Improve error messages for authentication setup and credentials (#6098)

* fix: improve error messages in auth setup and credentials parsing

* chore: copy core change into root changelog

---------

Co-authored-by: cgoetz-inovex <carlo.goetz@inovex.de>

Author: avanderbergh

CHANGELOG.md

@@ -101,9 +101,11 @@
   - **Dependencies:** Bump STACKIT SDK core module from `v0.21.1` to `v0.24.0`
 - `vpn`: [v0.4.1](services/vpn/CHANGELOG.md#v041)
   - **Dependencies:** Bump STACKIT SDK core module from `v0.23.0` to `v0.24.0`
-
-- `core`: [v0.24.0](core/CHANGELOG.md#v0240) 
-  - **Bugfix:** Allow setting waiter timeouts via context, that are longer than the default timeout.
+- `core`:
+  - [v0.24.1](core/CHANGELOG.md#v0241)
+    - **Improvement:** Fix misleading error messages in authentication setup and credentials parsing.
+  - [v0.24.0](core/CHANGELOG.md#v0240)
+    - **Bugfix:** Allow setting waiter timeouts via context, that are longer than the default timeout.
 
 ## Release (2026-03-27)
 - `alb`: 

core/CHANGELOG.md

@@ -1,3 +1,6 @@
+## v0.24.1
+- **Improvement:** Fix misleading error messages in authentication setup and credentials parsing.
+
 ## v0.24.0
 - **Bugfix:** Allow setting waiter timeouts via context, that are longer than the default timeout.
 

core/VERSION

@@ -1 +1 @@
-v0.24.0
+v0.24.1

core/auth/auth.go

@@ -54,7 +54,7 @@ func SetupAuth(cfg *config.Configuration) (rt http.RoundTripper, err error) {
 	} else if cfg.WorkloadIdentityFederation {
 		wifRoundTripper, err := WorkloadIdentityFederationAuth(cfg)
 		if err != nil {
-			return nil, fmt.Errorf("configuring no auth client: %w", err)
+			return nil, fmt.Errorf("configuring workload identity federation client: %w", err)
 		}
 		return wifRoundTripper, nil
 	} else if cfg.ServiceAccountKey != "" || cfg.ServiceAccountKeyPath != "" {
@@ -278,7 +278,7 @@ func readCredentialsFile(path string) (*Credentials, error) {
 	var credentials Credentials
 	err = json.Unmarshal(credentialsRaw, &credentials)
 	if err != nil {
-		return nil, fmt.Errorf("unmaPrivateKeyrshalling credentials: %w", err)
+		return nil, fmt.Errorf("unmarshalling credentials: %w", err)
 	}
 	return &credentials, nil
 }

core/auth/auth_test.go

@@ -367,6 +367,18 @@ func TestReadCredentials(t *testing.T) {
 	}
 }
 
+func TestReadCredentialsFileErrorMessage(t *testing.T) {
+	setTemporaryHome(t)
+
+	_, err := readCredentialsFile("test_resources/test_invalid_structure.json")
+	if err == nil {
+		t.Fatalf("error expected")
+	}
+	if !strings.Contains(err.Error(), "unmarshalling credentials") {
+		t.Fatalf("expected unmarshalling credentials error, got %s", err)
+	}
+}
+
 func TestDefaultAuth(t *testing.T) {
 	privateKey, err := generatePrivateKey()
 	if err != nil {
@@ -768,6 +780,23 @@ func TestKeyAuthPemInsteadOfJsonKeyErrorHandling(t *testing.T) {
 	}
 }
 
+func TestSetupAuthWorkloadIdentityErrorMessage(t *testing.T) {
+	setTemporaryHome(t)
+	t.Setenv("STACKIT_SERVICE_ACCOUNT_EMAIL", "")
+	t.Setenv("STACKIT_FEDERATED_TOKEN_FILE", "")
+
+	_, err := SetupAuth(&config.Configuration{WorkloadIdentityFederation: true})
+	if err == nil {
+		t.Fatalf("error expected")
+	}
+	if !strings.Contains(err.Error(), "configuring workload identity federation client") {
+		t.Fatalf("expected workload identity federation error, got %s", err)
+	}
+	if strings.Contains(err.Error(), "configuring no auth client") {
+		t.Fatalf("unexpected no auth error message: %s", err)
+	}
+}
+
 func TestNoAuth(t *testing.T) {
 	for _, test := range []struct {
 		desc string