From 8b1672bae78d56f6fd868049f3ffacdc6363c8c3 Mon Sep 17 00:00:00 2001
From: TheJenne18
Date: Thu, 4 Jun 2026 11:55:25 +0200
Subject: [PATCH] Allow AWS SDK credential chain for S3 storage

When STORAGE_S3_KEY / STORAGE_S3_SECRET are unset, the previous default placeholder strings ('your-key' / 'your-secret') were passed as explicit credentials to the AWS PHP SDK. Because the SDK treats any non-null key+secret as credentials, it never consulted its default credential provider chain, breaking IAM-role-based setups (ECS task role on Fargate/EC2, EKS IRSA, EC2 instance profile, Lambda execution role). Changing the defaults to null lets the SDK fall through to the credential chain when these env vars are omitted, while preserving existing behaviour for users who set them explicitly.
---
 app/Config/filesystems.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/Config/filesystems.php b/app/Config/filesystems.php
index facf5f2df2f..aa74d15a8f9 100644
--- a/app/Config/filesystems.php
+++ b/app/Config/filesystems.php
@@ -53,8 +53,13 @@
 's3' => [
 'driver' => 's3',
- 'key' => env('STORAGE_S3_KEY', 'your-key'),
- 'secret' => env('STORAGE_S3_SECRET', 'your-secret'),
+ // When STORAGE_S3_KEY / STORAGE_S3_SECRET are unset, default to null
+ // so the AWS SDK falls back to its default credential provider chain
+ // (env vars, ECS/EKS container credentials, EC2 instance profile, ...).
+ // Providing non-null placeholders here would short-circuit the chain
+ // and force every call to use the placeholders as explicit credentials.
+ 'key' => env('STORAGE_S3_KEY'),
+ 'secret' => env('STORAGE_S3_SECRET'),
 'region' => env('STORAGE_S3_REGION', 'your-region'),
 'bucket' => env('STORAGE_S3_BUCKET', 'your-bucket'),
 'endpoint' => env('STORAGE_S3_ENDPOINT', null),
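Review bot: The new `'key'` / `'secret'` lines leave a half-configured pair undefined: with both defaults null, a deployment that sets only one of STORAGE_S3_KEY / STORAGE_S3_SECRET (or sets one to an empty string) can look the same as an intentional role-based setup. Whether that case raises an error or quietly falls through to the ambient credential chain depends on how the S3 driver assembles the credentials array, which is outside this hunk. If it falls through, storage calls run as the host or task identity rather than the key the operator believed they had configured. I would extend the added comment with `// Set both or neither: a partially set pair may fall back to the ambient IAM role.` and add a line noting that the role used this way should be scoped to the storage bucket only. The `'s3'` array opens in this hunk but closes outside it, so any validation of the pair would have to live where the disk is built.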