chore: remove awsenv package and bootstrap cmd#14
Merged
The awsenv package loaded AWS credentials by writing oidc2aws output to .aws.env and overloading them into the process environment. Once the SDK picked them up via the env-var provider they became static — the SDK had no way to refresh them, so sessions expired during long-running processes. The replacement is AWS's standard credential_process mechanism: declare the profile in ~/.aws/config with `credential_process = oidc2aws ...` and set AWS_PROFILE. The SDK's CredentialsCache then invokes oidc2aws on demand and auto-refreshes before expiry, with no in-process bookkeeping required. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dorothyyzh approved these changes on May 15, 2026
Summary
- `awsenv/` package and `cmd/awsenv-bootstrap/` (only purpose was calling `awsenv.Ensure`).
- `go mod tidy` drops `gofrs/flock`, `joho/godotenv`, and demotes `aws-sdk-go-v2/service/sts` to indirect.
Why
`awsenv.Ensure` ran `oidc2aws -alias <x> --env`, wrote the output to a project-root `.aws.env`, and loaded those values into the process environment via `godotenv.Overload`. After that, the AWS SDK saw `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_SESSION_TOKEN` as static env-var credentials — the env provider has no notion of expiry, so long-running processes kept using stale tokens until calls started failing.
The standard fix is AWS's `credential_process` protocol: declare each profile in `~/.aws/config` with `credential_process = oidc2aws ...` and set `AWS_PROFILE`/`AWS_REGION`. The SDK v2's `CredentialsCache` then re-invokes `oidc2aws` on demand and refreshes credentials transparently before expiry — exactly what `awsenv` was trying (and failing) to do.
Since the SDK handles this natively, the Go-side bootstrap is dead weight and is removed entirely.
Caller update
`github.com/theplant/iam` is the only external caller. Its companion PR removes the `awsenv.Ensure` call from `iam/cmd/console/local_server_test.go`.
Test plan
- `go build ./...`
- `go vet ./...`
- `iam` repo PR merges its caller-removal change
🤖 Generated with Claude Code
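The refresh gap the description above is closing, shown as an added example that is not part of this PR, the `iam` repo or `oidc2aws`: the JSON document a `credential_process` command must print, validated the way an SDK provider does before trusting it, and the expiry check a credential cache can make but the static env-var provider cannot. The JSON sample is constructed, and the refresh window used in the test is an assumed value, not the SDK's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ProcessCredentials is the JSON a credential_process command prints on stdout.
// Version must be 1; Expiration (RFC 3339) is optional and means long-lived if absent.
type ProcessCredentials struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
	Expiration      string `json:"Expiration,omitempty"`
}

// Constructed sample of what an oidc2aws-style credential_process would emit.
const sampleOutput = `{"Version":1,"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"secret",` +
	`"SessionToken":"tok","Expiration":"2026-05-15T12:00:00Z"}`

// parseProcessOutput validates the document before trusting it: supported
// version, both key halves present, and a parsable expiry if one is given.
func parseProcessOutput(out []byte) (ProcessCredentials, time.Time, error) {
	var c ProcessCredentials
	if err := json.Unmarshal(out, &c); err != nil {
		return c, time.Time{}, fmt.Errorf("credential_process: bad JSON: %w", err)
	}
	if c.Version != 1 {
		return c, time.Time{}, fmt.Errorf("credential_process: unsupported Version %d", c.Version)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return c, time.Time{}, fmt.Errorf("credential_process: missing AccessKeyId or SecretAccessKey")
	}
	if c.Expiration == "" {
		return c, time.Time{}, nil // no expiry: long-lived, never refreshed
	}
	exp, err := time.Parse(time.RFC3339, c.Expiration)
	if err != nil {
		return c, time.Time{}, fmt.Errorf("credential_process: bad Expiration: %w", err)
	}
	return c, exp, nil
}

// needsRefresh is the decision a CredentialsCache can make and the env-var provider
// cannot: refresh once now is within `window` of Expiration. A zero exp never refreshes.
func needsRefresh(exp, now time.Time, window time.Duration) bool {
	return !exp.IsZero() && !now.Add(window).Before(exp)
}
```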