
aws_credentials: make IRSA authoritative in credentials chain #11256

Open

edsiper wants to merge 1 commit into master from aws-irsa-issue

Conversation

@edsiper
Member

@edsiper edsiper commented Dec 4, 2025

Fixes #11255

  • Added explicit constants for IRSA environment variables to clarify detection of pod-level AWS authentication settings.

  • Updated the standard AWS credential chain to treat IRSA as authoritative, failing fast if the EKS provider cannot initialize and skipping ECS/EC2 fallbacks when IRSA is configured.


Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Added support for AWS IAM Roles for Service Accounts (IRSA) when running on Amazon EKS, enabling automatic credential discovery in container environments.
  • Bug Fixes

    • Enhanced error handling in AWS credential provider initialization to gracefully handle provider setup failures.
    • Improved credential provider selection to prioritize IRSA when available.

- Added explicit constants for IRSA environment variables to clarify detection
  of pod-level AWS authentication settings.

- Updated the standard AWS credential chain to treat IRSA as authoritative,
  failing fast if the EKS provider cannot initialize and skipping ECS/EC2
  fallbacks when IRSA is configured.

Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
@coderabbitai

coderabbitai bot commented Dec 4, 2025

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between c88c545 and af15441.

📒 Files selected for processing (1)
  • src/aws/flb_aws_credentials.c

Walkthrough

Modified AWS credential provider chain in flb_aws_credentials.c to detect and prioritize IRSA (IAM Roles for Service Accounts) by reading AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables. When IRSA is detected, the function now uses the EKS provider exclusively and returns immediately, preventing fallback to ECS or EC2 IMDS providers. Includes error handling for failed EKS provider creation when IRSA is enabled.

Changes

  • IRSA Credential Detection & Provider Chain Fix (src/aws/flb_aws_credentials.c): Added AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variable constants; implemented IRSA detection in standard_chain_create() to check for these env vars; modified control flow to immediately return after successful EKS provider initialization when IRSA is present, preventing fallback to ECS and EC2 providers; added error handling to destroy and return NULL when EKS provider creation fails with IRSA enabled; added type cast for profile parameter in flb_aws_client_generator() call.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • cosmo0920

Poem

🐰 Hop, hop, the IRSA hops,
No more fallback, the chain never stops!
Pod tokens shine, no IMDS strays,
Fluent credentials dance in better ways! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: making IRSA (EKS provider) authoritative in the credentials chain by detecting IRSA env vars and failing fast if EKS initialization fails, rather than falling back to ECS/EC2 providers.
  • Linked Issues check: ✅ Passed. The changes directly address issue #11255 by preventing fallback to EC2 IMDS when IRSA is configured; the code now returns immediately after EKS provider initialization if IRSA env vars are present, and returns NULL if EKS creation fails, ensuring IRSA is authoritative.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to IRSA authoritative detection and credential chain handling: environment variable constants, IRSA detection logic, and error handling for failed EKS provider initialization. A minor type cast addition for the profile parameter appears necessary for consistency.

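The credential-chain change described in the PR description and in the walkthrough above, as an added C example that is not Fluent Bit's own code: `chain_irsa_authoritative` models the new behaviour (IRSA env vars present means the EKS provider is the only option, and a failed init yields no provider), while `chain_fallthrough` models the pre-fix fall-through to ECS and then EC2 IMDS. The `pod_env` struct, its `*_ok` flags, and the sample ARN and token path in the test are constructed stand-ins for real provider initialization.

```c
#include <stdio.h>
#include <stdlib.h>
/* Env vars AWS sets on IRSA-enabled pods; the PR adds constants for them. */
#define ENV_ROLE_ARN    "AWS_ROLE_ARN"
#define ENV_TOKEN_FILE  "AWS_WEB_IDENTITY_TOKEN_FILE"

enum provider { PROV_NONE = 0, PROV_EKS = 1, PROV_ECS = 2, PROV_EC2 = 3 };
/* Constructed stand-in for a pod: the IRSA env values (NULL = unset) plus
 * flags saying whether each provider's init would succeed. */
struct pod_env {
    const char *role_arn;
    const char *token_file;
    int eks_ok, ecs_ok, ec2_ok;
};

static int irsa_configured(const struct pod_env *p)
{
    return p->role_arn && p->role_arn[0] && p->token_file && p->token_file[0];
}

/* Chain as the PR describes it: IRSA present means EKS only, fail fast. */
enum provider chain_irsa_authoritative(const struct pod_env *p)
{
    if (irsa_configured(p)) {
        return p->eks_ok ? PROV_EKS : PROV_NONE;  /* never reach ECS/EC2 */
    }
    if (p->ecs_ok) return PROV_ECS;
    if (p->ec2_ok) return PROV_EC2;
    return PROV_NONE;
}

/* Pre-fix behaviour the walkthrough implies: a failed EKS init falls
 * through to ECS and then EC2 IMDS, i.e. the node's instance role. */
enum provider chain_fallthrough(const struct pod_env *p)
{
    if (irsa_configured(p) && p->eks_ok) return PROV_EKS;
    if (p->ecs_ok) return PROV_ECS;
    if (p->ec2_ok) return PROV_EC2;
    return PROV_NONE;
}

int main(void)
{
    /* Real process: read the IRSA env vars; assume only IMDS would succeed. */
    struct pod_env p = { getenv(ENV_ROLE_ARN), getenv(ENV_TOKEN_FILE), 0, 0, 1 };
    printf("fallthrough=%d authoritative=%d\n",
           chain_fallthrough(&p), chain_irsa_authoritative(&p));
    return 0;
}
```

The difference matters for least privilege: with the fall-through, a pod whose web-identity exchange fails silently ends up with the node's instance-role credentials from IMDS instead of the service account's role, and the failure is invisible to the operator.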

@edsiper
Member Author

edsiper commented Dec 5, 2025

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Bravo.


@edsiper edsiper marked this pull request as ready for review April 11, 2026 00:14
@edsiper edsiper requested a review from a team as a code owner April 11, 2026 00:14