specgen SSM resolver: stale static keys in ~/.aws/credentials shadow SSO profile #137
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#137
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The generated consumer's
ssmTokenResolverloads the aws-sdk-go-v2 default config chain, which prefers static keys in~/.aws/credentialsover an SSO profile of the same name in~/.aws/config. A stale static[default]silently shadows SSO: the API rejects the dead key while the aws CLI (which resolves SSO) keeps working, so only the SDK path breaks and the failure is confusing.Fix: retry the SSM fetch once with the credentials file excluded (
WithSharedCredentialsFiles([]string{})- non-nil empty slice means "read no credentials file") so the config-file SSO profile can resolve, and print a one-line note naming the shadowing file. Static-only users never reach the retry.