From c4c60d1f0991ffd24ca0aa16e4db19f64b081235 Mon Sep 17 00:00:00 2001
From: Cyril Rohr <cyril.rohr@gmail.com>
Date: Wed, 28 Feb 2024 08:26:48 +0000
Subject: [PATCH] Unset existing credentials when running from RunsOn

---
 src/custom/backend.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/custom/backend.ts b/src/custom/backend.ts
index d872afa..be9caf4 100644
--- a/src/custom/backend.ts
+++ b/src/custom/backend.ts
@@ -24,6 +24,16 @@ export interface ArtifactCacheEntry {
     archiveLocation?: string;
 }
 
+// if executing from RunsOn, unset any existing AWS env variables so that we can use the IAM instance profile for credentials
+// see unsetCredentials() in https://github.com/aws-actions/configure-aws-credentials/blob/v4.0.2/src/helpers.ts#L44
+if (process.env.RUNS_ON_RUNNER_NAME) {
+    delete process.env.AWS_ACCESS_KEY_ID;
+    delete process.env.AWS_SECRET_ACCESS_KEY;
+    delete process.env.AWS_SESSION_TOKEN;
+    delete process.env.AWS_REGION;
+    delete process.env.AWS_DEFAULT_REGION;
+}
+
 const versionSalt = "1.0";
 const bucketName = process.env.RUNS_ON_S3_BUCKET_CACHE;
 const region =