discovery/ec2: Fix AWS SDK v2 credentials handling for EC2 and Lightsail discovery

After the upgrade to AWS SDK v2, the EC2 and Lightsail service discovery
stopped working when using the default AWS credential chain (environment
variables, IAM roles, EC2 instance metadata, etc.).

The issue was that the code unconditionally created a StaticCredentialsProvider
with empty credentials when access_key and secret_key were not configured. In
AWS SDK v2, this causes a "static credentials are empty" error and prevents
the SDK from falling back to its default credential chain.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

discovery/aws/ec2.go

@@ -197,7 +197,6 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 	if d.ec2 != nil {
 		return d.ec2, nil
 	}
-	credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
 
 	// Build the HTTP client from the provided HTTPClientConfig.
 	httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "ec2_sd")
@@ -205,14 +204,25 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 		return nil, err
 	}
 
-	// Build the AWS config with the provided region and credentials.
-	cfg, err := awsConfig.LoadDefaultConfig(
-		ctx,
+	// Build the AWS config with the provided region.
+	configOptions := []func(*awsConfig.LoadOptions) error{
 		awsConfig.WithRegion(d.cfg.Region),
-		awsConfig.WithCredentialsProvider(credProvider),
-		awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 		awsConfig.WithHTTPClient(httpClient),
-	)
+	}
+
+	// Only set static credentials if both access key and secret key are provided.
+	// Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+	if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+		credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+		configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+	}
+
+	// Set the profile if provided.
+	if d.cfg.Profile != "" {
+		configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+	}
+
+	cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("could not create aws config: %w", err)
 	}

discovery/aws/lightsail.go

@@ -161,22 +161,31 @@ func (d *LightsailDiscovery) lightsailClient(ctx context.Context) (*lightsail.Cl
 		return d.lightsail, nil
 	}
 
-	credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
-
 	// Build the HTTP client from the provided HTTPClientConfig.
 	httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "lightsail_sd")
 	if err != nil {
 		return nil, err
 	}
 
-	// Build the AWS config with the provided region and credentials.
-	cfg, err := awsConfig.LoadDefaultConfig(
-		ctx,
+	// Build the AWS config with the provided region.
+	configOptions := []func(*awsConfig.LoadOptions) error{
 		awsConfig.WithRegion(d.cfg.Region),
-		awsConfig.WithCredentialsProvider(credProvider),
-		awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 		awsConfig.WithHTTPClient(httpClient),
-	)
+	}
+
+	// Only set static credentials if both access key and secret key are provided.
+	// Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+	if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+		credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+		configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+	}
+
+	// Set the profile if provided.
+	if d.cfg.Profile != "" {
+		configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+	}
+
+	cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("could not create aws config: %w", err)
 	}