feat: support standard AWS env vars and default credential chain#395
feat: support standard AWS env vars and default credential chain#395purva-8 wants to merge 3 commits intousesend:mainfrom
Conversation
Replace non-standard AWS_ACCESS_KEY / AWS_SECRET_KEY with the AWS-standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY. The old names are kept as fallbacks in the runtimeEnv for backward compatibility. Both vars are now optional. When omitted, the credentials object is not passed to SESv2Client, STSClient, or SNSClient — the AWS SDK then falls back to its default provider chain (IAM roles, ECS task roles, instance profiles, etc.), which is the recommended approach for cloud-native deployments. Closes usesend#316 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@purva-8 is attempting to deploy a commit to the kmkoushik's projects Team on Vercel. A member of the Team first needs to authorize it. |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.
WalkthroughThis pull request updates AWS credential variable naming conventions across the codebase. Environment configuration files ( 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 6/8 reviews remaining, refill in 9 minutes and 41 seconds.Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the web app’s AWS credential handling to support standard AWS environment variable names and to allow the AWS SDK default credential provider chain when static credentials aren’t provided (fixing #316).
Changes:
- Renames
AWS_ACCESS_KEY/AWS_SECRET_KEYtoAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY(with legacy fallback). - Makes AWS credential env vars optional and conditionally omits the
credentialsoverride for AWS SDK clients. - Updates test setup and example env files to reflect the new variable names.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| apps/web/src/env.js | Updates env schema keys and adds legacy fallback in runtimeEnv. |
| apps/web/src/server/aws/ses.ts | Conditionally passes credentials to STSClient and SESv2Client. |
| apps/web/src/server/aws/sns.ts | Conditionally passes credentials to SNSClient. |
| apps/web/src/test/setup/setup-env.ts | Updates test env defaults to new AWS credential keys. |
| apps/web/.env.test.example | Updates example AWS credential keys for tests. |
| .env.example | Updates example AWS credential keys for local/dev. |
| .env.selfhost.example | Updates example keys and clarifies optional credential chain usage. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
apps/web/src/server/aws/ses.ts (1)
33-35: ⚡ Quick winExtract the repeated credential-options construction to a shared helper.
The same conditional spread appears three times: STS client (Line 33–35), SES client (Line 52–54), and the SNS client in
sns.ts(Line 13–15). If the logic ever needs to addsessionTokenor change the guard condition, all three sites must be updated in sync.♻️ Proposed refactor
Add a shared helper (e.g. in
apps/web/src/server/aws/credentials.ts):import { env } from "~/env"; export function getAwsCredentialOptions() { if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) { return { credentials: { accessKeyId: env.AWS_ACCESS_KEY_ID, secretAccessKey: env.AWS_SECRET_ACCESS_KEY, }, }; } return {}; }Then in
ses.ts:- ...(env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY - ? { credentials: { accessKeyId: env.AWS_ACCESS_KEY_ID, secretAccessKey: env.AWS_SECRET_ACCESS_KEY } } - : {}), + ...getAwsCredentialOptions(),Apply the same replacement in the second occurrence in
ses.tsand insns.ts.Also applies to: 52-54
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/web/src/server/aws/ses.ts` around lines 33 - 35, Extract the repeated conditional credential spread into a shared helper (e.g. getAwsCredentialOptions) that reads env.AWS_ACCESS_KEY_ID and env.AWS_SECRET_ACCESS_KEY and returns either { credentials: { accessKeyId, secretAccessKey } } or {}; then replace the inline conditional spread used when constructing the STS client, SES client (the block containing ...(env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY ? { credentials: { accessKeyId: env.AWS_ACCESS_KEY_ID, secretAccessKey: env.AWS_SECRET_ACCESS_KEY } } : {}) in ses.ts) and the SNS client in sns.ts with a call to getAwsCredentialOptions(), ensuring the helper is exported from a common module (e.g. credentials.ts) and imported where needed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@apps/web/src/server/aws/ses.ts`:
- Around line 33-35: Extract the repeated conditional credential spread into a
shared helper (e.g. getAwsCredentialOptions) that reads env.AWS_ACCESS_KEY_ID
and env.AWS_SECRET_ACCESS_KEY and returns either { credentials: { accessKeyId,
secretAccessKey } } or {}; then replace the inline conditional spread used when
constructing the STS client, SES client (the block containing
...(env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY ? { credentials: {
accessKeyId: env.AWS_ACCESS_KEY_ID, secretAccessKey: env.AWS_SECRET_ACCESS_KEY }
} : {}) in ses.ts) and the SNS client in sns.ts with a call to
getAwsCredentialOptions(), ensuring the helper is exported from a common module
(e.g. credentials.ts) and imported where needed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 59ef1c51-59a4-4cf8-9644-0f3ad9c00c0f
📒 Files selected for processing (7)
.env.example.env.selfhost.exampleapps/web/.env.test.exampleapps/web/src/env.jsapps/web/src/server/aws/ses.tsapps/web/src/server/aws/sns.tsapps/web/src/test/setup/setup-env.ts
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/web/src/env.js`:
- Around line 34-35: The environment schema currently allows AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY to be set independently which lets code in
apps/web/src/server/aws/ses.ts and apps/web/src/server/aws/sns.ts silently fall
back to the default provider when only one credential is present; update the zod
schema for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to validate they are
either both present or both absent (e.g., using a .refine or a custom validator)
so the app fails fast with a clear error when only one credential is provided,
and ensure any code that reads these vars (SES/SNS initialization) relies on
that validated pair rather than tolerating partial config.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d7aa3fb3-6172-4517-80bd-b5a93802008a
📒 Files selected for processing (1)
apps/web/src/env.js
…al-config guard - Move the credential spread logic into a single credentials.ts helper so SESv2Client, STSClient, and SNSClient all share one implementation - Throw a clear error if only one of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY is set, preventing silent fallback to the default provider chain with a half-configured environment Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/web/src/server/aws/credentials.ts`:
- Around line 4-19: The credentials helper currently only returns accessKeyId
and secretAccessKey, which breaks temporary AWS creds; add support for
AWS_SESSION_TOKEN by adding AWS_SESSION_TOKEN to your env.js schema and
runtimeEnv, then update the return object in
apps/web/src/server/aws/credentials.ts to conditionally include sessionToken
(e.g., when env.AWS_SESSION_TOKEN is present, add credentials.sessionToken =
env.AWS_SESSION_TOKEN) alongside accessKeyId and secretAccessKey, and update
test fixtures and .env.example to include an optional AWS_SESSION_TOKEN entry so
temporary credential flows are exercised.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2d02e951-f64f-4566-99ee-986b878bc362
📒 Files selected for processing (3)
apps/web/src/server/aws/credentials.tsapps/web/src/server/aws/ses.tsapps/web/src/server/aws/sns.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- apps/web/src/server/aws/sns.ts
- apps/web/src/server/aws/ses.ts
| const hasKey = !!env.AWS_ACCESS_KEY_ID; | ||
| const hasSecret = !!env.AWS_SECRET_ACCESS_KEY; | ||
|
|
||
| if (hasKey !== hasSecret) { | ||
| throw new Error( | ||
| "AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set or both be omitted" | ||
| ); | ||
| } | ||
|
|
||
| if (hasKey) { | ||
| return { | ||
| credentials: { | ||
| accessKeyId: env.AWS_ACCESS_KEY_ID!, | ||
| secretAccessKey: env.AWS_SECRET_ACCESS_KEY!, | ||
| }, | ||
| }; |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether AWS_SESSION_TOKEN is modeled and propagated in current PR surface.
# Expected: references in env schema/mapping + credentials helper + (optionally) env examples.
rg -n -C3 '\bAWS_SESSION_TOKEN\b' \
apps/web/src/env.js \
apps/web/src/server/aws/credentials.ts \
apps/web/src/server/aws/ses.ts \
apps/web/src/server/aws/sns.ts \
.env.example \
.env.selfhost.example \
apps/web/.env.test.example || trueRepository: usesend/useSend
Length of output: 41
🏁 Script executed:
# First, let's find the actual env schema/configuration file
fd -e js -e ts -e json apps/web/src/ | grep -i env | head -20Repository: usesend/useSend
Length of output: 417
🏁 Script executed:
# Let's examine the credentials.ts file in full
cat -n apps/web/src/server/aws/credentials.tsRepository: usesend/useSend
Length of output: 713
🏁 Script executed:
# Check the env.js or env schema structure
fd -type f -name "env*" apps/web/src/ | head -10Repository: usesend/useSend
Length of output: 230
🏁 Script executed:
# Find env configuration files more carefully
find apps/web/src -name "env*" -type f | head -20Repository: usesend/useSend
Length of output: 79
🏁 Script executed:
# Also search for where env is exported from
rg -l "export.*env" apps/web/src --type ts --type js | head -10Repository: usesend/useSend
Length of output: 196
🏁 Script executed:
# Look for AWS configuration in existing code
rg "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY" apps/web/src --type ts --type js -A 2 -B 2Repository: usesend/useSend
Length of output: 2484
🏁 Script executed:
# Read the full env.js file
cat -n apps/web/src/env.jsRepository: usesend/useSend
Length of output: 7193
🏁 Script executed:
# Check AWS SDK documentation expectations for sessionToken
# Look for any existing usage or patterns of sessionToken in the codebase
rg "sessionToken|session_token" apps/web --type ts --type jsRepository: usesend/useSend
Length of output: 41
🏁 Script executed:
# Check how AWS SDK is being used for SES and SNS
cat -n apps/web/src/server/aws/ses.ts | head -50Repository: usesend/useSend
Length of output: 1938
🏁 Script executed:
# Look for any auth-related issues or comments in AWS files
rg "auth|sign|credential|temporary|session" apps/web/src/server/aws/ --type ts -iRepository: usesend/useSend
Length of output: 781
🏁 Script executed:
# Check AWS SDK version/package being used
rg "@aws-sdk|aws-sdk" apps/web/package.jsonRepository: usesend/useSend
Length of output: 265
Add AWS_SESSION_TOKEN support to credentials helper for temporary AWS credentials.
AWS SDK v3 requires sessionToken when using temporary credentials (from STS, IAM roles, or AssumeRole). The current implementation only handles accessKeyId and secretAccessKey, which works for long-lived IAM credentials but will fail with temporary credentials.
Add AWS_SESSION_TOKEN as an optional environment variable in env.js schema and runtimeEnv, then conditionally include it in the returned credentials object in credentials.ts. Update test setup and .env.example files as needed.
Suggested patch
export function getAwsCredentialOptions() {
const hasKey = !!env.AWS_ACCESS_KEY_ID;
const hasSecret = !!env.AWS_SECRET_ACCESS_KEY;
+ const hasSessionToken = !!env.AWS_SESSION_TOKEN;
if (hasKey !== hasSecret) {
throw new Error(
"AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set or both be omitted"
);
}
if (hasKey) {
return {
credentials: {
accessKeyId: env.AWS_ACCESS_KEY_ID!,
secretAccessKey: env.AWS_SECRET_ACCESS_KEY!,
+ ...(hasSessionToken ? { sessionToken: env.AWS_SESSION_TOKEN! } : {}),
},
};
}
return {};
}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@apps/web/src/server/aws/credentials.ts` around lines 4 - 19, The credentials
helper currently only returns accessKeyId and secretAccessKey, which breaks
temporary AWS creds; add support for AWS_SESSION_TOKEN by adding
AWS_SESSION_TOKEN to your env.js schema and runtimeEnv, then update the return
object in apps/web/src/server/aws/credentials.ts to conditionally include
sessionToken (e.g., when env.AWS_SESSION_TOKEN is present, add
credentials.sessionToken = env.AWS_SESSION_TOKEN) alongside accessKeyId and
secretAccessKey, and update test fixtures and .env.example to include an
optional AWS_SESSION_TOKEN entry so temporary credential flows are exercised.
Summary
Fixes #316
AWS_ACCESS_KEY→AWS_ACCESS_KEY_IDandAWS_SECRET_KEY→AWS_SECRET_ACCESS_KEYto match the AWS standard naming convention used by the SDK, CLI, and IAM toolingz.string().optional()in the env schemacredentialsobject is omitted fromSESv2Client,STSClient, andSNSClient— the AWS SDK automatically falls back to its default provider chain (IAM roles, ECS/EKS task roles, EC2 instance profiles,~/.aws/credentials, etc.)runtimeEnvfalls back to the old names (?? process.env.AWS_ACCESS_KEY) so existing deployments don't break without a config changeFiles changed
apps/web/src/env.jsapps/web/src/server/aws/ses.tscredentialstoSESv2Client/STSClientapps/web/src/server/aws/sns.tscredentialstoSNSClientapps/web/src/test/setup/setup-env.tsapps/web/.env.test.example.env.example.env.selfhost.exampleTest plan
AWS_ACCESS_KEY/AWS_SECRET_KEYnames continue to work (backward-compat fallback)AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYnames workpnpm test)Summary by cubic
Switches to AWS-standard env vars
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYand uses the AWS default credential chain when unset. Adds a shared credential helper that errors on partial configs; keeps backward compatibility and only passes credentials toSESv2,STS, andSNSwhen both vars are set.New Features
getAwsCredentialOptionscentralizes logic forSESv2Client,STSClient, andSNSClient.AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYis set.Migration
AWS_ACCESS_KEY→AWS_ACCESS_KEY_IDandAWS_SECRET_KEY→AWS_SECRET_ACCESS_KEY.Written for commit 5c816be. Summary will update on new commits.
Summary by CodeRabbit