From 6b966f8ab131fdb3d97e98f898903c5131c603ac Mon Sep 17 00:00:00 2001
From: Simon Barendse
Date: Fri, 6 Sep 2019 09:42:56 +0200
Subject: [PATCH 1/3] Use AWS identity provider with SECRETHUB_IDENTITY_PROVIDER=aws envvar

---
 pkg/secrethub/client.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/secrethub/client.go b/pkg/secrethub/client.go
index a2d5ce81..606e5c18 100644
--- a/pkg/secrethub/client.go
+++ b/pkg/secrethub/client.go
@@ -19,6 +19,11 @@ const (
 	userAgentPrefix = "SecretHub/v1 secrethub-go/" + ClientVersion
 )
 
+// Errors
+var (
+	ErrUnknownIdentityProvider = errClient.Code("unknown_identity_provider").ErrorPref("%s is not a supported identity provider. Valid options are `aws` and `key`.")
+)
+
 // ClientInterface is an interface that can be used to consume the SecretHub client and is implemented by secrethub.Client.
 type ClientInterface interface {
 	// AccessRules returns a service used to manage access rules.
@@ -110,7 +115,19 @@ func NewClient(with ...ClientOption) (*Client, error) {
 
 	// Try to use default key credentials if none provided explicitly
 	if client.decrypter == nil {
-		err := client.with(WithCredentials(credentials.UseKey(client.DefaultCredential())))
+		identityProvider := os.Getenv("SECRETHUB_IDENTITY_PROVIDER")
+
+		var provider credentials.Provider
+		switch identityProvider {
+		case "key", "":
+			provider = credentials.UseKey(client.DefaultCredential())
+		case "aws":
+			provider = credentials.UseAWS()
+		default:
+			return nil, ErrUnknownIdentityProvider(identityProvider)
+		}
+
+		err := client.with(WithCredentials(provider)) // nolint: staticcheck
 		if err != nil {
 			// TODO: log that default credential was not loaded.

From 5df69819c0fe8af28dba567427cb6e4fd5406d8e Mon Sep 17 00:00:00 2001
From: Simon Barendse
Date: Fri, 6 Sep 2019 13:28:31 +0200
Subject: [PATCH 2/3] Make identity provider configuration case insensitive

---
 pkg/secrethub/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
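Review bot: `ErrUnknownIdentityProvider` in the first hunk is exported but carries no doc comment of its own; the `// Errors` group comment does not document it, and a comment starting with the name is expected, e.g. `// ErrUnknownIdentityProvider is returned when SECRETHUB_IDENTITY_PROVIDER holds a value other than "aws" or "key".` The message also interpolates the environment value with `%s`; since the format string already uses a fmt-style verb, `%q` would make an empty or whitespace-only value visible and escape control characters in whatever ends up logged, which makes a misconfiguration easier to diagnose. The second hunk, where that value is read and passed to this error, only validates it when `client.decrypter` is nil, so a misspelled value appears to go unnoticed whenever explicit credentials were supplied; `NewClient` begins and ends outside that hunk and its trailing context line is not visible here.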
diff --git a/pkg/secrethub/client.go b/pkg/secrethub/client.go
index 606e5c18..87a0dffd 100644
--- a/pkg/secrethub/client.go
+++ b/pkg/secrethub/client.go
@@ -118,7 +118,7 @@ func NewClient(with ...ClientOption) (*Client, error) {
 		identityProvider := os.Getenv("SECRETHUB_IDENTITY_PROVIDER")
 
 		var provider credentials.Provider
-		switch identityProvider {
+		switch strings.ToLower(identityProvider) {
 		case "key", "":
 			provider = credentials.UseKey(client.DefaultCredential())
 		case "aws":

From 1b6648d86779e7670a4a400ec46a5917febea275 Mon Sep 17 00:00:00 2001
From: Simon Barendse
Date: Fri, 6 Sep 2019 13:41:07 +0200
Subject: [PATCH 3/3] Swap "" and "key" when matching the configured identity provider

To make "" stand out more, as it might otherwise be overlooked.
---
 pkg/secrethub/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/secrethub/client.go b/pkg/secrethub/client.go
index 87a0dffd..ee9af8a3 100644
--- a/pkg/secrethub/client.go
+++ b/pkg/secrethub/client.go
@@ -119,7 +119,7 @@ func NewClient(with ...ClientOption) (*Client, error) {
 
 		var provider credentials.Provider
 		switch strings.ToLower(identityProvider) {
-		case "key", "":
+		case "", "key":
 			provider = credentials.UseKey(client.DefaultCredential())
 		case "aws":
 			provider = credentials.UseAWS()
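Review bot: The new `switch strings.ToLower(identityProvider) {` line makes the match case-insensitive but still sends a value with surrounding whitespace, which an env var set from a shell script or a .env file can easily carry, into the `default` branch as unknown; `switch strings.ToLower(strings.TrimSpace(identityProvider)) {` would accept `" aws"` and `"AWS "` alike, and the `default` branch (outside the hunk) would still report the raw value in its error. The patch does not touch the import block, so it relies on `strings` already being imported in client.go; if it is not, this hunk does not compile. `NewClient` begins and ends outside the hunk.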