[VAULT-22277] AWS SDK Migration to Version 2 #191
Conversation
Pull request overview
This PR migrates the vault-lambda-extension codebase from AWS SDK for Go v1 to AWS SDK for Go v2, updating runtime client initialization and the Vault AWS IAM login flow (STS request construction/signing), along with associated tests and dependency updates.
Changes:
- Replace AWS SDK v1 session-based initialization with AWS SDK v2 `config.LoadDefaultConfig` and v2 STS clients.
- Refactor Vault IAM login to manually construct and SigV4-sign an STS `GetCallerIdentity` request using AWS SDK v2 signing utilities.
- Update test tooling and local test containers/configuration (Dockerfiles, compose, quick-start defaults) to match the new SDK/tooling direction.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| main.go | Switches to AWS SDK v2 config loading and passes v2 aws.Config into the Vault client. |
| internal/vault/client.go | Updates client to use v2 STS client; rewrites IAM login request signing and adds STS endpoint resolver helper. |
| internal/vault/client_test.go | Updates unit tests to use v2 config + v2 STS client construction. |
| internal/ststest/sts.go | Refactors FakeSTS helper to configure an aws.Config (v2) instead of a v1 session. |
| internal/proxy/proxy_test.go | Updates proxy tests to use v2 AWS config and updated Vault client constructor signature. |
| go.mod / go.sum | Replaces v1 AWS SDK dependency with AWS SDK v2 modules and updates indirect deps. |
| test/lambda/Dockerfile | Updates Vault base image and Go builder image used for local/integration testing. |
| test/api/Dockerfile | Updates Go builder image used for local API test container build. |
| test/docker-compose.yaml | Updates Vault image version and adds IPC_LOCK capability for the Vault container. |
| quick-start/terraform/variables.tf | Updates default EC2 instance type for the quick-start environment. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Balaji2198
left a comment
Thanks for working on this. Added a few comments.
For manual testing, could you please use the Quickstart example in hashicorp/vault-lambda-extension to verify these changes if that hasn’t been done already?
….AssumedRoleArn (i.e roleToAssumeArn) are set
Thank you for the suggestion. I have already followed the Quickstart example and tested these changes on my end.
…e specified instance type does not match the architecture arm64 of the specified AMI'
d580980
Description
This pull request migrates the project from the legacy AWS SDK for Go (aws-sdk-go) to the modern AWS SDK for Go v2 (aws-sdk-go-v2). This update affects the main application code, tests, and dependencies, and brings the codebase up to date with the current AWS SDK.
Key Changes:
- Replaced all usage of `github.com/aws/aws-sdk-go` with `github.com/aws/aws-sdk-go-v2` and its submodules throughout the codebase, including main logic, tests, and supporting modules.
- Refactored how AWS sessions, credentials, and service clients are initialized and used. Vault AWS authentication flows were updated to use SDK v2 configuration and credential provider patterns, including STS client usage and request-signing behavior changes required by v2 APIs.
- Updated the Dockerfile to use the latest available base image and dependencies to ensure compatibility with the AWS SDK v2 migration.
- Additionally, this PR changes the default EC2 instance type in the quick-start Terraform configuration.
- Client now uses constructor-provided `authConfig` (`c.authConfig`) instead of Config from the environment (`config.AuthConfigFromEnv()`).
Previously, the configuration would always pick the latest Ubuntu AMI, including ARM-based variants. Since the instance type uses the x86_64 architecture, this could result in errors such as:
"Error: creating EC2 Instance: InvalidParameterValue: The architecture 'x86_64' of the specified instance type does not match the architecture 'arm64' of the specified AMI."
This change ensures that only x86 Ubuntu AMIs are selected, keeping the AMI architecture aligned with the instance architecture.
Testing: Verified stability through unit tests, build checks, and AWS acceptance tests for all updated functionality.
Code Cleanup: Removed deprecated utilities and updated helper functions to use supported Go and AWS SDK v2 methods.
Ticket: VAULT-22277
Testing Evidence:
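The login flow this PR reworks (build an STS GetCallerIdentity request, SigV4-sign it, and hand the method, URL, body and headers to Vault's auth/aws/login endpoint), shown as an added Go example. It is neither the extension's code nor the SDK's: it re-implements SigV4 with the standard library in place of the SDK v2 signer so every step of the signing is visible, and the credentials, region, STS host, timestamp, role name and X-Vault-AWS-IAM-Server-ID value are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Credentials stands in for what an SDK v2 credential provider returns;
// every value used below is a constructed placeholder, never a real key.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

const stsMethod, stsBody = "POST", "Action=GetCallerIdentity&Version=2011-06-15"

// SignedSTSRequest keeps the SigV4 intermediates next to the headers; they are what you compare when STS rejects a signature.
type SignedSTSRequest struct {
	URL, CanonicalRequest, StringToSign, Signature string
	Headers                                        map[string]string
}

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

func sha256Hex(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s))) }

// SignGetCallerIdentity builds the STS GetCallerIdentity request and signs it
// with SigV4, hand-rolled here to show the steps the SDK v2 signer performs.
// A non-empty serverID is sent as X-Vault-AWS-IAM-Server-ID, which binds the
// signed request to the Vault deployment configured with that value.
func SignGetCallerIdentity(creds Credentials, region, stsHost, serverID string, now time.Time) SignedSTSRequest {
	amzDate := now.UTC().Format("20060102T150405Z")
	headers := map[string]string{ // lowercase names: the canonical form requires them sorted and lowercased
		"content-type": "application/x-www-form-urlencoded; charset=utf-8",
		"host":         stsHost,
		"x-amz-date":   amzDate,
	}
	if creds.SessionToken != "" { // temporary credentials, e.g. a Lambda execution role
		headers["x-amz-security-token"] = creds.SessionToken
	}
	if serverID != "" {
		headers["x-vault-aws-iam-server-id"] = serverID
	}
	names := make([]string, 0, len(headers))
	for k := range headers {
		names = append(names, k)
	}
	sort.Strings(names)
	var canon strings.Builder
	for _, k := range names {
		canon.WriteString(k + ":" + headers[k] + "\n")
	}
	signedHeaders := strings.Join(names, ";")
	// Canonical request: method, path (always "/" for STS), empty query, headers, signed list, body hash.
	canonicalRequest := strings.Join([]string{stsMethod, "/", "", canon.String(), signedHeaders, sha256Hex(stsBody)}, "\n")
	scope := amzDate[:8] + "/" + region + "/sts/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)}, "\n")
	// Signing key chain: "AWS4"+secret -> date -> region -> service -> "aws4_request".
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), amzDate[:8])
	kSigning := hmacSHA256(hmacSHA256(hmacSHA256(kDate, region), "sts"), "aws4_request")
	signature := fmt.Sprintf("%x", hmacSHA256(kSigning, stringToSign))
	headers["authorization"] = fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, signature)
	return SignedSTSRequest{URL: "https://" + stsHost + "/", Headers: headers,
		CanonicalRequest: canonicalRequest, StringToSign: stringToSign, Signature: signature}
}

// VaultIAMLoginPayload turns the signed request into the body for Vault's
// auth/aws/login endpoint. Vault replays the request to STS and trusts the
// identity STS reports, so the caller's secret key never reaches Vault.
func VaultIAMLoginPayload(role string, r SignedSTSRequest) map[string]string {
	hdr := make(map[string][]string, len(r.Headers)) // Vault expects header -> []string
	for k, v := range r.Headers {
		hdr[k] = []string{v}
	}
	hdrJSON, _ := json.Marshal(hdr) // cannot fail for map[string][]string
	b64 := base64.StdEncoding.EncodeToString
	return map[string]string{
		"role":                    role,
		"iam_http_request_method": stsMethod,
		"iam_request_url":         b64([]byte(r.URL)),
		"iam_request_body":        b64([]byte(stsBody)),
		"iam_request_headers":     b64(hdrJSON),
	}
}

func main() {
	// Constructed placeholder credentials and a fixed clock make the run reproducible.
	creds := Credentials{AccessKeyID: "AKIAIOSFODNN7EXAMPLE", SecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
	signed := SignGetCallerIdentity(creds, "us-east-1", "sts.us-east-1.amazonaws.com", "vault.example.com", time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC))
	out, _ := json.MarshalIndent(VaultIAMLoginPayload("lambda-role", signed), "", "  ")
	fmt.Println(string(out))
}
```

Two things worth checking in a migration like this one: the region in the credential scope has to be the region of the STS host actually signed against (a regional endpoint such as sts.us-east-1.amazonaws.com is signed with us-east-1, which is why an endpoint resolver helper matters), and with a Lambda execution role the session token has to be both sent as X-Amz-Security-Token and listed in SignedHeaders, as the example does. Sending X-Vault-AWS-IAM-Server-ID and configuring the matching iam_server_id_header_value on the Vault auth mount means a signed request is only valid for that one Vault deployment, so a captured request cannot be presented to a different Vault.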