pr feedback

Author: SEANDOUGHTY

pkg/env/env.go

@@ -24,7 +24,9 @@ type Config struct {
 	RenderAPIKey       string   `required:"true" split_words:"true"`
 	AWSRegion          string   `required:"true" split_words:"true"`
 
-	// If AWSRoleARN is empty, the AWS SDK falls back to access keys from the environment
+	// OIDC is used if the web identity token file exists on disk (mounted by
+	// Render when OIDC is enabled). Otherwise the AWS SDK's default credential
+	// chain falls back to AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
 	AWSRoleARN              string `required:"false" split_words:"true"`
 	AWSWebIdentityTokenFile string `required:"false" split_words:"true" default:"/var/lib/render/oidc/aws.jwt"`
 
@@ -49,7 +51,8 @@ func LoadConfig(ctx context.Context, config *Config) error {
 		return err
 	}
 
-	if config.AWSRoleARN != "" {
+	if _, err := os.Stat(config.AWSWebIdentityTokenFile); err == nil {
+		logger.FromContext(ctx).Info("Using OIDC authentication")
 		awscfg.Credentials = aws.NewCredentialsCache(stscreds.NewWebIdentityRoleProvider(
 			sts.NewFromConfig(awscfg),
 			config.AWSRoleARN,