[Bug]: IRSA can no longer default to the node role #1466

Open
1 task done
vibe opened this issue Aug 22, 2024 · 2 comments
Labels
bug Something isn't working needs:triage

Comments


vibe commented Aug 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

No response

Resource MRs required to reproduce the bug

```yaml
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: IRSA
```

Steps to Reproduce

  • Deploy AWS Provider with a default config with credentials source set to IRSA.

What happened?

Related to Issue #1252

Versions prior to 1.3 allowed configuring IRSA with no further annotations, which defaulted to using the node role.

Not sure I quite follow the "why", but the new cache implementation requires AWS_WEB_IDENTITY_TOKEN_FILE to exist otherwise it will fail.

```go
tokenHash, err := hashTokenFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
if err != nil {
```

Relevant Error Output Snippet

No response

Crossplane Version

1.6

Provider Version

1.11

Kubernetes Version

No response

Kubernetes Distribution

No response

Additional Info

EKS

@vibe vibe added bug Something isn't working needs:triage labels Aug 22, 2024

vibe commented Aug 22, 2024

I understand there is additional configuration that can be applied to restore functionality, but it seems like an oversight to introduce breaking changes to default behavior.

haarchri (Member) commented

I talked about this behaviour with @erhancagirici when implementing #1459. We were falling back to the default chain before 1.3 with IRSA, and we will do it now with the new PodIdentity feature when we don't find the expected behaviours in the environment / files etc.

https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials

I think it would be better if we force IRSA, PodIdentity and implement an additional type for EC2 / Node Credentials.
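The behaviour discussed in this thread, as an added Go example that is not part of the issue or the provider's code: an IRSA cache key that fails with a distinct error when `AWS_WEB_IDENTITY_TOKEN_FILE` is missing instead of silently using the node role, with node credentials available only as an explicit source. The `NodeRole` source name, `cacheKey`, `ErrNoWebIdentityToken` and this `hashTokenFile` body are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Hypothetical sources; "NodeRole" is an assumed name for an explicit opt-in.
const (
	SourceIRSA     = "IRSA"
	SourceNodeRole = "NodeRole"
)

var ErrNoWebIdentityToken = errors.New("IRSA selected but AWS_WEB_IDENTITY_TOKEN_FILE is unset or unreadable")

// hashTokenFile (stand-in) hashes the projected token so the key changes on rotation.
func hashTokenFile(path string) (string, error) {
	if path == "" {
		return "", ErrNoWebIdentityToken
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrNoWebIdentityToken, err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// cacheKey builds a credential cache key for a ProviderConfig name and source.
func cacheKey(source, configName string) (string, error) {
	switch source {
	case SourceIRSA:
		h, err := hashTokenFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
		if err != nil {
			return "", err // no silent fallback to the node's instance role
		}
		return configName + ":irsa:" + h, nil
	case SourceNodeRole:
		return configName + ":node", nil // node credentials only when asked for
	}
	return "", fmt.Errorf("unsupported credential source %q", source)
}

func main() {
	fmt.Println(cacheKey(SourceIRSA, "default"))
}
```

Callers can use `errors.Is(err, ErrNoWebIdentityToken)` to report a misconfigured service account separately from other credential failures.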
