Default authentication flow should fail if invalid profile name is passed

[gdavison]

Describe the bug

When the default authentication flow is used with config.LoadDefaultConfig(), providing an invalid profile name, either with config.WithSharedConfigProfile() or by setting AWS_PROFILE, does not cause an error, but falls back to trying IMDS.

Previously reported as #1591, but the proposed fix did not resolve the issue

Expected Behavior

In the AWS CLI, I get

$ AWS_PROFILE=no-such-profile aws sts get-caller-identity

The config profile (no-such-profile) could not be found

The SDK should fail with a config.SharedConfigProfileNotExistError error, or at least have the option to do so.

Current Behavior

The AWS SDK falls back to calling IMDS

Reproduction Steps

cfg, err := config.LoadDefaultConfig(ctx)

and set AWS_PROFILE to an invalid profile name

or

cfg, err := config.LoadDefaultConfig(ctx, config.WithSharedConfigProfile("no-such-profile"))

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.13.0, github.com/aws/aws-sdk-go-v2/config v1.13.1

and

github.com/aws/aws-sdk-go-v2 v1.17.6, github.com/aws/aws-sdk-go-v2/config v1.18.18

Compiler and Version used

go version go1.20.2 darwin/arm64

Operating System and version

N/A

[RanVaknin]

Hi @gdavison ,

Thanks for opening the issue. I'm able to reproduce the error.

I believe this is happening because the ResolveCredentialsFromProfile function does not have a case handling loading of non-existent profiles, and falls back to resolveEC2RoleCredentials.
Then it would constructs an ec2RoleCredProvider with the user input as the role arn. When the client checks the cache for credentials, it treats it as an EC2provider and fails with an IMDS error:

failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, http response error StatusCode: 403, request to EC2 IMDS failed

I'll mark it needs-review and will discuss it with the team.
Thanks,
Ran~

[lucix-aws]

FYI we've decided that this is safe to do by default since the caller is explicitly asking for something that isn't in their config. Additionally the only "success" scenario here with the current behavior would be if you happen to have IMDS available beyond the misconfiguration, which we think is both unlikely and also probably not desired.