@@ -409,8 +409,13 @@ class EKSWorkloadIdentity:
409409 The token is read fresh on each token exchange request, allowing for token rotation
410410 without requiring application restart.
411411
412+ Environment Variable Discovery (when token_file_path is not provided):
413+ 1. KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE - Custom token file path (highest priority)
414+ 2. AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE - AWS EKS default location
415+ 3. AWS_WEB_IDENTITY_TOKEN_FILE - AWS fallback location
416+
412417 Example:
413- # Default configuration (uses AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE env var )
418+ # Default configuration (discovers from environment variables )
414419 provider = EKSWorkloadIdentity()
415420
416421 # Explicit token file path
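Review bot: The new docstring lists `KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE` as the highest-priority variable, but nothing visible in this commit reads it. The `default_env_var_names` list added in the next hunk holds only the two AWS names, so with `EKSWorkloadIdentity()` that variable appears to be ignored unless code outside these hunks passes it as `env_var_name`. Either add it as the first entry of `default_env_var_names` or reword the docstring to say that it is only consulted when the caller supplies it. The documented order matters because it tells operators which token file the workload will actually present. The class body continues outside this hunk.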
@@ -423,39 +428,50 @@ class EKSWorkloadIdentity:
423428 env_var_name="MY_CUSTOM_TOKEN_FILE_ENV_VAR"
424429 )
425430 """
426- default_env_var_name = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
431+ default_env_var_names = [ "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE" , "AWS_WEB_IDENTITY_TOKEN_FILE" ]
427432
428433 def __init__ (
429434 self ,
430435 token_file_path : str | None = None ,
431- env_var_name : str = default_env_var_name ,
436+ env_var_name : str | None = None ,
432437 ):
433438 """Initialize EKS workload identity provider.
434439
435440 Args:
436441 token_file_path: Explicit path to the token file. If not provided,
437442 reads from the environment variable specified by env_var_name.
438443 env_var_name: Name of the environment variable containing the token file path.
439- Defaults to AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.
440444
441445 Raises:
442446 EKSWorkloadIdentityConfigurationError: If token file cannot be read or is empty.
443447 """
444- self .env_var_name = env_var_name
445-
446448 if token_file_path is not None :
447449 self .token_file_path = token_file_path
450+ self .env_var_name = env_var_name # Store the env_var_name even when token_file_path is provided
448451 else :
449- self .token_file_path = os . environ . get (env_var_name )
452+ self .token_file_path , self . env_var_name = self . _get_token_file_path (env_var_name )
450453 if not self .token_file_path :
451454 raise EKSWorkloadIdentityConfigurationError (
452455 token_file_path = None ,
453456 env_var_name = env_var_name ,
454- error_details = f"Environment variable { env_var_name } is not set " ,
457+ error_details = "Could not find token file path in environment variables " ,
455458 )
456459
457460 self ._validate_token_file ()
458461
462+ def _get_token_file_path (self , env_var_name : str | None ) -> tuple [str , str ]:
463+ """Get the token file path from the environment variables.
464+
465+ Returns:
466+ Tuple containing the token file path and the environment variable name.
467+ """
468+ env_names = self .default_env_var_names if env_var_name is None else [env_var_name , * self .default_env_var_names ]
469+ return next ((
470+ (os .environ .get (env_name ), env_name )
471+ for env_name in env_names
472+ if os .environ .get (env_name )
473+ ), (None , None ))
474+
459475 def _validate_token_file (self ) -> None :
460476 """Validate that the token file exists and can be read.
461477