From b168eaab7aa04f8fc300b38bf67f9c26bf02c28a Mon Sep 17 00:00:00 2001
From: George Fu <kuhe@users.noreply.github.com>
Date: Mon, 28 Nov 2022 15:33:49 -0500
Subject: [PATCH] fix(event_listeners): check identity type in
 VALIDATE_CREDENTIALS (#4287)

---
 .../bugfix-event-listeners-44cd040f.json      |  5 +++
 lib/event_listeners.js                        | 35 ++++++++++++++-----
 2 files changed, 31 insertions(+), 9 deletions(-)
 create mode 100644 .changes/next-release/bugfix-event-listeners-44cd040f.json

diff --git a/.changes/next-release/bugfix-event-listeners-44cd040f.json b/.changes/next-release/bugfix-event-listeners-44cd040f.json
new file mode 100644
index 0000000000..4f8bac8ca4
--- /dev/null
+++ b/.changes/next-release/bugfix-event-listeners-44cd040f.json
@@ -0,0 +1,5 @@
+{
+  "type": "bugfix",
+  "category": "event_listeners",
+  "description": "differentiate identity type in VALIDATE_CREDENTIALS listener"
+}
\ No newline at end of file
diff --git a/lib/event_listeners.js b/lib/event_listeners.js
index 1dbee1d3b4..094eb98b5c 100644
--- a/lib/event_listeners.js
+++ b/lib/event_listeners.js
@@ -92,16 +92,33 @@ function getIdentityType(req) {
 
 AWS.EventListeners = {
   Core: new SequentialExecutor().addNamedListeners(function(add, addAsync) {
-    addAsync('VALIDATE_CREDENTIALS', 'validate',
-        function VALIDATE_CREDENTIALS(req, done) {
-      if (!req.service.api.signatureVersion && !req.service.config.signatureVersion) return done(); // none
-      req.service.config.getCredentials(function(err) {
-        if (err) {
-          req.response.error = AWS.util.error(err,
-            {code: 'CredentialsError', message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1'});
+    addAsync(
+      'VALIDATE_CREDENTIALS', 'validate',
+      function VALIDATE_CREDENTIALS(req, done) {
+        if (!req.service.api.signatureVersion && !req.service.config.signatureVersion) return done(); // none
+
+        var identityType = getIdentityType(req);
+        if (identityType === 'bearer') {
+          req.service.config.getToken(function(err) {
+            if (err) {
+              req.response.error = AWS.util.error(err, {code: 'TokenError'});
+            }
+            done();
+          });
+          return;
         }
-        done();
-      });
+
+        req.service.config.getCredentials(function(err) {
+          if (err) {
+            req.response.error = AWS.util.error(err,
+              {
+                code: 'CredentialsError',
+                message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1'
+              }
+            );
+          }
+          done();
+        });
     });
 
     add('VALIDATE_REGION', 'validate', function VALIDATE_REGION(req) {