
fix(sdk-config): drop web identity usage from v1 default config #2127

Merged
merged 1 commit into from
Nov 27, 2024

Conversation

christophrj (Collaborator)

Description of your changes

Fixes web identity usage when using providerconfig.spec.credentials.source InjectedIdentity.

Sample config:

```yaml
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: InjectedIdentity
```

Sample error message when not providing a web identity token file, e.g. via AWS_WEB_IDENTITY_TOKEN_FILE, in the provider-aws pod with InjectedIdentity:

```text
failed to describe DBParameterGroup: WebIdentityErr: failed fetching WebIdentity token: 
caused by: WebIdentityErr: unable to read file at 
caused by: open : no such file or directory
```

This fix enables (config v1) services to use any credential provider via the default credential provider chain.
As a result, v1 services can be used with container credential providers like pod identity.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make test to ensure this PR is ready for review.

How has this code been tested

make test
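The two failure modes quoted above (an empty web identity token path, and later in this thread a chain with no valid provider at all) both come down to which credential-related variables are present in the provider pod's environment. The following diagnostic is an added example written for this page, not code from the PR or from provider-aws: it classifies the environment the way the SDK default chain roughly would (static keys, then web identity, then container credentials) and verifies that any token file the environment points at is actually readable. That ordering is a simplification and an assumption of this example; the `kubectl exec` invocation mentioned in the comments is likewise illustrative.

```sh
#!/bin/sh
# Added diagnostic (not provider-aws code): classify which credential source the
# AWS SDK default chain would try, given the environment of a provider pod, and
# check that any token file the environment points at is actually readable.
# The ordering (static keys, then web identity, then container credentials) is a
# simplification of the SDK's default chain and an assumption of this example.

# aws_cred_source: prints a label and returns 0 when credentials look resolvable,
# 1 when the environment points at something the SDK cannot read.
aws_cred_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo static
    return 0
  fi

  # Web identity (IRSA): both variables must be set and the token file readable.
  # A set AWS_ROLE_ARN with an unset/empty token path reproduces the
  # "open : no such file or directory" failure quoted in the PR description.
  if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] || [ -n "${AWS_ROLE_ARN:-}" ]; then
    if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ] \
        && [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
      echo web-identity
      return 0
    fi
    echo web-identity-broken
    return 1
  fi

  # Container credentials (ECS, EKS Pod Identity): a credentials URI, optionally
  # protected by an authorization token file that must also be readable.
  if [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ] \
      || [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    if [ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:-}" ] \
        && [ ! -r "$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE" ]; then
      echo container-broken
      return 1
    fi
    echo container
    return 0
  fi

  # Nothing above applies: the chain falls through (shared config, then IMDS),
  # which in a pod with neither typically ends in "no valid providers in chain".
  echo none
  return 1
}

# aws_cred_report: human-readable summary of the same decision, suitable for
# running inside the provider pod, e.g. via kubectl exec (example usage only).
aws_cred_report() {
  src=$(aws_cred_source) || true
  echo "credential source: $src"
  echo "  AWS_ROLE_ARN=${AWS_ROLE_ARN:-<unset>}"
  echo "  AWS_WEB_IDENTITY_TOKEN_FILE=${AWS_WEB_IDENTITY_TOKEN_FILE:-<unset>}"
  echo "  AWS_CONTAINER_CREDENTIALS_FULL_URI=${AWS_CONTAINER_CREDENTIALS_FULL_URI:-<unset>}"
  echo "  AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=${AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:-<unset>}"
}

aws_cred_report
```

A non-zero return from `aws_cred_source` means the pod is configured for a provider that cannot succeed as-is (missing or unreadable token file), which is worth checking before blaming the ProviderConfig or the provider version.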

@MisterMX (Collaborator) left a comment

LGTM. Thank you very much @christophrj!

@MisterMX MisterMX merged commit bb398cd into crossplane-contrib:master Nov 27, 2024
9 checks passed

Successfully created backport PR #2131 for release-0.50.

@geoffreyme (Contributor)

Hi @MisterMX, I noticed some errors present in v0.50.6 which are not in v0.50.5, hence I suspect this PR.

```yaml
    message: "observe failed: failed to describe Secret: NoCredentialProviders: no
      valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
```

In the provider-aws we are using AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN.

```text
provider-aws-6cb0a8c7d55f-74c6d5f775-26t97 package-runtime 2024-12-02T15:05:47.280Z	DEBUG	provider-aws	Cannot observe external resource	{"controller": "managed/secret.secretsmanager.aws.crossplane.io", "request": {"name":"lama-dev-internal-dev-mendix-app-secrets"}, "uid": "128c5684-ccd1-4a74-8d71-0bfc8c2fd76d", "version": "27774647", "external-name": "lama/dev/internal-dev/mendix-app-secrets", "error": "failed to describe Secret: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors", "errorVerbose": "NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors\nfailed to describe Secret\ngithub.com/crossplane-contrib/provider-aws/pkg/utils/errors.Wrap\n\tgithub.com/crossplane-contrib/provider-aws/pkg/utils/errors/error.go:49\ngithub.com/crossplane-contrib/provider-aws/pkg/controller/secretsmanager/secret.(*external).Observe\n\tgithub.com/crossplane-contrib/provider-aws/pkg/controller/secretsmanager/secret/zz_controller.go:85\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:914\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227\nruntime.goexit\n\truntime/asm_amd64.s:1650"}
provider-aws-6cb0a8c7d55f-74c6d5f775-26t97 package-runtime 2024-12-02T15:05:47.280Z	DEBUG	events	failed to describe Secret: NoCredentialProviders: no valid providers in chain. Deprecated.
```

Would it be possible to revert this PR or provide a workaround?

Thank you.

@christophrj (Collaborator, Author)

The 'workaround' is to use the web identity credential provider via the provider config. So instead of using injected identity you should use AssumeRoleWithWebIdentity in the provider config: https://github.com/crossplane-contrib/provider-aws/blob/master/pkg/utils/connect/aws/config.go#L125
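For readers hitting the same `NoCredentialProviders` error, here are the two configuration shapes discussed in this thread side by side, as an added example rather than text from the PR or from the provider-aws docs: the `InjectedIdentity` ProviderConfig from the description, which in v0.50.6 relies entirely on the SDK default chain, next to one that selects the web identity provider explicitly through the ProviderConfig, which is the workaround the preceding comment points at. The `WebIdentity` source value and the `webIdentity.roleARN` field are written from memory of the provider-aws ProviderConfig schema and should be checked against the AUTHENTICATION doc and the linked config.go before use; the account ID and role name are placeholders.

```yaml
# Added example, not from the PR. Field names are assumed from the provider-aws
# ProviderConfig schema; the account ID and role name are placeholders.

# 1. Relies on the default credential provider chain inside the provider pod.
#    Per the report in this thread, in v0.50.6 this no longer picks up
#    AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN on its own.
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: injected
spec:
  credentials:
    source: InjectedIdentity
---
# 2. Selects the web identity provider explicitly: the provider uses the pod's
#    web identity token and calls AssumeRoleWithWebIdentity for the given role,
#    independent of what the SDK default chain would have chosen.
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: WebIdentity
    webIdentity:
      roleARN: arn:aws:iam::123456789012:role/provider-aws
```

Pinning the role in the ProviderConfig also has a least-privilege benefit over relying on whatever the pod environment happens to resolve: the role the provider assumes is declared in reviewed Kubernetes configuration rather than inferred from injected environment variables.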

@geoffreyme (Contributor)

Thanks for your answer @christophrj.
Yes, I noticed that specifying the roleARN with AssumeRoleWithWebIdentity is working fine, as it's also present in the AUTHENTICATION doc.

Just want to mention that now using source: InjectedIdentity alone seems broken, which corresponds to this part of the doc.

@christophrj (Collaborator, Author)

Thanks for pointing that out, I wasn't aware of that. I will provide a fix that supports AWS_WEB_IDENTITY_TOKEN_FILE (basically the old behavior) and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE tomorrow.
