From 530d2e3a5e93232b23c472e37859dd56442660ac Mon Sep 17 00:00:00 2001 From: Jeremy Tan Date: Sat, 27 Sep 2025 03:05:34 +0000 Subject: [PATCH 1/3] Fix profile loading when passed an explicit profile Profiles should be read out of the config file, not credentials file --- src/aws_secret.cpp | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/aws_secret.cpp b/src/aws_secret.cpp index b5a95b6..24ea202 100644 --- a/src/aws_secret.cpp +++ b/src/aws_secret.cpp @@ -65,26 +65,25 @@ static unique_ptr ConstructBaseS3Secret(vector &prefix_p static Aws::Config::Profile GetProfile(const string &profile_name, const bool require_profile) { Aws::Config::Profile selected_profile; - // get file path where aws credentials are stored. - // comes from AWS_SHARED_CREDENTIALS_FILE - auto credentials_file_path = Aws::Auth::ProfileConfigFileAWSCredentialsProvider::GetCredentialsProfileFilename(); + // get file path where aws config is stored. + // comes from AWS_CONFIG_FILE + auto config_file_path = Aws::Auth::GetConfigProfileFilename(); // get the profile from within that file Aws::Map profiles; - Aws::Config::AWSConfigFileProfileConfigLoader loader(credentials_file_path); + Aws::Config::AWSConfigFileProfileConfigLoader loader(config_file_path, true); if (loader.Load()) { profiles = loader.GetProfiles(); for (const auto &entry : profiles) { const Aws::String &profileName = entry.first; if (profileName == profile_name) { selected_profile = entry.second; - auto &url = selected_profile.GetValue("endpoint"); return selected_profile; } } } if (require_profile) { - throw InvalidConfigurationException("Secret Validation Failure: no profile '%s' found in credentials file %s", - profile_name, credentials_file_path); + throw InvalidConfigurationException("Secret Validation Failure: no profile '%s' found in config file %s", + profile_name, config_file_path); } return selected_profile; // empty profile } 
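Review bot: In GetProfile, a profile defined only in the shared credentials file can no longer be selected, because the loader now reads only the path returned by `Aws::Auth::GetConfigProfileFilename()`. With `require_profile` set this surfaces as the "no profile ... found in config file" exception; without it the function still returns an empty profile, so the caller cannot tell a missing profile from a failed `loader.Load()`. If dropping credentials-file profiles is intended, the comment above the lookup should say so, e.g. `// profiles are resolved from AWS_CONFIG_FILE only, using "[profile NAME]" section headers`, and a distinct error when `Load()` returns false would keep a malformed or unreadable file from being treated as "no such profile". The bare `true` would be easier to audit as `loader(config_file_path, /*useProfilePrefix=*/true);`.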
@@ -356,7 +355,7 @@ void CreateAwsSecretFunctions::InitializeCurlCertificates(DatabaseInstance &db) struct stat buf; if (stat(caFile.c_str(), &buf) == 0) { SELECTED_CURL_CERT_PATH = caFile; - DUCKDB_LOG_DEBUG(db, "aws.CaCertificateDetection", "CA path: %s", SELECTED_CURL_CERT_PATH); + DUCKDB_LOG_DEBUG(db, "aws.CaCertificateDetection: CA path: %s", SELECTED_CURL_CERT_PATH); return; } } From f47933c62910d527735deac1ad94e6faa1eb6e8d Mon Sep 17 00:00:00 2001 From: Jeremy Tan Date: Sat, 27 Sep 2025 03:05:55 +0000 Subject: [PATCH 2/3] Misc cleanup --- src/aws_secret.cpp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/aws_secret.cpp b/src/aws_secret.cpp index 24ea202..e6e7b06 100644 --- a/src/aws_secret.cpp +++ b/src/aws_secret.cpp @@ -44,9 +44,9 @@ static struct { //! Parse and set the remaining options static void ParseCoreS3Config(CreateSecretInput &input, KeyValueSecret &secret) { - vector options = {"key_id", "secret", "region", - "endpoint", "session_token", "endpoint", - "url_style", "use_ssl", "s3_url_compatibility_mode"}; + vector options = {"key_id", "secret", "region", + "endpoint", "session_token", "url_style", + "use_ssl", "s3_url_compatibility_mode"}; for (const auto &val : options) { auto set_region_param = input.options.find(val); if (set_region_param != input.options.end()) { @@ -312,7 +312,6 @@ static unique_ptr CreateAWSSecretFromCredentialChain(ClientContext & result->secret_map["refresh_info"] = Value::STRUCT(struct_fields); } - AwsSetCredentialsResult ret; if (!credentials.IsExpiredOrEmpty()) { result->secret_map["key_id"] = Value(credentials.GetAWSAccessKeyId()); result->secret_map["secret"] = Value(credentials.GetAWSSecretKey()); From d67aa4674c5d0d2d72cb5b83ab241f56d52686a9 Mon Sep 17 00:00:00 2001 From: Jeremy Tan Date: Mon, 6 Oct 2025 09:27:25 +0000 Subject: [PATCH 3/3] Maybe fix tests --- scripts/create_minio_credential_file.sh | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
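Review bot: The `stat(caFile.c_str(), &buf) == 0` test around the changed log line in InitializeCurlCertificates accepts any path that exists, so a directory or other non-regular entry would be stored in `SELECTED_CURL_CERT_PATH`, which is presumably used later as the CA bundle for TLS verification. Checking the file type as well, `if (stat(caFile.c_str(), &buf) == 0 && S_ISREG(buf.st_mode)) {`, makes the selection skip an unexpected entry instead of trusting it. Where the candidate paths come from is outside the hunk, so the practical risk depends on whether that list is fixed. The function body also continues beyond the lines shown.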
diff --git a/scripts/create_minio_credential_file.sh b/scripts/create_minio_credential_file.sh index 0814285..ab08d71 100755 --- a/scripts/create_minio_credential_file.sh +++ b/scripts/create_minio_credential_file.sh @@ -28,17 +28,6 @@ aws_session_token=completelybogussessiontoken aws_access_key_id= aws_secret_access_key= aws_session_token= - -[assume-role-arn] -source_profile = default -role_arn = arn:aws:iam::840140254803:role/pyiceberg-etl-role -region = us-east-2 - -[assume-role-arn-external-id] -source_profile = default -role_arn = arn:aws:iam::840140254803:role/pyiceberg-etl-role -region = us-east-2 -external_id = 128289344 " # Write the credentials configuration to the file @@ -54,8 +43,19 @@ region=eu-west-1 [profile minio-testing-invalid] region=the-moon-123 -[minio-testing-empty] +[profile minio-testing-empty] region= + +[profile assume-role-arn] +source_profile = default +role_arn = arn:aws:iam::840140254803:role/pyiceberg-etl-role +region = us-east-2 + +[profile assume-role-arn-external-id] +source_profile = default +role_arn = arn:aws:iam::840140254803:role/pyiceberg-etl-role +region = us-east-2 +external_id = 128289344 " # Write the config to the file
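Review bot: The two assume-role profiles added to the config block keep a concrete twelve-digit account ID, role name and `external_id` in the fixture, carried over from the credentials block this commit removes. If they do not have to match a live account, a reserved example value such as `role_arn = arn:aws:iam::123456789012:role/example-role` avoids publishing identifiers that may belong to a real account. A shell comment above the config string, e.g. `# named profiles use "[profile NAME]" headers because the extension reads them from the config file`, would record why the sections moved.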