Skip to content

fix(Aws): Remove SystemCredentials source check during AWS role assume #22859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
onyxraven wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(Aws): Remove SystemCredentials source check during AWS role assume #22859

onyxraven wants to merge 1 commit into from
+80 −10

Conversation

@onyxraven
Copy link

@onyxraven onyxraven commented Dec 5, 2025
edited
Loading

Summary

This removes the 'source === "environment"' check done during the role assume for AWS SystemCredentials.

In every case of the SystemCredentials usage for AWS, it is supposed to assume the role required during credential setup (with the given externalId as well). The previous conditional would only do that assume if it was via environment. This left out the (recently added) pod, container, and instance sources, and those would return the system credentials instead (unintended, I think, and a potential security risk). These sources should act the same way.

I added a test using one of the other sources, and red-green tested. I've also tested this "in practice" along with my other PR (#22316) in our environment.

Related Linear tickets, Github issues, and Community forum posts

Fixes #21961

(https://linear.app/n8n/issue/GHC-5527)

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

onyxraven
onyxraven commented Dec 5, 2025
View reviewed changes
packages/nodes-base/credentials/common/aws/system-credentials-utils.ts

type Resolvers = 'environment' | 'podIdentity' | 'containerMetadata' | 'instanceMetadata';
type RetrunData = {
type ReturnData = {
Copy link
Author

@onyxraven onyxraven Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While stepping through understanding, noticed this misspelling. This type is not exported and only used below.

packages/nodes-base/credentials/common/aws/utils.test.ts
);
});

it('should successfully assume role using system credentials by instanceMetadata', async () => {
Copy link
Author

@onyxraven onyxraven Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ultimately, this could (should?) iterate through each source type and ensure it behaves as intended.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

@n8n-assistant n8n-assistant bot added community Authored by a community member node/improvement New feature or request in linear Issue or PR has been created in Linear for internal review labels Dec 5, 2025
@n8n-assistant
Copy link

n8n-assistant bot commented Dec 5, 2025

Hey @onyxraven,

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email [email protected] and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-5801". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

community Authored by a community member in linear Issue or PR has been created in Linear for internal review node/improvement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AWS (Assume Role) Credential Not Working in Workflows

1 participant

@onyxraven