CORS-4055: migrate credential provider check to AWS SDK v2

This commit is an incremental step to migrate AWS API calls
to AWS SDK v2. This focuses on handlers that retrieve the source
or provider of credentials, for example, via shared credential file
and via environment variables.

Note: these logics are to determine whether the credential provider
is static, which is safe to transfer to the cluster as-is in Mint and
Passthrough credentialsMode.

pkg/asset/installconfig/aws/session.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 	"sync"
 
 	survey "github.com/AlecAivazis/survey/v2"
@@ -139,19 +138,6 @@ func getCredentialsFromSession(options session.Options) (*credentials.Credential
 	return creds, nil
 }
 
-// IsStaticCredentials returns whether the credentials value provider are
-// static credentials safe for installer to transfer to cluster for use as-is.
-func IsStaticCredentials(credsValue credentials.Value) bool {
-	switch credsValue.ProviderName {
-	case credentials.EnvProviderName, credentials.StaticProviderName, credentials.SharedCredsProviderName, session.EnvProviderName:
-		return credsValue.SessionToken == ""
-	}
-	if strings.HasPrefix(credsValue.ProviderName, "SharedConfigCredentials") {
-		return credsValue.SessionToken == ""
-	}
-	return false
-}
-
 // errCodeEquals returns true if the error matches all these conditions:
 //   - err is of type awserr.Error
 //   - Error.Code() equals code

pkg/asset/installconfig/aws/sessionv2.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,6 +36,12 @@ const (
 
 	// RetryBackoffDuration is max duration between retried attempts.
 	RetryBackoffDuration = 300 * time.Second
+
+	// SharedCredsProviderName defines the source name of AWS credentials
+	// from a shared credential file.
+	// Note: The SDK does not expose any constants for this value so
+	// we define one here as a replacement.
+	SharedCredsProviderName = "SharedConfigCredentials" //nolint:gosec
 )
 
 var (
@@ -126,11 +133,21 @@ func getCredentialsV2(ctx context.Context, options ConfigOptions) (aws.Credentia
 	return creds, nil
 }
 
-// IsStaticCredentialsV2 returns whether the credentials value provider are
+// IsStaticCredentials returns whether the credentials value provider are
 // static credentials safe for installer to transfer to cluster for use as-is.
-// TODO: Remove suffix V2 when completing migration aws sdk v2 (i.e. removing session.go).
-func IsStaticCredentialsV2(creds aws.Credentials) bool {
-	if creds.Source == credentials.StaticCredentialsName {
+// Reference: https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials
+func IsStaticCredentials(creds aws.Credentials) bool {
+	switch creds.Source {
+	case
+		credentials.StaticCredentialsName, // Credentials explicitly created via credentials.NewStaticCredentialsProvider()
+		config.CredentialsSourceName:      // Credentials loaded from environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) - "EnvConfigCredentials"
+		return creds.SessionToken == ""
+	}
+
+	// Credentials loaded from ~/.aws/credentials or AWS_SHARED_CREDENTIALS_FILE
+	// When using shared credential file, the AWS SDK defines its credential source as "SharedConfigCredentials: FILENAME"
+	// Reference: https://github.com/aws/aws-sdk-go-v2/blob/de58dc6cdc4c35ac4687d53cff781a6027a0f52f/config/shared_config.go#L1173
+	if strings.HasPrefix(creds.Source, SharedCredsProviderName) {
 		return creds.SessionToken == ""
 	}
 	return false

pkg/asset/manifests/openshift.go

@@ -3,12 +3,14 @@ package manifests
 import (
 	"context"
 	"encoding/base64"
+	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -91,20 +93,22 @@ func (o *Openshift) Generate(ctx context.Context, dependencies asset.Parents) er
 	platform := installConfig.Config.Platform.Name()
 	switch platform {
 	case awstypes.Name:
-		ssn, err := installConfig.AWS.Session(ctx)
+		awsconfig, err := installconfigaws.GetConfigWithOptions(ctx, config.WithRegion(installConfig.AWS.Region))
 		if err != nil {
 			return err
 		}
-		creds, err := ssn.Config.Credentials.Get()
+
+		creds, err := awsconfig.Credentials.Retrieve(ctx)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to retrieve aws credentials: %w", err)
 		}
+
 		if !installconfigaws.IsStaticCredentials(creds) {
 			switch {
 			case installConfig.Config.CredentialsMode == "":
-				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.ProviderName)
+				return errors.Errorf("AWS credentials provided by %s are not valid for default credentials mode", creds.Source)
 			case installConfig.Config.CredentialsMode != types.ManualCredentialsMode:
-				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.ProviderName, installConfig.Config.CredentialsMode)
+				return errors.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", creds.Source, installConfig.Config.CredentialsMode)
 			}
 		}
 		cloudCreds = cloudCredsSecretData{