IABTechLab · sophia-chen-ttd · Jun 3, 2026 · Jun 5, 2026
diff --git a/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java b/src/main/java/com/uid2/shared/cloud/CloudStorageS3.java
@@ -2,8 +2,8 @@
 
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
-import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.*;
@@ -74,15 +74,9 @@ public CloudStorageS3(String accessKeyId, String secretAccessKey, String region,
     }
 
     public CloudStorageS3(String region, String bucket, String s3Endpoint) {
-        // In theory `new InstanceProfileCredentialsProvider()` or even omitting credentials provider should work,
-        // but for some unknown reason it doesn't. The credential it provides look realistic, but are not valid.
-        // After a lot of experimentation and help of Abu Abraham and Isaac Wilson the only working solution we've
-        // found was to explicitly extract env vars populated by the service account from the role and to
-        // manually set it on the credentials provider.
-        WebIdentityTokenFileCredentialsProvider credentialsProvider = WebIdentityTokenFileCredentialsProvider.builder()
-                .roleArn(System.getenv("AWS_ROLE_ARN"))
-                .webIdentityTokenFile(Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")))
-                .build();
+        // DefaultCredentialsProvider supports IRSA (WebIdentityTokenFile), EKS Pod Identity,
+        // instance profile, and all other standard AWS credential mechanisms automatically.
+        DefaultCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
 
         if (s3Endpoint.isEmpty()) {
             this.s3 = S3Client.builder()

diff --git a/src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java b/src/test/java/com/uid2/shared/cloud/CloudStorageS3Test.java
@@ -0,0 +1,15 @@
+package com.uid2.shared.cloud;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+public class CloudStorageS3Test {
+
+    @Test
+    void constructorDoesNotNpeWhenCredentialEnvVarsAbsent() {
+        // Old WebIdentityTokenFileCredentialsProvider called Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),
+        // which NPE'd when the env var was unset. DefaultCredentialsProvider must not throw at construction time.
+        assertDoesNotThrow(() -> new CloudStorageS3("us-east-1", "test-bucket", "http://localhost:9999"));
+    }
+}