fix(aws-secrets): resolve named profiles via full node provider chain

[theoephraim]

Summary

Fixes #772.

@initAws(profile=...) resolved credentials with fromIni({ profile }), which does not fully handle credential_source entries in ~/.aws/config (e.g. EcsContainer, Ec2InstanceMetadata). Profiles backed by container/instance roles — like CodeBuild's credential_source = EcsContainer on AWS GovCloud — failed with Authentication failed with provided credentials, even though the same profile works with the AWS CLI and the SDK's default credential chain.

Change

Switch the profile branch in getCredentials() from fromIni to fromNodeProviderChain({ profile }). This scopes resolution to the named profile while delegating to the container/instance-metadata providers, matching the behavior of the AWS CLI and the SDK's default credential resolution.

-import { fromIni } from '@aws-sdk/credential-providers';
+import { fromNodeProviderChain } from '@aws-sdk/credential-providers';

   if (this.profile) {
     return {
-      credentials: fromIni({ profile: this.profile }),
+      credentials: fromNodeProviderChain({ profile: this.profile }),
       credentialDescription: `AWS profile: ${this.profile}`,
     };
   }

Notes

• fromNodeProviderChain accepts the same profile init property and respects it, so explicit/OIDC/default-chain code paths are unchanged.
• Patch changeset added for @varlock/aws-secrets-plugin.
• typecheck, build, and lint pass. No existing unit tests for this plugin to update.

🤖 Generated with Claude Code

[github-actions]

The changes in this PR will be included in the next version bump.

Patch releases

• @varlock/aws-secrets-plugin 1.2.0 → 1.2.1

Bump files in this PR

• fix-aws-profile-credential-source.md (view diff) (edit)

Click here if you want to add another bump file to this PR

---

This comment is maintained by bumpy.