Partial upgrade of AWS SDK Go packages from V1 to V2

[gargipanatula]

What this PR does / why we need it:
Upgrades some packages of the AWS SDK Go from V1 to V2. The AWS SDK Go V1 is being deprecated on July 31, 2025: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/.

This PR upgrades all packages except the github.com/aws/aws-sdk-go/aws/endpoints package, which is used in partition verification. Given that upgrading that particular functionality will require larger changes, its changes will be pushed out in a separate PR.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Addresses #736, but does not fully close it.

[k8s-ci-robot]

Welcome @gargipanatula!

It looks like this is your first PR to kubernetes-sigs/aws-iam-authenticator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-iam-authenticator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @gargipanatula. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gargipanatula
Once this PR has been reviewed and has the lgtm label, please assign wongma7 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gargipanatula]

No longer setting SharedConfigState, as its behavior when set to SharedConfigEnable is now default in V2:

In V1, SharedConfigEnable sets AWS_SDK_LOAD_CONFIG to a truthy value, so that it loads from the shared config (/.aws/config) and shared credentials (/.aws/credentials) files. (V1 docs)

In V2, using LoadDefaultConfig will load from all supported sources including /.aws/config and /.aws/credentials. (V2 docs).

[gargipanatula]

Note: V2 now uses middleware to add headers, added a test for this.

[bryantbiggs]

/ok-to-test

[kmala]

This is not handled correctly as we are overriding the default region if region is provided in the options right ?

[gargipanatula]

Oh yep, this should've been changed to

if options.Region != "" {
	cfg.Region = options.Region
}

thank you

[kmala]

can we have context passed to the function ?

[kmala]

i think session.Must would panic if error, this would just log the error and continue right?

[gargipanatula]

Ah yes ty - will fix so it also panics.

[kmala]

can we pass context to this function since we are using it multiple places?

[kmala]

why this function if we are adding the ctx parameter as there is a function RetrieveWithContext?

[gargipanatula]

Thank you - that ctx was supposed to be passed into RetrieveWithContext().

FileCacheProvider implements aws.CredentialsProvider, so it needs to implement Retrieve(ctx context.Context) (Credentials, error).

[kmala]

where is this logic moved to?

[gargipanatula]

This was used to convert between V1 and V2 credentials, and now that we've fully switched to V2, we can get rid of it.

Initial commit that added this file: 9cdf38d

[gargipanatula]

/retest

[kmala]

shouldn't we fail the test in this case ?

[kmala]

what's the difference between this and RetrieveWithContext function, can we remove this?

[gargipanatula]

Not totally sure why both exist. Looks like it just used to be Retrieve, but the RetrieveWithContext was introduced when some packages were upgraded a few months ago (9cdf38d)

Retrieve() is necessary for the aws.CredentialsProvider interface, maybe we can just merge the functions.

[kmala]

did you get a chance to test the cache file provider feature?

[gargipanatula]

I was just relying on the existing tests since there weren't major changes to the functionality. I might be missing something though, so if there's something we should test then I can take a look and add that in.

[kmala]

why this additional logic?

[gargipanatula]

If AWS_REGION is not set, then we have to get the region from the instance metadata. Without this, calls will fail because the client won't be configured with a region (sample error from previous e2e test runs: could not get token: operation error STS: GetCallerIdentity, get identity: get credentials: operation error STS: AssumeRole, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region)

V2 documentation link: https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-the-aws-region

[kmala]

isn't the behavior same before in v1 that we set it as empty?

[gargipanatula]

After digging a bit, it looks like this actually stems from STS. In AWS SDK Go V1, if a region was not configured, it would fallback to the global endpoint. In V2, it causes the request to fail (documentation here)

Given this, I'm thinking we should panic if we can't find a region through imds, since it means that GetCallerIdentity will fail.

[kmala]

the function has ctx param, can we use it?

[kmala]

can we use the constant requestPresignParam instead of 60?

[kmala]

this func signature is same as RetrieveWithContext right?

[kmala]

can you get this as input param as the caller stack has it

[kmala]

this should be cfg.region right?

[kmala]

also can we copy/duplicate the cfg and override the http client instead of LoadDefaultConfig again as if something is changed in the original cfg, it has to be done here also?

[kmala]

can we get ctx as param?

[kmala]

i don't see headerSourceAccount is used, can we remove it?

[kmala]

can we get the ctx passed as a param since it called from the handler which already has it?

[kmala]

isn't the behavior same before in v1 that we set it as empty?

[kmala]

did you get a chance to test the cache file provider feature?

[kmala]

this should have the headerSourceAccount also right?

[kmala]

this can just be a string right?

[gargipanatula]

Since we're working with multiple values, I personally find it easier to parse/use them if they're in a data structure. However, if it's more status quo to use a string for the args then I can take a look into that.

[kmala]

Can we pass the context as the function param

[kmala]

this err check is not needed right?