From fc7abfcd0b3b5cf14a21787238041141fc1cf8a0 Mon Sep 17 00:00:00 2001
From: Phil Sheets
Date: Mon, 29 Jul 2024 15:40:55 -0400
Subject: [PATCH 1/2] solution for issue 17849, adding default fallback to aws
default credential provider chain
---
src/connector/src/connector_common/common.rs | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/connector/src/connector_common/common.rs b/src/connector/src/connector_common/common.rs
index 92bb7d9c3067..7dc51729a583 100644
--- a/src/connector/src/connector_common/common.rs
+++ b/src/connector/src/connector_common/common.rs
@@ -104,7 +104,7 @@ impl AwsAuthProps {
}
}
- fn build_credential_provider(&self) -> ConnectorResult {
+ async fn build_credential_provider(&self) -> ConnectorResult {
if self.access_key.is_some() && self.secret_key.is_some() {
Ok(SharedCredentialsProvider::new(
aws_credential_types::Credentials::from_keys(
@@ -114,7 +114,9 @@ impl AwsAuthProps {
),
))
} else {
- bail!("Both \"access_key\" and \"secret_key\" are required.")
+ Ok(SharedCredentialsProvider::new(
+ aws_config::default_provider::credentials::default_provider().await,
+ ))
}
}
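Review bot: When only one of `access_key` / `secret_key` is set, the new `else` branch silently falls back to the default provider chain, so a missing or misspelled key makes the connector authenticate with whatever ambient identity the host has instead of failing. The removed `bail!` covered that case; keep it for the partial configuration by adding, before the existing `if`, `if self.access_key.is_some() != self.secret_key.is_some() { bail!("Both \"access_key\" and \"secret_key\" are required.") }`. The same fall-through remains in the `else if` branch of the follow-up patch's last hunk. The body of `build_credential_provider` begins outside this hunk.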
@@ -140,7 +142,7 @@ impl AwsAuthProps {
pub async fn build_config(&self) -> ConnectorResult {
let region = self.build_region().await?;
let credentials_provider = self
- .with_role_provider(self.build_credential_provider()?)
+ .with_role_provider(self.build_credential_provider().await?)
.await?;
let mut config_loader = aws_config::from_env()
.region(region)
From a9f2abc7d604c13e6f5d8e940ec2e776a6f4bee4 Mon Sep 17 00:00:00 2001
From: Eric Fu
Date: Tue, 6 Aug 2024 14:07:33 +0800
Subject: [PATCH 2/2] add an env var to control it
---
src/connector/src/connector_common/common.rs | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/connector/src/connector_common/common.rs b/src/connector/src/connector_common/common.rs
index 78aeb76fbf7b..1c911c5a3992 100644
--- a/src/connector/src/connector_common/common.rs
+++ b/src/connector/src/connector_common/common.rs
@@ -46,6 +46,10 @@ pub const PRIVATE_LINK_TARGETS_KEY: &str = "privatelink.targets";
const AWS_MSK_IAM_AUTH: &str = "AWS_MSK_IAM";
+/// The environment variable to disable using default credential from environment.
+/// It's recommended to set this variable to `false` in cloud hosting environment.
+const DISABLE_DEFAULT_CREDENTIAL: &str = "DISABLE_DEFAULT_CREDENTIAL";
+
#[derive(Debug, Clone, Deserialize)]
pub struct AwsPrivateLinkItem {
pub az_id: Option,
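Review bot: The doc comment on `DISABLE_DEFAULT_CREDENTIAL` appears inverted. The last hunk of this patch uses the default chain when `!env_var_is_true(DISABLE_DEFAULT_CREDENTIAL)`, so setting the variable to `false` leaves the fallback enabled, which is presumably not what is intended for a cloud hosting environment. Suggested wording: `/// Set this environment variable to true to disable falling back to the AWS default credential provider chain.` followed by `/// Recommended in cloud hosting environments.` The exact values `env_var_is_true` accepts are not visible here, so name them in the comment once confirmed.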
@@ -57,6 +61,7 @@ use aws_config::sts::AssumeRoleProvider;
use aws_credential_types::provider::SharedCredentialsProvider;
use aws_types::region::Region;
use aws_types::SdkConfig;
+use risingwave_common::util::env_var::env_var_is_true;
/// A flatten config map for aws auth.
#[derive(Deserialize, Debug, Clone, WithOptions)]
@@ -113,10 +118,12 @@ impl AwsAuthProps {
self.session_token.clone(),
),
))
- } else {
+ } else if !env_var_is_true(DISABLE_DEFAULT_CREDENTIAL) {
Ok(SharedCredentialsProvider::new(
aws_config::default_provider::credentials::default_provider().await,
))
+ } else {
+ bail!("Both \"access_key\" and \"secret_key\" are required.")
}
}
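Review bot: The fallback in the `else if` branch is opt-out: with `DISABLE_DEFAULT_CREDENTIAL` unset, any connector defined without keys gets the host's ambient AWS credentials, so a hosted deployment relies on the operator remembering to set the variable. Consider making the fallback opt-in, or at least logging when the default chain is selected so that use of ambient credentials is auditable. The `bail!` in the final `else` is now reached only when the variable is true, and its message should say so, for example `bail!("Both \"access_key\" and \"secret_key\" are required because default credentials are disabled.")`. `build_credential_provider` begins outside this hunk.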