCredentials.jl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
@testset "_aws_profile_config" begin
using AWS: _aws_profile_config

@testset "source profile" begin
#! format: off
buffer = IOBuffer(
"""
[profile test]
output = json
region = us-east-1

[profile test:dev]
source_profile = test
role_arn = arn:aws:iam::123456789000:role/Dev

[profile test:sub-dev]
Copy link
Collaborator

@maganaluis maganaluis Jul 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this now supports chained roles, the max time for the session is one hour. Would this time limit cause any other issues?

Copy link
Member Author

@omus omus Jul 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We supported role chaining before this change so nothing really changed here. Any issues that existed before would still be present

source_profile = test:dev
role_arn = arn:aws:iam::123456789000:role/SubDev
"""
)
#! format: on
ini = Inifile()
read(ini, buffer)

# Only the fields from profile "test"
config = _aws_profile_config(ini, "test")
@test keys(config) ⊆ Set(["output", "region"])
@test config["output"] == "json"
@test config["region"] == "us-east-1"

# Combine the profile "test:dev" section with fields from profile "test"
config = _aws_profile_config(ini, "test:dev")
@test keys(config) ⊆ Set(["output", "region", "role_arn"])
@test config["output"] == "json"
@test config["region"] == "us-east-1"
@test config["role_arn"] == "arn:aws:iam::123456789000:role/Dev"

# Ensure we haven't mutated the contents of the `ini`
section = sections(ini)["profile test:dev"]
@test !haskey(section, "region")
@test !haskey(section, "output")

# Conflicting keys should use the first defined entry
config = _aws_profile_config(ini, "test:sub-dev")
@test keys(config) ⊆ Set(["output", "region", "role_arn"])
@test config["output"] == "json"
@test config["region"] == "us-east-1"
@test config["role_arn"] == "arn:aws:iam::123456789000:role/SubDev"

# Ensure we haven't mutated the contents of the `ini`
section = sections(ini)["profile test:sub-dev"]
@test !haskey(section, "region")
@test !haskey(section, "output")
end

# AWS CLI (version v2.27.15) will use "profile default" over "default" when both are
# defined within the configuration. This is true when `AWS_PROFILE` is unset or
# `AWS_PROFILE="default".
@testset "default profile" begin
#! format: off
buffer = IOBuffer(
"""
[default]
region = default-1

[profile default]
region = default-2
"""
)
#! format: on
ini = Inifile()
read(ini, buffer)

config = _aws_profile_config(ini, "default")
@test config["region"] == "default-2"
end
end
Loading