fix(services/s3): environment/config role_arn ignored #4178

[ZachNo]

Fixes #4178, which is a bug where the role_arn set by environment variables or config file is ignored for role assumption.

[Xuanwo]

I remembered that it's by design that role_arn not loaded from env and config because of the different between AssumeRoleArn and AssumeRoleArnWithWebIdentityToken.

Cc @everpcpc do you have comments on this change?

[ZachNo]

Current behavior of AWS_ROLE_ARN envar for AWS CLI does currently only support WebIdentityToken roles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html skip to AWS_ROLE_ARN)

However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.

[Xuanwo]

However role_arn from a config file does support normal assumable roles, so if we want to mimic AWS CLI behavior, it needs to be different between env and config loading.

I'm guessing this is another issue that reqsign doesn't support source_credential yet.

[everpcpc]

But source_credential is already supported by reqsign?

[Xuanwo]

But source_credential is already supported by reqsign?

We only accept source_credential in AssumeRoleLoader. This doesn't work while user have config like:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1

or

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

[everpcpc]

Maybe we could handle like this:
https://github.com/boto/botocore/blob/7fd4057baac5298fbf594980f618a57dd51b71ad/botocore/credentials.py#L1485

[Xuanwo]

Maybe we could handle like this: boto/botocore@7fd4057/botocore/credentials.py#L1485

Agreed. It's reqsign side work, let's migrate to there instead.