Support GOBUILDCACHE_-prefixed AWS env vars to prevent env leakage#15
Merged
richardartoul merged 1 commit intorichardartoul:mainfrom Apr 6, 2026
Conversation
When gobuildcache is used as GOCACHEPROG, standard AWS env vars (AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) set in the shell are inherited by all child processes, including test binaries spawned by go test. This causes issues when test code reads these vars and gets unexpected values (e.g., SRG component tests seeing AWS_REGION=us-west-2 from the build cache config). This adds support for GOBUILDCACHE_AWS_REGION, GOBUILDCACHE_AWS_ACCESS_KEY_ID, GOBUILDCACHE_AWS_SECRET_ACCESS_KEY, and GOBUILDCACHE_AWS_SESSION_TOKEN, using the existing getEnvWithPrefix convention. Users can now set only the prefixed vars, keeping standard AWS_* vars out of the environment entirely so other processes are unaffected. Also adds: - Validation that access key and secret key are both set or both unset - AWS_SESSION_TOKEN support for temporary credentials (STS, SSO) - S3Config struct to keep env var resolution in main.go
richardartoul
approved these changes
Apr 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When gobuildcache is used as
GOCACHEPROG, standard AWS env vars (AWS_REGION,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY) set in the shell are inherited by all child processes, including test binaries spawned bygo test. This causes issues when test code reads these vars and gets unexpected values — for example, SRG component tests seeingAWS_REGION=us-west-2from the build cache config rather than their expected value.This PR adds support for
GOBUILDCACHE_-prefixed AWS env vars, using the existinggetEnvWithPrefixconvention already established for all other gobuildcache configuration. Users can now set only the prefixed vars (e.g.,GOBUILDCACHE_AWS_REGION), keeping standardAWS_*vars out of the environment entirely so other processes are unaffected.Changes
pkg/backends/s3.go:NewS3now accepts anS3Configstruct with region, access key, secret key, and session token. The backend no longer reads env vars directly — that responsibility stays inmain.gowith all other config resolution.main.go: AddedresolveS3Config()using the existinggetEnvWithPrefixhelper. Includes validation that errors if only one of access key / secret key is set (catches misconfiguration instead of silently falling back to the default credential chain).env_test.go: AddedTestResolveS3Configwith 6 test cases covering prefix precedence, unprefixed fallback, partial credential errors, and optional session token.README.md: Updated S3 usage example and config table to document the new prefixed AWS vars includingGOBUILDCACHE_AWS_SESSION_TOKEN.Why this is safe
AWS_*vars still work as fallbacks whenGOBUILDCACHE_*vars aren't set.getEnvWithPrefixconvention is already established and well-tested for all other gobuildcache config vars — this just extends it to AWS vars.GOBUILDCACHE_AWS_SESSION_TOKEN) enables users with temporary credentials (STS AssumeRole, SSO) to use the prefixed env var flow.Test plan
TestResolveS3Configcovers: empty config, prefix precedence, unprefixed fallback, partial credential errors (both directions), optional session token