## Enhancements
- fix(hooks): store-output hooks inherit the run's default identity @aknysh (#2662)
## what
- Make the terraform after-apply `store-outputs` hook path inherit the run's auto-detected identity for stores that don't declare their own `identity`, matching the main terraform path.
- Add a new `internal/exec.HookStoreDefaultIdentity` helper (auto-detect the active identity from the auth manager's chain, normalize empty/`select`/`disabled` to `""`); `cmd/terraform`'s `injectHookStoreAuthResolver` now calls `SetAuthContextResolverWithDefaultIdentity` instead of the resolver-only variant.
- Fix an adjacent bug: `pkg/store.defaultIdentityForStore` was missing `*SecretsManagerStore` (`aws/asm`), so AWS Secrets Manager stores never inherited a default identity on any path. Added the case so `aws/asm` behaves like `aws/ssm`.
- Tests: `internal/exec.TestHookStoreDefaultIdentity` (new), `cmd/terraform` `TestInjectHookStoreAuthResolver_InheritsDefaultIdentity` (replaces `…_ResolverOnly`), updated `pkg/store` default-identity test so identity-less `aws/asm` asserts inheritance, and Floci E2E `TestAWSStoreHooks_InheritedIdentity_FlociE2E` with fixture `aws-store-hooks-floci-inherit`.
- Fix doc: `docs/fixes/2026-06-27-store-hook-inherit-default-identity.md`.
## why
- Hook fix. Under Atmos auth, `atmos terraform apply` on a component with a `store-outputs` hook applied successfully but then failed in the hook when the target store had no `identity`:

  ```
  INFO Running hooks event=after.terraform.apply status=success
  Fetching <output> from <component> in <stack>
  Error: failed to assume write role: … get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, … ec2imds: GetMetadata …
  ```

  Hooks run in a freshly-loaded config, so the apply-phase store registry (and its injected default identity) is gone. The hook re-injected the resolver but no default identity, so identity-less stores fell back to the default AWS SDK credential chain, which is empty under Atmos auth (credentials live in the keyring, not the environment), and dropped to EC2 IMDS. The main terraform path and `!store` reads already inherit the run's identity; this removes a surprising asymmetry and completes the follow-up explicitly deferred in #2625 ("Component-identity inheritance for identity-less stores is intentionally left for a follow-up design decision").
- ASM fix. `defaultIdentityForStore` handled `*SSMStore`, `*AzureKeyVaultStore`, and `*GSMStore` but not `*SecretsManagerStore`, so `aws/asm` stores without an explicit `identity` could never inherit one. This was latent before (and was even codified by the old test); the hook fix's E2E surfaced it.
- Backward compatible. `HookStoreDefaultIdentity` returns `""` whenever no identity is resolved (no auth manager, or empty/`select`/`disabled`), and `SetAuthContextResolverWithDefaultIdentity("")` is a no-op for the default, so runs without Atmos auth keep their prior ambient/default-SDK credential behavior, and stores with an explicit `identity` are never overridden.
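The inheritance rule, the adjacent `aws/asm` gap and the `""` no-op guarantee described above, as an added Go illustration that is not Atmos's own code: the store types, `defaultIdentityForStoreBefore`/`After` and `hookStoreDefaultIdentity` are simplified stand-ins, and exact string matching of `select`/`disabled` is an assumption.

```go
package main

// Illustrative stand-ins for the PR's store types (not Atmos's real definitions).
type SSMStore struct{ Identity string }
type SecretsManagerStore struct{ Identity string }
type AzureKeyVaultStore struct{ Identity string }
type GSMStore struct{ Identity string }

// inherit fills in the identity only for an identity-less store and only when
// a default was resolved, so an explicit identity is never overridden.
func inherit(cur *string, def string) bool {
	if def == "" || *cur != "" {
		return false
	}
	*cur = def
	return true
}

// defaultIdentityForStoreBefore models the latent bug: there is no
// *SecretsManagerStore case, so aws/asm stores never inherit on any path.
func defaultIdentityForStoreBefore(s any, def string) bool {
	switch st := s.(type) {
	case *SSMStore:
		return inherit(&st.Identity, def)
	case *AzureKeyVaultStore:
		return inherit(&st.Identity, def)
	case *GSMStore:
		return inherit(&st.Identity, def)
	}
	return false
}

// defaultIdentityForStoreAfter adds the missing case so aws/asm behaves like aws/ssm.
func defaultIdentityForStoreAfter(s any, def string) bool {
	if st, ok := s.(*SecretsManagerStore); ok {
		return inherit(&st.Identity, def)
	}
	return defaultIdentityForStoreBefore(s, def)
}

// hookStoreDefaultIdentity models the new helper's normalization: the active
// identity passes through; no auth manager (""), "select" and "disabled" all
// become "", which keeps SetAuthContextResolverWithDefaultIdentity("") a no-op.
func hookStoreDefaultIdentity(active string) string {
	switch active {
	case "", "select", "disabled":
		return ""
	}
	return active
}
```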
## references
- Follow-up to #2625 (AWS stores/secrets auth; deferred identity-less inheritance in the hook path).
- Related fix docs: `docs/fixes/2026-06-17-aws-stores-secrets-auth-and-gists.md`, `docs/fixes/2026-05-25-store-hook-missing-backend-role-assumption.md`.
## Summary by CodeRabbit
- New Features
- Store output hooks now inherit the run's detected/default identity when a store doesn't specify an explicit identity.
- AWS Secrets Manager store output identity handling now matches the default-identity behavior of other supported stores.
- Bug Fixes
- Prevents hook-phase authentication failures under Atmos auth when no fallback AWS credentials are available.
- Documentation
- Added a clarification on identity inheritance semantics for store-output hooks.
- Tests
- Added/updated unit tests and a Floci end-to-end test covering identity inheritance for SSM/ASM hook outputs.