From 59a030ca515d5e0c55473dbdbe409ded724a2ea2 Mon Sep 17 00:00:00 2001
From: christophrj <137199105+christophrj@users.noreply.github.com>
Date: Tue, 3 Dec 2024 10:24:16 +0100
Subject: [PATCH] fix(aws-sdk-v1): web identity with injected identity
Signed-off-by: christophrj <137199105+christophrj@users.noreply.github.com>
(cherry picked from commit 36d0046de795b3c08bee8380e755e2b775688997)
---
 pkg/utils/connect/aws/config.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/pkg/utils/connect/aws/config.go b/pkg/utils/connect/aws/config.go
index 0ce76212a1..d1660a8e1d 100644
--- a/pkg/utils/connect/aws/config.go
+++ b/pkg/utils/connect/aws/config.go
@@ -32,6 +32,7 @@ import (
 stscredstypesv2 "github.com/aws/aws-sdk-go-v2/service/sts/types"
 awsv1 "github.com/aws/aws-sdk-go/aws"
 credentialsv1 "github.com/aws/aws-sdk-go/aws/credentials"
+ stscredsv1 "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 defaultsv1 "github.com/aws/aws-sdk-go/aws/defaults"
 endpointsv1 "github.com/aws/aws-sdk-go/aws/endpoints"
 requestv1 "github.com/aws/aws-sdk-go/aws/request"
@@ -672,8 +673,21 @@ func GetDefaultConfigV1() (*awsv1.Config, error) {
 muV1.Lock()
 defer muV1.Unlock()
 if defaultConfigV1 == nil {
- // use the sdk's default config
- defaultConfigV1 = defaultsv1.Get().Config
+ envCfg, err := config.NewEnvConfig()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to load default AWS env config")
+ }
+ if len(envCfg.WebIdentityTokenFilePath) > 0 {
+ cfg := awsv1.NewConfig()
+ sess, err := GetSessionV1(cfg)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to load default AWS config")
+ }
+ creds := stscredsv1.NewWebIdentityCredentials(sess, envCfg.RoleARN, envCfg.RoleSessionName, envCfg.WebIdentityTokenFilePath) //nolint:staticcheck
+ defaultConfigV1 = cfg.WithCredentials(creds)
+ } else {
+ defaultConfigV1 = defaultsv1.Get().Config
+ }
 }
 return defaultConfigV1.Copy(), nil
 }
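Review bot: The new web-identity branch in GetDefaultConfigV1 passes `envCfg.RoleARN` to `NewWebIdentityCredentials` without checking that it is non-empty, so an environment with only the token-file variable set gets a cached config whose credentials fail at the first STS call rather than here. A guard before the `creds :=` line, such as `if envCfg.RoleARN == "" { return nil, errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is set but AWS_ROLE_ARN is empty") }`, would surface the misconfiguration at load time. The branch also selects web identity whenever the token file path is set, which appears to put it ahead of any static keys present in the environment; if that precedence is intended it deserves a comment, since it decides which identity the process acts as. The `//nolint:staticcheck` on the same line should say what it suppresses (presumably the deprecation of this constructor).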