Update AWS SDK to enable support for AWS EKS Pod Identities

[danareghis]

Is your feature request related to a problem? Please describe.
We have now the option to deploy a new vault server inside the EKS cluster and we would like to use AWS EKS pod identities feature if possible.

Describe the solution you'd like
I have configured the below:

seal "awskms" {
        region      = "${region}"
        kms_key_id  = "${kms_key_id}"
      }

Also inside the vault pod I have the corresponding environment variables for the pod identities features as AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and AWS_CONTAINER_CREDENTIALS_FULL_URI.

Unfortunately while starting I have the error:

Error initializing storage of type dynamodb: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
2026-03-27T11:36:09.617Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2026-03-27T11:36:09.617Z [DEBUG] storage.dynamodb: added environment variable credential provider
2026-03-27T11:36:09.617Z [DEBUG] storage.dynamodb: added shared credential provider
**Describe alternatives you've considered**

A clear and concise description of any alternative solutions or features you've considered.

I want to know if this feature is enabled and if so, am I missing other configuration or only IRSA is the working solution to assume AWS credentials for managing the dynamoDB used by vault.

Additional context
I have found the issue #27850 but I see it closed, still there was another used with the same error I received.

[mgriffin13]

I think this is really an issue with the hashicorp/go-secure-lib package. They re-implement the default aws credentials chain for reasons, and they never updated their implementation to support Pod Identities.

Specifically, at https://github.com/hashicorp/go-secure-stdlib/blob/main/awsutil/generate_credentials.go#L79, it supports the old IRSA, but they need to update it to also support AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. I think in the aws sdk, it's referred to as "endpointcreds", see https://github.com/aws/aws-sdk-go-v2/blob/main/credentials/endpointcreds/provider.go

Ref: https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

[danareghis]

I hope this will be fixed soon then, maybe @heatherezell can take this further as she closed the previous issue.
Thank you for the info @mgriffin13 !

[dosubot]

Thanks for the detailed report. Unfortunately, AWS EKS Pod Identities are not currently supported for the DynamoDB storage backend in Vault.

The root cause is that Vault's credential chain does not recognize AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (used by Pod Identities). It only handles AWS_WEB_IDENTITY_TOKEN_FILE (used by IRSA). Additionally, the DynamoDB backend uses AWS SDK v1.55.8, which doesn't support Pod Identities—that requires AWS SDK v2 with specific credentials package versions.

Interestingly, the AWS KMS seal uses go-kms-wrapping with AWS SDK v2, so some users have reported success with Pod Identities for KMS auto-unseal. However, DynamoDB consistently fails with your exact error.

Recommended workaround: Use IRSA (IAM Roles for Service Accounts) instead of Pod Identities. IRSA sets AWS_WEB_IDENTITY_TOKEN_FILE, which Vault's credential chain recognizes. While more cumbersome to configure, it's currently the reliable authentication method for Vault's DynamoDB backend in EKS.

This appears to be a gap in issue #27850—it was closed but the DynamoDB backend still lacks Pod Identity support. The fix would require either migrating the DynamoDB backend to AWS SDK v2 or updating the credential chain in go-secure-stdlib/awsutil to recognize the Pod Identity token file.

@heatherezell will get this to product and engineering teams for potential resolutions.

Written by @dosu, edited by heatherezell

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

  

[danareghis]

Hi @heatherezell

Can we leave this open to be notified once this feature is in place ?