[DNM] MCO-2250: AWS Marketplace bootimage update support

[djoshy]

Implementation details can be found in docs/design/aws-marketplace.md attached to this PR. Scrapes from a sample run below:

I0505 20:18:45.393384       1 platform_helpers.go:74] Reconciling MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a on AWS, with arch x86_64
I0505 20:18:45.510309       1 platform_helpers.go:189] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a: detected marketplace AMI ami-0b9620e51a0f7930b (OCP x86_64)
I0505 20:18:45.860315       1 ms_helpers.go:205] No patching required for MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a
I0505 20:18:45.970601       1 platform_helpers.go:74] Reconciling MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b on AWS, with arch x86_64
I0505 20:18:46.099326       1 platform_helpers.go:199] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b: detected ROSA marketplace AMI ami-007eabb43d646b4b3 (ROSA)
I0505 20:18:46.448744       1 ms_helpers.go:202] Patching MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b
I0505 20:18:46.530808       1 boot_image_controller.go:313] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b updated, reconciling enrolled machineset resources
I0505 20:18:46.553467       1 ms_helpers.go:255] Successfully patched machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b

To test:

1. Create an AWS cluster based off this PR via cluster bot.
2. ROSA/Marketplace AMIs can be found via querying the AWS Marketplace(see my gist for specific commands).
3. Inject a marketplace AMI into a MachineSet and examine the controller logs, the correct flavor should be detected and updated if needed.

Note the MCO looks for the newst image whose version matches the RHCOS version described in the coreos-bootimages configmap, if one is not found the update is skipped. Also, I don't think scaling would work with these marketplace AMIs unless your cluster's AWS creds have entitlements to those subscriptions. (Haven't tested scaling myself)

Summary by CodeRabbit

• New Features

  • Added AWS Marketplace boot image support to the Machine Config Operator, enabling automatic detection and updates of marketplace-sourced AMIs
  • Implements proper classification and detection of boot images from AWS Marketplace, standard RHCOS, and ROSA sources
  • Automatically resolves and applies the correct marketplace AMI updates during reconciliation cycles

• Documentation

  • Added design documentation describing AWS Marketplace boot image handling and version resolution workflows

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@djoshy: This pull request references MCO-2250 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Implementation details can be found in docs/design/aws-marketplace.md attached to this PR. Scrapes from a sample run below:

I0505 20:18:45.393384       1 platform_helpers.go:74] Reconciling MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a on AWS, with arch x86_64
I0505 20:18:45.510309       1 platform_helpers.go:189] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a: detected marketplace AMI ami-0b9620e51a0f7930b (OCP x86_64)
I0505 20:18:45.860315       1 ms_helpers.go:205] No patching required for MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1a
I0505 20:18:45.970601       1 platform_helpers.go:74] Reconciling MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b on AWS, with arch x86_64
I0505 20:18:46.099326       1 platform_helpers.go:199] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b: detected ROSA marketplace AMI ami-007eabb43d646b4b3 (ROSA)
I0505 20:18:46.448744       1 ms_helpers.go:202] Patching MAPI machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b
I0505 20:18:46.530808       1 boot_image_controller.go:313] MachineSet ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b updated, reconciling enrolled machineset resources
I0505 20:18:46.553467       1 ms_helpers.go:255] Successfully patched machineset ci-ln-grfh1nk-76ef8-9cs95-worker-us-east-1b

To test:

1. Create an AWS cluster based off this PR via cluster bot.
2. ROSA/Marketplace AMIs can be found via querying the AWS Marketplace(see my gist for specific commands).
3. Inject a marketplace AMI into a MachineSet and examine the controller logs, the correct flavor should be detected and updated if needed.

Note the MCO looks for the newst image whose version matches the RHCOS version described in the coreos-bootimages configmap, if one is not found the update is skipped. Also, I don't think scaling would work with these marketplace AMIs unless your cluster's AWS creds have entitlements to those subscriptions. (Haven't tested scaling myself)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

This PR adds AWS Marketplace support to the Machine Config Operator's boot image reconciliation. It introduces AMI classification (standard, marketplace, ROSA), marketplace product ID extraction, version token derivation from RHCOS release strings, and region-scoped DescribeImages filtering to resolve updated marketplace AMIs. New AWS SDK v2 dependencies are pinned, and the reconcileAWSProviderSpec flow is refactored to detect AMI origin and resolve targets accordingly.

Changes

AWS Marketplace Boot Image Resolution

Layer / File(s)	Summary
Design & Dependencies docs/design/aws-marketplace.md, go.mod	Design doc outlines AMI classification by owner ID, product ID extraction, marketplace version token derivation, and DescribeImages filtering logic. AWS SDK for Go v2 modules (EC2, config, credentials, smithy) are added to indirect dependencies.
AMI Classification & Constants pkg/controller/bootimage/aws_helpers.go (lines 21–53, 63–122)	Marketplace and RHCOS ownership/product ID constants defined. amiKind enum (unknown/standard/marketplace/ROSA) and detectAMIKind function classify AMIs by owner; product ID extraction (extractProductID, isProductID) identifies ROSA and marketplace variants from AMI names.
AWS Client & AMI Lookup pkg/controller/bootimage/aws_helpers.go (lines 73–105)	getAWSEC2Client loads EC2 credentials from a Kubernetes secret and creates a region-scoped client. describeAMI wraps EC2 DescribeImages and errors on missing images.
Marketplace Version & Filtering Logic pkg/controller/bootimage/aws_helpers.go (lines 124–245)	marketplaceVersionToken parses RHCOS release strings into two-component version tokens. resolveMarketplaceAMI orchestrates version token derivation. findMarketplaceAMI queries EC2 by product ID owner alias and name, filters by version-token presence in description (descriptionMatchesVersion), and returns the newest AMI by creation date.
Reconciliation Integration pkg/controller/bootimage/platform_helpers.go (lines 150–226)	reconcileAWSProviderSpec refactored to fetch the current AMI, detect its kind, resolve a target AMI via the new classification-aware flow, and skip updates when resolution fails or target matches current. Previous stream-data-only logic replaced by kind-detection and resolution branching.

Sequence Diagram

sequenceDiagram
    participant MCO as Machine Config<br/>Operator
    participant K8s as Kubernetes<br/>(Secrets)
    participant EC2 as AWS EC2<br/>API
    
    MCO->>MCO: Start AMI reconciliation
    MCO->>K8s: Fetch aws-cloud-credentials<br/>secret
    K8s-->>MCO: AWS access keys
    MCO->>EC2: DescribeImages<br/>(current AMI ID)
    EC2-->>MCO: Current AMI details<br/>(owner, name, description)
    
    MCO->>MCO: Detect AMI kind<br/>(extract product ID<br/>from name if marketplace)
    
    alt Marketplace/ROSA AMI
        MCO->>MCO: Derive version token<br/>from target OCP<br/>release string
        MCO->>EC2: DescribeImages<br/>(owner alias,<br/>product ID filter)
        EC2-->>MCO: List marketplace AMIs
        MCO->>MCO: Filter by version token<br/>in description,<br/>sort by CreationDate
        MCO-->>MCO: Select newest<br/>matching AMI
    else Standard RHCOS
        MCO->>MCO: Resolve from stream<br/>regional mapping
    end
    
    MCO->>MCO: Compare current<br/>vs. target AMI
    
    alt Target differs
        MCO->>K8s: Update ProviderSpec<br/>with new AMI ID
        K8s-->>MCO: Update complete
    else Same AMI
        MCO-->>MCO: Skip update
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[DNM] MCO-2250: AWS Marketplace bootimage update support' directly describes the main change: adding AWS Marketplace bootimage update support to the MCO, matching the core objective of the pull request.
Docstring Coverage	✅ Passed	Docstring coverage is 93.33% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR does not introduce any Ginkgo tests. The changes consist of documentation, dependencies, and code implementations. No test files were added or modified. Check is not applicable.
Test Structure And Quality	✅ Passed	No Ginkgo test code exists in this PR. The PR adds AWS marketplace support (aws_helpers.go, platform_helpers.go changes, docs, go.mod) but includes no test files. The check is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. PR only includes documentation, dependency updates, and controller code. Check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to documentation, go.mod dependencies, and implementation code. The SNO compatibility check applies only when e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	No scheduling constraints introduced. Changes are controller logic only; no deployment manifests, pod specs, affinity rules, nodeSelectors, or topology constraints were added or modified.
Ote Binary Stdout Contract	✅ Passed	PR modifies controller code (aws_helpers.go, platform_helpers.go), not OTE binaries. No process-level stdout writes found—only klog calls. OTE binary unaffected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are to controller implementation, documentation, and dependencies only. The check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Microsoft Presidio Analyzer (2.2.362)

docs/design/aws-marketplace.md

Microsoft Presidio Analyzer failed to scan this file

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [djoshy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[djoshy]

I'm a bit conflicted on this, if a RHEL version match isn't found in the marketplace, it likely means that the latest RHEL version hasn't been mirrored yet.

Would it make sense to just use the latest published value for that flavor? The only issue I can see if the marketplace skips a RHEL minor for some reason, and an older y stream could accidentally do a boot image update to a newer RHEL release than appropriate. Still - I think a RHEL minor not being published would be quite unlikely?

For now, the controller just skips the update if the bootimage for that RHEL version isn't found in the marketplace.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/aws-marketplace.md`:
- Around line 13-15: Several fenced code blocks are missing language tags
(causing MD040); add appropriate languages: for the AMI/name example blocks such
as the string
"RHEL-9.4-RHCOS-4.18_HVM_GA-20251119-x86_64-0-59ead7de-2540-4653-a8b0-fa7926d5c845"
mark the fence as ```text, and for the AWS DescribeImages command block mark the
fence as ```bash (apply the same change to the other untyped fences noted around
lines with similar AMI/name examples and the DescribeImages snippet).

In `@pkg/controller/bootimage/aws_helpers.go`:
- Around line 113-118: The awsMarketplaceOwnerID branch currently treats any
image as marketplace even when extractProductID(aws.ToString(image.Name))
returns "", which causes findMarketplaceAMI to match overly broad AMIs; update
the branch in pkg/controller/bootimage/aws_helpers.go (the case handling
awsMarketplaceOwnerID) to detect an empty productID and treat it as unsupported
instead of amiKindMarketplace—i.e., if productID == "" return an
unsupported/invalid kind (or nil/empty indicator used elsewhere) along with the
productID, otherwise keep the existing rosaProductID -> amiKindROSA and
non-empty productID -> amiKindMarketplace behavior so downstream
findMarketplaceAMI never receives an empty product ID.
- Around line 81-90: The current EC2 client loader in aws_helpers.go only uses
static keys (accessKeyID/secretAccessKey) and fails for STS/web-identity
secrets; update the logic in the function that builds the ec2.Options (the
section using accessKeyID, secretAccessKey and
credentials.NewStaticCredentialsProvider) to detect STS format (presence of
role_arn and web_identity_token_file) and, when present, construct a
WebIdentity/ST S credentials provider from the token file and role_arn and set
that as the Credentials in ec2.New; if both static keys and STS fields are
missing return a clear error referencing awsCredentialsSecretName. Ensure the
new branch populates ec2.New(ec2.Options{Region: region, Credentials:
<web-identity provider>}) while keeping the existing static-credentials branch
using credentials.NewStaticCredentialsProvider(accessKeyID, secretAccessKey,
"").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 44b4faa6-fc82-4bea-ab8f-f48e9b912740

📥 Commits

Reviewing files that changed from the base of the PR and between f9d91f6 and 722d6d1.

⛔ Files ignored due to path filters (296)

• go.sum is excluded by !**/*.sum
• vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/NOTICE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/context.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/credential_cache.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/configuration.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/defaults.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/defaultsmode.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/from_ptr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/logging_generate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname_go115.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/recursion_detection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id_retriever.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/ec2query/error_utils.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_bucket.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_rate_limit.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/request.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_ratelimit.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_token_bucket.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/attempt_metrics.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/jitter_backoff.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/throttle_error.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retry/timeout_error.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/retryer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/runtime.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/cache.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/const.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/header_rules.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/hmac.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/host.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/scope.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/time.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/presign_middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/to_ptr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/content_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error_middleware.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/aws/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/credentials/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/scheme.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_adapter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_signer_adapter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/credentials_adapter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/smithy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/endpoints.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/arn.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/generate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/host.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/endpoints.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/rand/rand.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/interfaces.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/time.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/strings/strings.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/docs.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/internal/timeconv/duration.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayClientVpnAttachment.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamResourceDiscovery.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteServer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSecurityGroupVpc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSubnetCidrBlock.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayMulticastDomain.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayPolicyTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayRouteTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTrunkInterface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateVpcCidrBlock.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachClassicLinkVpc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachInternetGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachNetworkInterface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVerifiedAccessTrustProvider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVolume.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVpnGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeClientVpnIngress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeSecurityGroupEgress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeSecurityGroupIngress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_BundleInstance.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelBundleTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelCapacityReservation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelCapacityReservationFleets.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelConversionTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelDeclarativePoliciesReport.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelExportTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelImageLaunchPermission.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelImportTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelReservedInstancesListing.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelSpotFleetRequests.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelSpotInstanceRequests.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ConfirmProductInstance.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyFpgaImage.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyImage.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopySnapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyVolumes.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityManagerDataExport.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservationBySplitting.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservationFleet.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCarrierGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateClientVpnEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateClientVpnRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCoipCidr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCoipPool.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCustomerGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDefaultSubnet.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDefaultVpc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDelegateMacVolumeOwnershipTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateEgressOnlyInternetGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFleet.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFlowLogs.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFpgaImage.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateImage.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateImageUsageReport.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceExportTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInternetGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInterruptibleCapacityReservationAllocation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpam.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamExternalResourceVerificationToken.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamPolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamPool.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamPrefixListResolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamPrefixListResolverTarget.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamResourceDiscovery.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamScope.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateKeyPair.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLaunchTemplate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLaunchTemplateVersion.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayRouteTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayRouteTableVpcAssociation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayVirtualInterface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateLocalGatewayVirtualInterfaceGroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateMacSystemIntegrityProtectionModificationTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateManagedPrefixList.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNatGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkAcl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkAclEntry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkInsightsAccessScope.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkInsightsPath.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkInterface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateNetworkInterfacePermission.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreatePlacementGroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreatePublicIpv4Pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateReplaceRootVolumeTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateReservedInstancesListing.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRestoreImageTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRouteServer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRouteServerEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRouteServerPeer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateRouteTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSecondaryNetwork.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSecondarySubnet.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSecurityGroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSnapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSnapshots.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSpotDatafeedSubscription.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateStoreImageTask.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSubnet.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateSubnetCidrReservation.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTags.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTrafficMirrorFilter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTrafficMirrorFilterRule.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTrafficMirrorSession.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTrafficMirrorTarget.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayConnect.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayConnectPeer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayMeteringPolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayMeteringPolicyEntry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayMulticastDomain.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayPeeringAttachment.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayPolicyTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayPrefixListReference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayRouteTable.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayRouteTableAnnouncement.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateTransitGatewayVpcAttachment.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVerifiedAccessEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVerifiedAccessGroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVerifiedAccessInstance.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVerifiedAccessTrustProvider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVolume.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcBlockPublicAccessExclusion.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcEncryptionControl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcEndpointConnectionNotification.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcEndpointServiceConfiguration.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpcPeeringConnection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpnConcentrator.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpnConnection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpnConnectionRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateVpnGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteCapacityManagerDataExport.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteCarrierGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteClientVpnEndpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteClientVpnRoute.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteCoipCidr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteCoipPool.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteCustomerGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteEgressOnlyInternetGateway.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteFleets.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteFlowLogs.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DeleteFpgaImage.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• docs/design/aws-marketplace.md
• go.mod
• pkg/controller/bootimage/aws_helpers.go
• pkg/controller/bootimage/platform_helpers.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language tags to the fenced code blocks.

These five fences are currently untyped, which is already tripping markdownlint (MD040). text fits the AMI/name examples, and bash fits the DescribeImages snippet.

Also applies to: 55-57, 102-104, 112-114, 122-125

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 13-13: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/aws-marketplace.md` around lines 13 - 15, Several fenced code
blocks are missing language tags (causing MD040); add appropriate languages: for
the AMI/name example blocks such as the string
"RHEL-9.4-RHCOS-4.18_HVM_GA-20251119-x86_64-0-59ead7de-2540-4653-a8b0-fa7926d5c845"
mark the fence as ```text, and for the AWS DescribeImages command block mark the
fence as ```bash (apply the same change to the other untyped fences noted around
lines with similar AMI/name examples and the DescribeImages snippet).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In OpenShift and ROSA AWS credential flows, what formats can the aws-cloud-credentialssecret created from a CredentialsRequest take? Specifically, can it contain temporary credentials requiringaws_session_tokenor web-identity/role-based configuration instead of onlyaws_access_key_idandaws_secret_access_key?

💡 Result:

In OpenShift and ROSA AWS credential flows, the aws-cloud-credentials secret created from a CredentialsRequest can take two main formats depending on the Cloud Credential Operator (CCO) mode. In mint or passthrough modes (using long-lived credentials), the secret contains aws_access_key_id and aws_secret_access_key as base64-encoded keys [1][2][3]. In manual mode with AWS Security Token Service (STS), which is the default for ROSA and recommended for OpenShift on AWS, the secret uses a credentials key containing an AWS config profile with role_arn (or role_name), web_identity_token_file (typically /var/run/secrets/openshift/serviceaccount/token), and often sts_regional_endpoints = regional. This enables web-identity federation where components assume IAM roles using service account tokens to obtain temporary credentials; it does not store static keys or aws_session_token directly in the secret [4][5][1]. No sources indicate support for temporary credentials with aws_session_token (from AssumeRole etc.) in the secret itself; instead, STS mode uses web-identity config for dynamic temporary creds [6][7][8].

Citations:

• 1: https://docs.openshift.com/container-platform/latest/authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.html
• 2: https://docs.redhat.com/en/documentation/openshift_container_platform/4.8/html/authentication_and_authorization/managing-cloud-provider-credentials
• 3: https://docs.redhat.com/en/documentation/openshift_container_platform/4.7/html/authentication_and_authorization/managing-cloud-provider-credentials
• 4: https://docs.okd.io/4.10/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
• 5: https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md
• 6: https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/security_apis/credentialsrequest-cloudcredential-openshift-io-v1
• 7: https://docs.redhat.com/it/documentation/red_hat_openshift_service_on_aws/4/html/introduction_to_rosa/cloud-experts-rosa-hcp-sts-explained
• 8: https://access.redhat.com/solutions/7031405

---

🏁 Script executed:

cd /tmp && git ls-files | head -20

Repository: openshift/machine-config-operator

Length of output: 146

---

🏁 Script executed:

# Find the file and get full context around the function
find . -name "aws_helpers.go" -path "*/bootimage/*"

Repository: openshift/machine-config-operator

Length of output: 119

---

🏁 Script executed:

# Once we locate it, examine the full function
# First, let's find it
fd -t f aws_helpers.go | grep -i bootimage

Repository: openshift/machine-config-operator

Length of output: 117

---

🏁 Script executed:

wc -l pkg/controller/bootimage/aws_helpers.go

Repository: openshift/machine-config-operator

Length of output: 121

---

🏁 Script executed:

cat -n pkg/controller/bootimage/aws_helpers.go

Repository: openshift/machine-config-operator

Length of output: 11166

---

🏁 Script executed:

# Check if there are comments or context about credential mode support
rg -i "sts|credential.*mode|mint.*mode" pkg/controller/bootimage/ -A 2 -B 2

Repository: openshift/machine-config-operator

Length of output: 9490

---

🏁 Script executed:

# Check README or documentation
find . -name "README*" -o -name "*.md" | xargs grep -l "bootimage\|credential" 2>/dev/null | head -5

Repository: openshift/machine-config-operator

Length of output: 224

---

🏁 Script executed:

# Look for other credential handling patterns in the codebase
rg "aws_access_key_id|aws_secret_access_key" --type go | head -20

Repository: openshift/machine-config-operator

Length of output: 437

---

Add support for AWS STS credentials in the EC2 client.

This loader only handles static key/secret pairs from the aws-cloud-credentials secret. However, OpenShift's Cloud Credential Operator supports multiple credential modes, and STS mode (the default for ROSA) stores AWS config profile data with role_arn and web_identity_token_file instead of static keys. The current code will fail when the secret contains STS-format credentials. If ROSA/STS clusters are in scope for this bootimage controller, this credential format must be supported.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/bootimage/aws_helpers.go` around lines 81 - 90, The current
EC2 client loader in aws_helpers.go only uses static keys
(accessKeyID/secretAccessKey) and fails for STS/web-identity secrets; update the
logic in the function that builds the ec2.Options (the section using
accessKeyID, secretAccessKey and credentials.NewStaticCredentialsProvider) to
detect STS format (presence of role_arn and web_identity_token_file) and, when
present, construct a WebIdentity/ST S credentials provider from the token file
and role_arn and set that as the Credentials in ec2.New; if both static keys and
STS fields are missing return a clear error referencing
awsCredentialsSecretName. Ensure the new branch populates
ec2.New(ec2.Options{Region: region, Credentials: <web-identity provider>}) while
keeping the existing static-credentials branch using
credentials.NewStaticCredentialsProvider(accessKeyID, secretAccessKey, "").

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat marketplace AMIs without a parsed product ID as unsupported.

If extractProductID returns "", this branch still classifies the image as marketplace. Downstream, findMarketplaceAMI turns that into Name=name,Values=*, which can select the newest matching marketplace AMI from the wrong offering.

Suggested fix

 	case awsMarketplaceOwnerID:
 		productID := extractProductID(aws.ToString(image.Name))
+		if productID == "" {
+			return amiKindUnknown, ""
+		}
 		if productID == rosaProductID {
 			return amiKindROSA, productID
 		}
 		return amiKindMarketplace, productID

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	case awsMarketplaceOwnerID:
	productID := extractProductID(aws.ToString(image.Name))
	if productID == rosaProductID {
	return amiKindROSA, productID
	}
	return amiKindMarketplace, productID
	case awsMarketplaceOwnerID:
	productID := extractProductID(aws.ToString(image.Name))
	if productID == "" {
	return amiKindUnknown, ""
	}
	if productID == rosaProductID {
	return amiKindROSA, productID
	}
	return amiKindMarketplace, productID

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/bootimage/aws_helpers.go` around lines 113 - 118, The
awsMarketplaceOwnerID branch currently treats any image as marketplace even when
extractProductID(aws.ToString(image.Name)) returns "", which causes
findMarketplaceAMI to match overly broad AMIs; update the branch in
pkg/controller/bootimage/aws_helpers.go (the case handling
awsMarketplaceOwnerID) to detect an empty productID and treat it as unsupported
instead of amiKindMarketplace—i.e., if productID == "" return an
unsupported/invalid kind (or nil/empty indicator used elsewhere) along with the
productID, otherwise keep the existing rosaProductID -> amiKindROSA and
non-empty productID -> amiKindMarketplace behavior so downstream
findMarketplaceAMI never receives an empty product ID.