SecretsManagerClient fails being initialized only in Github Actions in 3.2.0 #1254

Closed
ofir-popowski opened this issue Oct 15, 2024 · 3 comments

Comments

@ofir-popowski

ofir-popowski commented Oct 15, 2024

We have a relatively simple Spring Boot (3.3.4) app. We're using awspring only with Secrets Manager at the moment, and only when using a specific Spring profile (staging/production). Both of these profiles are the only ones that have `spring.config.import=aws-secretsmanager...`
(we have no other properties or anything, no AWS credentials, etc.)

All of the tests we have run the entire app with `@SpringBootTest`, using the dev profile (so, no config imports, no using AWS at all, no Secrets Manager). This profile is used for all tests, both locally and in GitHub Actions.

Everything was working fine until I upgraded awspring from 3.1.1 -> 3.2.0, at which point tests started failing only when running in GitHub Actions. I enabled debug logs for the action and saw the following:

    2024-10-14 12:49:18.366 [ForkJoinPool-1-worker-3] WARN  software.amazon.awssdk.regions.internal.util.EC2MetadataUtils - {}: Unable to retrieve the requested metadata.
    2024-10-14 12:49:18.367 [ForkJoinPool-1-worker-3] WARN  org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext - {}: Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'secretsManagerClient' defined in class path resource [io/awspring/cloud/autoconfigure/config/secretsmanager/SecretsManagerAutoConfiguration.class]: Failed to instantiate [software.amazon.awssdk.services.secretsmanager.SecretsManagerClient]: Factory method 'secretsManagerClient' threw exception with message: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain@6f32ce7a: [software.amazon.awssdk.regions.providers.SystemSettingsRegionProvider@2a85e7e4: Unable to load region from system settings. Region must be specified either via environment variable (AWS_REGION) or  system property (aws.region)., software.amazon.awssdk.regions.providers.AwsProfileRegionProvider@769a9aca: No region provided in profile: default, software.amazon.awssdk.regions.providers.InstanceProfileRegionProvider@6309d7ad: Unable to retrieve region information from EC2 Metadata service. Please make sure the application is running on EC2.]

I suspected that something changed with regard to how `SecretsManagerClient` is getting configured, so I browsed the repo and found this commit 1f1acdc, which seemed to be the right place to start.

I then tried 3.2.0 again, but explicitly declared `spring.cloud.aws.secretsmanager.enabled=false` in my dev profile, and now the tests stopped failing when running in the GitHub Action.

So I'm really confused as to why it would fail only in GitHub Actions (without `enabled=false`), as the tests are running with identical code and configuration between my machine and in the action.
I was also quite surprised about this change; I would not have expected `SecretsManagerClient` to be initialized when config imports are not used, and there are no properties related to AWS or any classes being used.

(Please let me know if the title makes sense, or you need more detailed information about anything)

@maciejwalkowiak
Contributor

By default all AWS clients resolve region and credentials using the so-called default chain, which looks into several places - one of which is `.aws/config` and `.aws/credentials` - that I believe you have configured on your machine. Since there is no such config on GitHub Actions, it cannot resolve configuration. Either set static values or use LocalStack or disable integration when running on GitHub Actions.

Hope it helps!
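
Added illustration, not part of the thread and not Spring Cloud AWS or AWS SDK code: a shell function that approximates the first two providers named in the exception above (the `AWS_REGION` environment variable, then `region` in the active profile of the shared config file), to show why a developer machine and a CI runner can resolve differently. It is a simplification that ignores the `aws.region` JVM system property, the credentials file and the EC2 metadata lookup; the function name is hypothetical.

```shell
#!/bin/sh
# Report which ambient source would supply an AWS region to the default chain.
# Prints "env:AWS_REGION=<r>", "profile:<name>=<r>", or "none" (exit status 1).
aws_region_source() {
    # 1. System settings: the AWS_REGION environment variable.
    if [ -n "${AWS_REGION:-}" ]; then
        echo "env:AWS_REGION=$AWS_REGION"
        return 0
    fi

    # 2. Shared config file: AWS_CONFIG_FILE or ~/.aws/config,
    #    profile from AWS_PROFILE or "default".
    cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    prof="${AWS_PROFILE:-default}"
    if [ -r "$cfg" ]; then
        region=$(awk -v p="$prof" '
            # Section header: "[default]" or "[profile name]".
            /^[ \t]*\[/ {
                s = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                sub(/^profile[ \t]+/, "", s)
                insec = (s == p)
                next
            }
            # First "region = value" line inside the wanted section.
            insec && /^[ \t]*region[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "")
                sub(/[ \t]+$/, "")
                print
                exit
            }
        ' "$cfg")
        if [ -n "$region" ]; then
            echo "profile:$prof=$region"
            return 0
        fi
    fi

    # 3. Nothing ambient: the SDK would fall through to EC2 metadata and,
    #    off EC2, fail as in the log above.
    echo "none"
    return 1
}

# Run once against the current environment (e.g. as a CI step before tests).
aws_region_source || echo "no ambient region source found" >&2
```

Running this both locally and as a step in the workflow makes the difference visible: a `profile:` result on the workstation and `none` on the runner means the tests were passing only because of the developer's own `~/.aws` files.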

@ofir-popowski
Author

Oh yeah, that makes sense. I didn't think about the local credentials I already have, thank you for pointing that out.
Still, I have to say I don't really like having this client being initialized by default without any usages, and having to explicitly disable it. This change also wasn't listed in the release notes for 3.2.0 (it does appear in the release notes for 3.2.0.M1, but I would have expected the notes for the official release to include all changes, not just the diff between pre-release and official).

@maciejwalkowiak
Contributor

At the top of release notes for 3.2.0:

> Spring Cloud AWS 3.2.0 brings compatibility with Spring Boot 3.3.x and contains all changes introduced in version 3.2.0-M1.

We've added autoconfig for the client because config import is not the only use case for Secrets Manager.
