Skip to content

feat(aws): support keyless authentication (IRSA / instance profile)#751

Merged
Mzack9999 merged 2 commits into
projectdiscovery:devfrom
hsagnik:feat/aws-keyless-irsa
Jun 17, 2026
Merged

feat(aws): support keyless authentication (IRSA / instance profile)#751
Mzack9999 merged 2 commits into
projectdiscovery:devfrom
hsagnik:feat/aws-keyless-irsa

Conversation

@hsagnik

@hsagnik hsagnik commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Summary

The AWS provider currently requires aws_access_key and aws_secret_key in the provider-config, which prevents keyless authentication such as IRSA (IAM Roles for Service Accounts) on EKS. This PR makes both fields optional and falls back to the AWS SDK default credential chain when they are omitted.

Changes

  • pkg/providers/aws/aws.go
    • ParseOptionBlock: aws_access_key / aws_secret_key are now optional. Added paired validation — if exactly one of the two is provided, it errors (a half-configured pair is almost always a mistake).
    • New: static credentials are only set when both keys are present. Otherwise config.Credentials is left nil so session.NewSession resolves credentials via the SDK default chain.
  • PROVIDERS.md: marked the keys optional and added a "Keyless Authentication" section.
  • README.md: added a keyless-auth feature bullet.

Why this works

aws-sdk-go v1's session.NewSession(config) runs its internal resolveCredentials only when config.Credentials == nil. That resolver automatically detects AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN (injected by the EKS pod-identity webhook) and assumes the web-identity role — so IRSA, EC2/ECS instance profiles, AWS_* env vars and shared config all work without injecting static creds into the config file. The previous hard-coded NewStaticCredentials short-circuited that path.

This composes with existing role-assumption flows (assume_role_arn, assume_role_name, org_discovery_role_arn), which build STS sessions on top of the now-keyless base session.

Backward compatibility

Fully backward compatible — existing static-key configs behave exactly as before.

Testing

  • go build ./..., go vet ./pkg/providers/aws/, and go test ./pkg/providers/aws/ all pass.

Summary by CodeRabbit

  • New Features
    • AWS provider now supports keyless authentication using IRSA, EC2/ECS instance profiles, environment variables, and shared AWS configuration.
  • Changes
    • If either aws_access_key or aws_secret_key is set, the other must also be provided; otherwise configuration falls back to the SDK’s default credential chain.
    • Assume-role settings build on top of keyless credentials.
  • Documentation
    • Updated provider docs and README with keyless auth guidance and a zero-key YAML example.
  • Tests
    • Added unit coverage for AWS option parsing around keyless vs static credentials.

@hsagnik hsagnik force-pushed the feat/aws-keyless-irsa branch from f3e18a4 to 1d14571 Compare June 11, 2026 13:56
@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1538a790-8f15-4dc5-9ffd-b2fbfa30ad40

📥 Commits

Reviewing files that changed from the base of the PR and between ef682e2 and 3c530cd.

📒 Files selected for processing (3)
  • PROVIDERS.md
  • pkg/providers/aws/aws.go
  • pkg/providers/aws/aws_test.go
✅ Files skipped from review due to trivial changes (1)
  • PROVIDERS.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/providers/aws/aws.go

Walkthrough

AWS provider now accepts omitted aws_access_key/aws_secret_key; when both are omitted, the AWS SDK default credential chain (IRSA, instance profiles, environment variables, shared config) supplies credentials. Docs and validation enforce that if either key is set, both must be provided.

Changes

Keyless Authentication Support

Layer / File(s) Summary
Keyless authentication feature documentation
README.md, PROVIDERS.md
README highlights keyless authentication support; PROVIDERS.md marks aws_access_key/aws_secret_key optional, adds a "Keyless Authentication" section explaining AWS SDK default chain resolution (IRSA/instance profiles/environment/shared config), includes a zero-key YAML example, and documents the requirement that both keys must be provided together when either is set.
AWS provider keyless credential implementation
pkg/providers/aws/aws.go
ParseOptionBlock treats access key and secret key as optional metadata and validates they are provided as a complete pair, returning an error if only one is set. New conditionally applies static credentials only when both are present, otherwise leaving credentials unset to trigger the AWS SDK default credential chain. Minor formatting adjustment at worker goroutine boundary.
Credential parsing tests
pkg/providers/aws/aws_test.go
Table-driven TestParseOptionBlock validates four cases: both keys present (no error, values populated), both omitted (no error, keyless mode), only access key (error), and only secret key (error).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Where keys once required, now none are needed,
The SDK seeks secrets where profiles are seated.
IRSA hums, instance roles reply,
Env and shared files give wings to my sigh.
Keyless we hop — into clouds we glide! ☁️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: adding support for keyless AWS authentication via IRSA and instance profiles, which is the primary objective of this PR.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Make aws_access_key/aws_secret_key optional. When omitted, fall back to
the AWS SDK default credential chain so IRSA, EC2/ECS instance profiles,
env vars and shared config work without injecting static creds into the
provider config.
@hsagnik hsagnik force-pushed the feat/aws-keyless-irsa branch from 1d14571 to ef682e2 Compare June 12, 2026 05:44
@Mzack9999 Mzack9999 self-requested a review June 16, 2026 20:41
@Mzack9999 Mzack9999 merged commit 952ca94 into projectdiscovery:dev Jun 17, 2026
9 checks passed
@hsagnik

hsagnik commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Hey @Mzack9999 and @dogancanbakir would this be treated as a feature enhancement?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

AWS provider should support keyless authentication (IRSA / instance profile)

2 participants