Do not backfill AWS credential env vars during banner init

architect · Oct 19, 2023 · bd5c4f8 · bd5c4f8
1 parent bf3cec2
commit bd5c4f8
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 22 deletions.
diff --git a/banner/cred-check.js b/banner/cred-check.js
@@ -31,14 +31,4 @@ module.exports = function credCheck ({ checkCreds = true, inventory, needsValidC
   if (creds.error && needsValidCreds) {
     return Error('Valid credentials needed to run this command; missing or invalid credentials')
   }
-  else if (creds.error) {
-    /**
-     * Backfill creds - any creds will do for local service emulation
-     * - Be sure we backfill Lambda's prepopulated env vars
-     * - sessionToken / AWS_SESSION_TOKEN is optional, skip so as not to introduce unintended side-effects
-     */
-    process.env.ARC_AWS_CREDS = 'dummy'
-    process.env.AWS_ACCESS_KEY_ID = 'arc_dummy_access_key'
-    process.env.AWS_SECRET_ACCESS_KEY = 'arc_dummy_secret_key'
-  }
 }
diff --git a/changelog.md b/changelog.md
@@ -8,7 +8,7 @@
 
 - Initializing the Architect banner is now significantly faster by way of relying on `aws-lite` (instead of `aws-sdk`)
 - Breaking change: banner initialization no longer mutates `AWS_PROFILE`, or uses `ARC_AWS_CREDS` as a signal to other modules about credential loading
-  - While credential env vars (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) are still backfilled in certain circumstances, modules relying on the banner for credential-related operations must review the changes and refactor accordingly
+  - Modules relying on the banner for credential-related operations must review the changes and refactor accordingly
 - Breaking change: banner initialization now throws on invalid credentials
 
 ---

diff --git a/test/banner/cred-check-test.js b/test/banner/cred-check-test.js
@@ -51,14 +51,3 @@ test('Credential checks', t => {
   console.log(err)
   reset(t)
 })
-
-test('Credential backfill', t => {
-  t.plan(4)
-  process.env.AWS_PROFILE = 'random_profile_name_that_does_not_exist'
-  let err = credCheck({ inventory })
-  t.notOk(err, 'No credential loading error reported')
-  t.equal(process.env.ARC_AWS_CREDS, 'dummy', 'Mutated ARC_AWS_CREDS')
-  t.equal(process.env.AWS_ACCESS_KEY_ID, 'arc_dummy_access_key', 'Mutated AWS_ACCESS_KEY_ID')
-  t.equal(process.env.AWS_SECRET_ACCESS_KEY, 'arc_dummy_secret_key', 'Mutated AWS_SECRET_ACCESS_KEY')
-  reset(t)
-})