Role arn not read from profile in config when using config file with web_identity_token_file

[imcdo]

When using amazon-ecr-credential-helper to pull from ECR, it fails to pull credentials from the default profile with the following stack trace:

Unable to find image '<account>.dkr.ecr.us-west-2.amazonaws.com/<image>' locally 37:21
panic: role ARN is not set 37:21
goroutine 1 [running]: 37:21
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00002bf9d?, 0x0?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/api/factory.go:84 +0x190 37:21
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x8aa120?, 0xb28ba0?}, 0xaf2cc0?}, {0xc000028f30, 0x2c}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/ecr.go:101 +0x113 37:21
 github.com/docker/docker-credential-helpers/credentials.Get({0x8a9d30, 0xc000012108}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0, 0xc00005e030}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:154 +0x1fa 37:21
 github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x8a9d30?, 0xc000012108?}, {0x7ffc942bad3e, 0x3}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0?, 0xc00005e030?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:96 +0x97 37:21
 github.com/docker/docker-credential-helpers/credentials.Serve({0x8a9d30, 0xc000012108}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:80 +0x325 37:21
 main.main() 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/cli/docker-credential-ecr-login/main.go:52 +0x154 37:21
 docker: Error response from daemon: Head "https://<accoun>.dkr.ecr.us-west-2.amazonaws.com/v2/<image>": no basic auth credentials.

The default profile in the ~/.aws/config file is simply:

[profile default]
role_arn = arn:aws:iam::<account>:role/<role-name>
web_identity_token_file=<absolute path to existing token>

the panic originally coming from this projects call here.

eventually throwing the error here

Expected Behavior

It reads the default profile as it was not specified in the environment variables, and reads the role name specified there.

Current Behavior

It fails to find the specified role name even though it is specified in the config.
Reproduction Steps

create a .aws/config file that has a default profile that assumes a role via a web_identity_token_file
configure docker to use amazon-ecr-credential-helper
attempt to pull an image

Operating System and version

Ubuntu 20.04

also opened a similar issue here that was closed as I was asked to redirect here.
aws/aws-sdk-go-v2#2469

[a523]

I have this same issue

[Kern--]

I'm not able to reproduce this issue as far back as v0.8.0 (including commit 88cfadc80e8f mentioned in the original report) without setting AWS_WEB_IDENTITY_TOKEN_FILE in my environment without also setting AWS_ROLE_ARN. From a bit of debugging and reading through the AWS SDK code, I don't see how this could happen without some extra, incomplete config that overrides ~/.aws/config.

Can you provide any additional setup info? Is AWS_WEB_IDENTITY_TOKEN_FILE defined in your environment? Does it work if you unset it?

Where is this running? Is it an EC2 instance? EKS pod? Something else?