hashicorp / boundary-plugin-aws

Boundary Host Plugin (AWS)
Mozilla Public License 2.0

Plugin should use AWS SDK Credential Resolution Order #12

Open the-maldridge opened 2 years ago

the-maldridge commented 2 years ago

Right now it is impossible to use the AWS plugin without specifying a key via the API. When running boundary controllers on AWS instances this is a documented anti-pattern and the instance profile should be used instead.

What would it take to get this changed? I can put together a patch if there's good documentation around this.

william00179 commented 1 year ago

Agreed that this is currently a major issue with this plugin. Our environment prohibits IAM credential creation (via an SCP), so there is no workaround possible for us here.

It looks like the fix here should be very simple. It should just be a case of using the default credential provider chain from the included AWS SDK.

This would then allow our instance IAM role to be used.
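To make the "default credential provider chain" concrete, here is an added example (not code from the plugin or from the AWS SDK) of a resolution chain written with only the Go standard library: explicit keys first (the plugin's current API-supplied credentials), then environment variables, then the shared credentials file, then the EC2 instance profile. The provider names, the injected environment map, the inline file content and the stubbed `Fetch` function standing in for the instance metadata service are all assumptions made so that the example runs offline; a real plugin would simply hand this job to the SDK's own default chain, which also includes steps (ECS task roles, web identity, SSO) omitted here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Credentials is a resolved key pair plus the chain link that supplied it.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken, Source string
}

// Provider is one link in the chain; ErrNoCredentials means "skip me, try the next".
type Provider interface{ Retrieve() (Credentials, error) }

var ErrNoCredentials = errors.New("no credentials from this provider")

// StaticProvider models keys passed explicitly (the plugin's API attributes today).
type StaticProvider struct{ AccessKeyID, SecretAccessKey string }

func (p StaticProvider) Retrieve() (Credentials, error) {
	if p.AccessKeyID == "" || p.SecretAccessKey == "" {
		return Credentials{}, ErrNoCredentials
	}
	return Credentials{AccessKeyID: p.AccessKeyID, SecretAccessKey: p.SecretAccessKey, Source: "static"}, nil
}

// EnvProvider reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN.
// The environment is injected as a map (assumption) so the example never touches os.Environ.
type EnvProvider struct{ Env map[string]string }

func (p EnvProvider) Retrieve() (Credentials, error) {
	id, sec := p.Env["AWS_ACCESS_KEY_ID"], p.Env["AWS_SECRET_ACCESS_KEY"]
	if id == "" || sec == "" {
		return Credentials{}, ErrNoCredentials
	}
	return Credentials{AccessKeyID: id, SecretAccessKey: sec, SessionToken: p.Env["AWS_SESSION_TOKEN"], Source: "env"}, nil
}

// SharedFileProvider parses the INI-style shared credentials file for one profile.
// Content is passed in directly (normally read from ~/.aws/credentials).
type SharedFileProvider struct{ Content, Profile string }

func (p SharedFileProvider) Retrieve() (Credentials, error) {
	section, vals := "", map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(p.Content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue // blank line or comment
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			section = strings.TrimSpace(line[1 : len(line)-1])
		case section == p.Profile:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
				vals[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	id, sec := vals["aws_access_key_id"], vals["aws_secret_access_key"]
	if id == "" || sec == "" {
		return Credentials{}, ErrNoCredentials
	}
	return Credentials{AccessKeyID: id, SecretAccessKey: sec, SessionToken: vals["aws_session_token"], Source: "shared-file"}, nil
}

// InstanceProfileProvider is the last link: the EC2 instance metadata service.
// Fetch is injected (a real client would query IMDSv2 over HTTP) so the example stays offline.
type InstanceProfileProvider struct{ Fetch func() (Credentials, error) }

func (p InstanceProfileProvider) Retrieve() (Credentials, error) {
	if p.Fetch == nil {
		return Credentials{}, ErrNoCredentials
	}
	c, err := p.Fetch()
	if err != nil {
		return Credentials{}, ErrNoCredentials // IMDS unreachable: not on EC2, or no role attached
	}
	c.Source = "instance-profile"
	return c, nil
}

// Resolve walks the chain in order and returns the first link that yields credentials.
func Resolve(chain ...Provider) (Credentials, error) {
	for _, p := range chain {
		if c, err := p.Retrieve(); err == nil {
			return c, nil
		}
	}
	return Credentials{}, errors.New("no credentials found in chain")
}

// DefaultChain: explicit keys first, then the SDK-style fallbacks in order.
func DefaultChain(static StaticProvider, env map[string]string, sharedFile string, imds func() (Credentials, error)) []Provider {
	return []Provider{static, EnvProvider{env}, SharedFileProvider{sharedFile, "default"}, InstanceProfileProvider{imds}}
}

func main() {
	// Constructed inputs: no explicit keys, no env vars, empty shared file, stubbed IMDS.
	// This is the case the issue asks for: the instance role is used without any API key.
	imds := func() (Credentials, error) {
		return Credentials{AccessKeyID: "ASIAEXAMPLEROLE", SecretAccessKey: "example-secret", SessionToken: "example-token"}, nil
	}
	c, err := Resolve(DefaultChain(StaticProvider{}, nil, "", imds)...)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("credentials from %s (key %s)\n", c.Source, c.AccessKeyID)
}
```

The point of the ordering is that an operator who supplies nothing explicit, and runs the controller on an instance with a role attached, ends up on the last link rather than with an error; an operator who does supply keys keeps today's behaviour because the static link is checked first.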

jefferai commented 1 year ago

See https://github.com/hashicorp/boundary-plugin-host-aws/issues/14#issuecomment-1262536097

It's not that this can't be changed, but it would not be the default, and nobody has had time to work on it.

jeremy-rescale commented 1 year ago

According to the docs, the plugin now supports assuming a role: https://github.com/hashicorp/boundary-plugin-aws#credential-rotation. I will be giving it a try shortly.