From c40a57419797faceb549c0fe4af76a77708afc0f Mon Sep 17 00:00:00 2001
From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Date: Fri, 17 Oct 2025 14:16:49 +0200
Subject: [PATCH] discovery/ec2: Fix AWS SDK v2 credentials handling for EC2 and Lightsail discovery

After the upgrade to AWS SDK v2, the EC2 and Lightsail service discovery stopped working when using the default AWS credential chain (environment variables, IAM roles, EC2 instance metadata, etc.). The issue was that the code unconditionally created a StaticCredentialsProvider with empty credentials when access_key and secret_key were not configured. In AWS SDK v2, this causes a "static credentials are empty" error and prevents the SDK from falling back to its default credential chain.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 discovery/aws/ec2.go | 24 +++++++++++++++++-------
 discovery/aws/lightsail.go | 25 +++++++++++++++++--------
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/discovery/aws/ec2.go b/discovery/aws/ec2.go
index 539cd84c4f..5fb92559ba 100644
--- a/discovery/aws/ec2.go
+++ b/discovery/aws/ec2.go
@@ -197,7 +197,6 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 if d.ec2 != nil {
 return d.ec2, nil
 }
- credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")

 // Build the HTTP client from the provided HTTPClientConfig.
 httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "ec2_sd")
@@ -205,14 +204,25 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 return nil, err
 }

- // Build the AWS config with the provided region and credentials.
- cfg, err := awsConfig.LoadDefaultConfig(
- ctx,
+ // Build the AWS config with the provided region.
+ configOptions := []func(*awsConfig.LoadOptions) error{
 awsConfig.WithRegion(d.cfg.Region),
- awsConfig.WithCredentialsProvider(credProvider),
- awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 awsConfig.WithHTTPClient(httpClient),
- )
+ }
+
+ // Only set static credentials if both access key and secret key are provided.
+ // Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+ if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+ credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+ configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+ }
+
+ // Set the profile if provided.
+ if d.cfg.Profile != "" {
+ configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+ }
+
+ cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 if err != nil {
 return nil, fmt.Errorf("could not create aws config: %w", err)
 }
diff --git a/discovery/aws/lightsail.go b/discovery/aws/lightsail.go
index 5c356c8c45..0220c0ef24 100644
--- a/discovery/aws/lightsail.go
+++ b/discovery/aws/lightsail.go
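Review bot: In ec2Client (discovery/aws/ec2.go), the new guard `d.cfg.AccessKey != "" && d.cfg.SecretKey != ""` treats a half-configured pair the same as no static credentials, so a config that sets only `access_key` or only `secret_key` now silently runs discovery under whatever identity the SDK default chain resolves (environment, shared profile, instance role) instead of failing. Unless config validation outside this hunk already rejects that case, return an error before building the options: `if (d.cfg.AccessKey == "") != (d.cfg.SecretKey == "") { return nil, fmt.Errorf("ec2 sd: access_key and secret_key must be set together") }`. The same guard appears in the lightsailClient hunk in discovery/aws/lightsail.go and needs the same check. ec2Client starts and ends outside this hunk.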
@@ -161,22 +161,31 @@ func (d *LightsailDiscovery) lightsailClient(ctx context.Context) (*lightsail.Cl
 return d.lightsail, nil
 }

- credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
-
 // Build the HTTP client from the provided HTTPClientConfig.
 httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "lightsail_sd")
 if err != nil {
 return nil, err
 }

- // Build the AWS config with the provided region and credentials.
- cfg, err := awsConfig.LoadDefaultConfig(
- ctx,
+ // Build the AWS config with the provided region.
+ configOptions := []func(*awsConfig.LoadOptions) error{
 awsConfig.WithRegion(d.cfg.Region),
- awsConfig.WithCredentialsProvider(credProvider),
- awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 awsConfig.WithHTTPClient(httpClient),
- )
+ }
+
+ // Only set static credentials if both access key and secret key are provided.
+ // Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+ if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+ credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+ configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+ }
+
+ // Set the profile if provided.
+ if d.cfg.Profile != "" {
+ configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+ }
+
+ cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 if err != nil {
 return nil, fmt.Errorf("could not create aws config: %w", err)
 }
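Review bot: The option-building block in lightsailClient is a line-for-line copy of the one added to ec2Client in discovery/aws/ec2.go, which leaves the rule for choosing between static keys, a named profile and the SDK default chain in two places that can drift apart. Both files sit under discovery/aws and so presumably share a package; a small unexported helper that takes region, access key, secret key, profile and HTTP client and returns the `[]func(*awsConfig.LoadOptions) error` slice would keep that decision in one spot. The diffstat lists only the two source files, so no test covers the three cases (keys set, profile only, neither); a table-driven test on such a helper would pin them. lightsailClient continues outside this hunk.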