Fix: don't try to retrieve credentials before we need them

njvrzm · njvrzm · commit 8a9d409cd39f · 2025-05-27T13:39:27.000+02:00
This was causing an issue in Grafana Cloud.
Also updates CHANGELOG for release
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
+## 0.38.5
+- Fix externalID handling by @njvrzm in [#246](https://github.com/grafana/grafana-aws-sdk/pull/246)
+- Add CloudWatch AWS/EKS metrics and dimensions by @jangaraj in [#242](https://github.com/grafana/grafana-aws-sdk/pull/242)
+- Bump github.com/grafana/grafana-plugin-sdk-go by @dependabot in [#241](https://github.com/grafana/grafana-aws-sdk/pull/241)
+
 ## 0.38.4
 - Add AvailableMemory metric for the DMS service by @andriikushch in [#244](https://github.com/grafana/grafana-aws-sdk/pull/244)
 - Github actions: Add token write permission by @idastambuk in [#243](https://github.com/grafana/grafana-aws-sdk/pull/243)
diff --git a/pkg/awsauth/auth.go b/pkg/awsauth/auth.go
@@ -66,11 +66,6 @@ func (rcp *awsConfigProvider) GetConfig(ctx context.Context, authSettings Settin
 		}
 	}
 
-	_, err = cfg.Credentials.Retrieve(ctx)
-	if err != nil {
-		return aws.Config{}, fmt.Errorf("error retrieving credentials: %w", err)
-	}
-
 	rcp.cache[key] = cfg
 	return cfg, nil
 }
diff --git a/pkg/awsauth/auth_test.go b/pkg/awsauth/auth_test.go
@@ -46,14 +46,18 @@ func (tc testCase) Run(t *testing.T) {
 		require.Error(t, err)
 	} else {
 		require.NoError(t, err)
-		tc.assertConfig(t, cfg)
-		creds, _ := cfg.Credentials.Retrieve(ctx)
-		if tc.authSettings.GetAuthType() == AuthTypeKeys && tc.authSettings.SessionToken != "" {
-			assert.Equal(t, tc.authSettings.SessionToken, creds.SessionToken)
+		creds, err := cfg.Credentials.Retrieve(ctx)
+		if tc.assumeRoleShouldFail {
+			require.Error(t, err)
+		} else {
+			tc.assertConfig(t, cfg)
+			if tc.authSettings.GetAuthType() == AuthTypeKeys && tc.authSettings.SessionToken != "" {
+				assert.Equal(t, tc.authSettings.SessionToken, creds.SessionToken)
+			}
+			accessKey, secret := tc.getExpectedKeyAndSecret(t)
+			assert.Equal(t, accessKey, creds.AccessKeyID)
+			assert.Equal(t, secret, creds.SecretAccessKey)
 		}
-		accessKey, secret := tc.getExpectedKeyAndSecret(t)
-		assert.Equal(t, accessKey, creds.AccessKeyID)
-		assert.Equal(t, secret, creds.SecretAccessKey)
 	}
 	if isStsEndpoint(&tc.authSettings.Endpoint) {
 		assert.Equal(t, tc.authSettings.Endpoint, *client.assumeRoleClient.stsConfig.BaseEndpoint)
@@ -208,7 +212,6 @@ func TestGetAWSConfig_Keys_AssumeRule(t *testing.T) {
 				AssumeRoleARN: "arn:aws:iam::1234567890:role/aws-service-role",
 			},
 			assumeRoleShouldFail: true,
-			shouldError:          true,
 		},
 	}.runAll(t)
 }

Original file line number	Diff line number	Diff line change
`@@ -66,11 +66,6 @@ func (rcp *awsConfigProvider) GetConfig(ctx context.Context, authSettings Settin`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`
`69`		`- _, err = cfg.Credentials.Retrieve(ctx)`
`70`		`- if err != nil {`
`71`		`- return aws.Config{}, fmt.Errorf("error retrieving credentials: %w", err)`
`72`		`- }`
`73`		`-`
`74`	`69`	`rcp.cache[key] = cfg`
`75`	`70`	`return cfg, nil`
`76`	`71`	`}`