Only send AWS Credentials ENV to indexer when AWS config is enabled

ee/changelogs/unreleased/231528-conditionally-fetching-aws-creds.yml

+---
+title: Only send AWS Credentials ENV to indexer when AWS config is enabled
+merge_request: 37865
+author:
+type: fixed

ee/lib/gitlab/elastic/indexer.rb

@@ -110,7 +110,9 @@ module Gitlab
         }
 
         # Set AWS environment variables for IAM role authentication if present
-        vars = build_aws_credentials_env(vars)
+        if Gitlab::CurrentSettings.elasticsearch_config[:aws]
+          vars = build_aws_credentials_env(vars)
+        end
 
         # Users can override default SSL certificate path via SSL_CERT_FILE SSL_CERT_DIR
         vars.merge(ENV.slice('SSL_CERT_FILE', 'SSL_CERT_DIR'))

ee/spec/lib/gitlab/elastic/indexer_spec.rb

@@ -345,12 +345,26 @@ RSpec.describe Gitlab::Elastic::Indexer do
       allow(Gitlab::Elastic::Client).to receive(:aws_credential_provider).and_return(credentials)
     end
 
-    it 'credentials env vars will be included' do
-      expect(subject).to include({
-        'AWS_ACCESS_KEY_ID' => access_key_id,
-        'AWS_SECRET_ACCESS_KEY' => secret_access_key,
-        'AWS_SESSION_TOKEN' => session_token
-      })
+    context 'when AWS config is not enabled' do
+      it 'credentials env vars will not be included' do
+        expect(subject).not_to include('AWS_ACCESS_KEY_ID')
+        expect(subject).not_to include('AWS_SECRET_ACCESS_KEY')
+        expect(subject).not_to include('AWS_SESSION_TOKEN')
+      end
+    end
+
+    context 'when AWS config is enabled' do
+      before do
+        stub_application_setting(elasticsearch_aws: true)
+      end
+
+      it 'credentials env vars will be included' do
+        expect(subject).to include({
+          'AWS_ACCESS_KEY_ID' => access_key_id,
+          'AWS_SECRET_ACCESS_KEY' => secret_access_key,
+          'AWS_SESSION_TOKEN' => session_token
+        })
+      end
     end
   end