remove source check during role assume

Author: onyxraven

.nvmrc

@@ -0,0 +1 @@
+22

packages/nodes-base/credentials/common/aws/system-credentials-utils.ts

@@ -3,15 +3,15 @@ import { Container } from '@n8n/di';
 import { ApplicationError } from 'n8n-workflow';
 
 type Resolvers = 'environment' | 'podIdentity' | 'containerMetadata' | 'instanceMetadata';
-type RetrunData = {
+type ReturnData = {
 	accessKeyId: string;
 	secretAccessKey: string;
 	sessionToken?: string;
 };
 
 export const envGetter = (key: string): string | undefined => process.env[key];
 
-export const credentialsResolver: Record<Resolvers, () => Promise<RetrunData | null>> = {
+export const credentialsResolver: Record<Resolvers, () => Promise<ReturnData | null>> = {
 	environment: getEnvironmentCredentials,
 	instanceMetadata: getInstanceMetadataCredentials,
 	containerMetadata: getContainerMetadataCredentials,

packages/nodes-base/credentials/common/aws/utils.test.ts

@@ -37,7 +37,7 @@ describe('assumeRole', () => {
 	});
 
 	describe('with system credentials', () => {
-		it('should successfully assume role using system credentials', async () => {
+		it('should successfully assume role using system credentials by environment', async () => {
 			const credentials: AwsAssumeRoleCredentialsType = {
 				region: 'us-east-1',
 				customEndpoints: false,
@@ -113,6 +113,82 @@ describe('assumeRole', () => {
 			);
 		});
 
+		it('should successfully assume role using system credentials by instanceMetadata', async () => {
+			const credentials: AwsAssumeRoleCredentialsType = {
+				region: 'us-east-1',
+				customEndpoints: false,
+				useSystemCredentialsForRole: true,
+				roleArn: 'arn:aws:iam::123456789012:role/TestRole',
+				roleSessionName: 'test-session',
+			};
+
+			const mockSystemCredentials = {
+				accessKeyId: 'system-access-key',
+				secretAccessKey: 'system-secret-key',
+				sessionToken: 'system-session-token',
+				source: 'instanceMetadata' as const,
+			};
+
+			jest
+				.spyOn(systemCredentialsUtils, 'getSystemCredentials')
+				.mockResolvedValue(mockSystemCredentials);
+
+			const mockResponse = {
+				ok: true,
+				text: jest.fn().mockResolvedValue(`<?xml version="1.0" encoding="UTF-8"?>
+					<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+						<AssumeRoleResult>
+							<Credentials>
+								<AccessKeyId>assumed-access-key</AccessKeyId>
+								<SecretAccessKey>assumed-secret-key</SecretAccessKey>
+								<SessionToken>assumed-session-token</SessionToken>
+							</Credentials>
+						</AssumeRoleResult>
+					</AssumeRoleResponse>`),
+			};
+
+			mockFetch.mockResolvedValue(mockResponse as any);
+
+			mockParseString.mockImplementation((_xml, _options, callback) => {
+				callback(null, {
+					AssumeRoleResponse: {
+						AssumeRoleResult: {
+							Credentials: {
+								AccessKeyId: 'assumed-access-key',
+								SecretAccessKey: 'assumed-secret-key',
+								SessionToken: 'assumed-session-token',
+							},
+						},
+					},
+				});
+			});
+
+			const result = await assumeRole(credentials, 'us-east-1');
+
+			expect(result).toEqual({
+				accessKeyId: 'assumed-access-key',
+				secretAccessKey: 'assumed-secret-key',
+				sessionToken: 'assumed-session-token',
+			});
+
+			expect(systemCredentialsUtils.getSystemCredentials).toHaveBeenCalled();
+			expect(mockSign).toHaveBeenCalledWith(
+				expect.objectContaining({
+					method: 'POST',
+					path: '/',
+					region: 'us-east-1',
+				}),
+				mockSystemCredentials,
+			);
+			expect(mockFetch).toHaveBeenCalledWith(
+				'https://sts.us-east-1.amazonaws.com',
+				expect.objectContaining({
+					method: 'POST',
+					body: expect.stringContaining('Action=AssumeRole'),
+				}),
+			);
+		});
+
 		it('should throw error when system credentials are not available', async () => {
 			const credentials: AwsAssumeRoleCredentialsType = {
 				region: 'us-east-1',

packages/nodes-base/credentials/common/aws/utils.ts

@@ -252,13 +252,7 @@ export async function assumeRole(
 				'System AWS credentials are required for role assumption. Please ensure AWS credentials are available via environment variables, instance metadata, or container role.',
 			);
 		}
-		if (systemCredentials.source !== 'environment') {
-			return {
-				accessKeyId: systemCredentials.accessKeyId,
-				secretAccessKey: systemCredentials.secretAccessKey,
-				sessionToken: systemCredentials.sessionToken as string,
-			};
-		}
+
 		stsCallCredentials = systemCredentials;
 	} else {
 		if (!credentials.stsAccessKeyId || credentials.stsAccessKeyId.trim() === '') {