From af154410804b9cbc4764e1acb4016b52633ec9fc Mon Sep 17 00:00:00 2001
From: Eduardo Silva <eduardo@chronosphere.io>
Date: Thu, 4 Dec 2025 17:00:32 -0600
Subject: [PATCH] aws_credentials: make IRSA authoritative in credentials chain

- Added explicit constants for IRSA environment variables to clarify detection
  of pod-level AWS authentication settings.

- Updated the standard AWS credential chain to treat IRSA as authoritative,
  failing fast if the EKS provider cannot initialize and skipping ECS/EC2
  fallbacks when IRSA is configured.

Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
---
 src/aws/flb_aws_credentials.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/src/aws/flb_aws_credentials.c b/src/aws/flb_aws_credentials.c
index 75f13b111f2..6a917de5a8e 100644
--- a/src/aws/flb_aws_credentials.c
+++ b/src/aws/flb_aws_credentials.c
@@ -37,6 +37,8 @@
 #define AWS_SESSION_TOKEN              "AWS_SESSION_TOKEN"
 
 #define EKS_POD_EXECUTION_ROLE         "EKS_POD_EXECUTION_ROLE"
+#define AWS_ROLE_ARN                   "AWS_ROLE_ARN"
+#define AWS_WEB_IDENTITY_TOKEN_FILE    "AWS_WEB_IDENTITY_TOKEN_FILE"
 
 /* declarations */
 static struct flb_aws_provider *standard_chain_create(struct flb_config
@@ -406,7 +408,7 @@ struct flb_aws_provider *flb_managed_chain_provider_create(struct flb_output_ins
                                                       (char *) sts_endpoint,
                                                       NULL,
                                                       flb_aws_client_generator(),
-                                                      profile);
+                                                      (char *) profile);
     if (!aws_provider) {
         flb_plg_error(ins, "Failed to create AWS Credential Provider");
         goto error;
@@ -529,12 +531,14 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
                                                       int eks_irsa,
                                                       char *profile)
 {
+    int irsa_env_present = FLB_FALSE;
     struct flb_aws_provider *sub_provider;
     struct flb_aws_provider *provider;
     struct flb_aws_provider_chain *implementation;
+    char *role_arn_env = NULL;
+    char *token_file_env = NULL;
 
     provider = flb_calloc(1, sizeof(struct flb_aws_provider));
-
     if (!provider) {
         flb_errno();
         return NULL;
@@ -575,6 +579,14 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
                   "standard chain");
     }
 
+    role_arn_env = getenv(AWS_ROLE_ARN);
+    token_file_env = getenv(AWS_WEB_IDENTITY_TOKEN_FILE);
+
+    /* Check if IRSA environment variables are set */
+    if (role_arn_env && strlen(role_arn_env) > 0 && token_file_env && strlen(token_file_env) > 0) {
+        irsa_env_present = FLB_TRUE;
+    }
+
     if (eks_irsa == FLB_TRUE) {
         sub_provider = flb_eks_provider_create(config, tls, region, sts_endpoint, proxy, generator);
         if (sub_provider) {
@@ -582,6 +594,16 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
             mk_list_add(&sub_provider->_head, &implementation->sub_providers);
             flb_debug("[aws_credentials] Initialized EKS Provider in standard chain");
         }
+        else if (irsa_env_present) {
+            flb_error("[aws_credentials] IRSA environment variables are set but the EKS provider could not be initialized");
+            flb_aws_provider_destroy(provider);
+            return NULL;
+        }
+
+        if (irsa_env_present) {
+            flb_debug("[aws_credentials] IRSA environment detected; skipping ECS and EC2 providers");
+            return provider;
+        }
     }
 
     sub_provider = flb_http_provider_create(config, generator);