From 6a81855e2023d43d0a6fb98e754d5aabef68061c Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Wed, 26 Nov 2025 13:59:33 +0530
Subject: [PATCH 1/7] feat(auth) - support aws sdk v2 for registry auth

---
 .../auth/ecr/AwsSdkAuthConfigFactory.java     |  74 ++-
 .../docker/auth/ecr/AwsSdkAuthHelper.java     |  79 +++
 .../service/docker/auth/ecr/AwsSdkHelper.java | 215 +++++--
 .../docker/auth/ecr/AwsSdkHelperV1.java       | 120 ++++
 .../docker/auth/ecr/AwsSdkHelperV2.java       | 151 +++++
 .../auth/DockerAuthConfigFactoryTest.java     | 562 +++++++++---------
 .../AwsSdkDockerAuthConfigFactoryTest.java    | 129 ++--
 .../docker/auth/ecr/AwsSdkHelperTest.java     | 133 +++++
 .../docker/auth/ecr/AwsSdkHelperV1Test.java   |  98 +++
 .../docker/auth/ecr/AwsSdkHelperV2Test.java   |  98 +++
 10 files changed, 1240 insertions(+), 419 deletions(-)
 create mode 100644 jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthHelper.java
 create mode 100644 jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
 create mode 100644 jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperTest.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java

diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthConfigFactory.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthConfigFactory.java
index f79a642a75..ff985e3277 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthConfigFactory.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthConfigFactory.java
@@ -21,44 +21,52 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+/**
+ * Factory for creating AWS authentication configuration using AWS SDK.
+ * Supports both AWS SDK v1 and v2 through the AwsSdkHelper abstraction.
+ */
 public class AwsSdkAuthConfigFactory {
+  private final KitLogger log;
+  private final AwsSdkHelper awsSdkHelper;
 
-    private final KitLogger log;
-    private final AwsSdkHelper awsSdkHelper;
+  public AwsSdkAuthConfigFactory(KitLogger log, AwsSdkHelper awsSdkHelper) {
+    this.log = log;
+    this.awsSdkHelper = awsSdkHelper;
+  }
 
-    public AwsSdkAuthConfigFactory(KitLogger log, AwsSdkHelper awsSdkHelper) {
-        this.log = log;
-        this.awsSdkHelper = awsSdkHelper;
-    }
+  /**
+   * Create authentication configuration from AWS SDK default credentials provider.
+   * Automatically works with both AWS SDK v1 and v2.
+   *
+   * @return AuthConfig with AWS credentials or null if credentials cannot be retrieved
+   */
+  public AuthConfig createAuthConfig() {
+    try {
+      log.debug("Attempting to get AWS credentials from SDK %s", awsSdkHelper.getSdkVersion());
+      AuthConfig authConfig = awsSdkHelper.getAuthConfigFromDefaultCredentialsProvider();
 
-    public AuthConfig createAuthConfig() {
-        try {
-            Object credentials = awsSdkHelper.getCredentialsFromDefaultAWSCredentialsProviderChain();
-            if (credentials == null) {
-                return null;
-            }
+      if (authConfig == null) {
+        log.debug("No AWS credentials found from SDK default credentials provider");
+        return null;
+      }
 
-            return AuthConfig.builder()
-                    .username(awsSdkHelper.getAWSAccessKeyIdFromCredentials(credentials))
-                    .password(awsSdkHelper.getAwsSecretKeyFromCredentials(credentials))
-                    .email("none")
-                    .auth(awsSdkHelper.getSessionTokenFromCrendentials(credentials))
-                    .build();
-        } catch (Exception t) {
-            String issueTitle = null;
-            try {
-                issueTitle = URLEncoder.encode("Failed calling AWS SDK: " + t.getMessage(), UTF_8.name());
-            } catch (UnsupportedEncodingException ignore) {
-            }
-            log.warn("Failed to fetch AWS credentials: %s", t.getMessage());
-            if (t.getCause() != null) {
-                log.warn("Caused by: %s", t.getCause().getMessage());
-            }
-            log.warn("Please report a bug at https://github.com/eclipse-jkube/jkube/issues/new?%s",
-                    issueTitle == null ? "" : "title=?" + issueTitle);
-            log.warn("%s", t);
-            return null;
-        }
+      log.debug("Successfully retrieved AWS credentials from SDK %s", awsSdkHelper.getSdkVersion());
+      return authConfig;
+    } catch (Exception t) {
+      String issueTitle = null;
+      try {
+        issueTitle = URLEncoder.encode("Failed calling AWS SDK: " + t.getMessage(), UTF_8.name());
+      } catch (UnsupportedEncodingException ignore) {
+      }
+      log.warn("Failed to fetch AWS credentials using SDK %s: %s", awsSdkHelper.getSdkVersion(), t.getMessage());
+      if (t.getCause() != null) {
+        log.warn("Caused by: %s", t.getCause().getMessage());
+      }
+      log.warn("Please report a bug at https://github.com/eclipse-jkube/jkube/issues/new?%s",
+          issueTitle == null ? "" : "title=?" + issueTitle);
+      log.debug("Exception details: %s", t);
+      return null;
     }
+  }
 
 }
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthHelper.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthHelper.java
new file mode 100644
index 0000000000..2a7820dfcb
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkAuthHelper.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+
+/**
+ * Interface for AWS SDK authentication helpers.
+ * Supports both AWS SDK v1 and v2 through reflection to avoid hard dependencies.
+ */
+public interface AwsSdkAuthHelper {
+
+  /**
+   * Check if AWS SDK is present in the classpath.
+   *
+   * @return true if AWS SDK is available, false otherwise
+   */
+  boolean isAwsSdkAvailable();
+
+  /**
+   * Get AWS SDK version.
+   *
+   * @return version string (e.g., "v1", "v2")
+   */
+  String getSdkVersion();
+
+  /**
+   * Get AWS Access Key ID from environment variable.
+   *
+   * @return AWS Access Key ID or null
+   */
+  String getAwsAccessKeyIdEnvVar();
+
+  /**
+   * Get AWS Secret Access Key from environment variable.
+   *
+   * @return AWS Secret Access Key or null
+   */
+  String getAwsSecretAccessKeyEnvVar();
+
+  /**
+   * Get AWS Session Token from environment variable.
+   *
+   * @return AWS Session Token or null
+   */
+  String getAwsSessionTokenEnvVar();
+
+  /**
+   * Get AWS Container Credentials Relative URI from environment variable.
+   *
+   * @return relative URI or null
+   */
+  String getAwsContainerCredentialsRelativeUri();
+
+  /**
+   * Get ECS Metadata Endpoint.
+   *
+   * @return ECS metadata endpoint URL
+   */
+  String getEcsMetadataEndpoint();
+
+  /**
+   * Get AWS credentials using default credentials provider chain.
+   *
+   * @return AuthConfig with credentials or null if not available
+   */
+  AuthConfig getCredentialsFromDefaultCredentialsProvider();
+}
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelper.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelper.java
index 9a51616e3d..14e8921c68 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelper.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelper.java
@@ -15,69 +15,178 @@
 
 import java.lang.reflect.InvocationTargetException;
 
+/**
+ * Factory for AWS SDK helpers that supports both AWS SDK v1 and v2.
+ * Automatically detects which SDK version is available on the classpath.
+ * Maintains backward compatibility with the original AwsSdkHelper API.
+ */
 public class AwsSdkHelper {
-    private static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
-    private static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
-    private static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
-    private static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
-    private static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
-    private static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
-    private static final String DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN = "com.amazonaws.auth.DefaultAWSCredentialsProviderChain";
-    private static final String AWS_SESSION_CREDENTIALS = "com.amazonaws.auth.AWSSessionCredentials";
-    private static final String AWS_CREDENTIALS = "com.amazonaws.auth.AWSCredentials";
-
-    public boolean isDefaultAWSCredentialsProviderChainPresentInClassPath() {
-        try {
-            Class.forName(DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN);
-            return true;
-        } catch (ClassNotFoundException e) {
-            return false;
-        }
-    }
+  private final AwsSdkAuthHelper delegate;
 
-    public String getAwsAccessKeyIdEnvVar() {
-        return System.getenv(ACCESS_KEY_ID);
-    }
+  /**
+   * Creates an AwsSdkHelper that automatically detects the available AWS SDK version.
+   * Tries AWS SDK v2 first, then falls back to v1.
+   */
+  public AwsSdkHelper() {
+    this.delegate = createHelper();
+  }
 
-    public String getAwsSecretAccessKeyEnvVar() {
-        return System.getenv(SECRET_ACCESS_KEY);
-    }
+  /**
+   * Constructor for testing that allows injecting a specific helper implementation.
+   *
+   * @param delegate the helper implementation to use
+   */
+  public AwsSdkHelper(AwsSdkAuthHelper delegate) {
+    this.delegate = delegate;
+  }
 
-    public String getAwsSessionTokenEnvVar() {
-        return System.getenv(SESSION_TOKEN);
+  /**
+   * Creates the appropriate AWS SDK helper based on what's available on the classpath.
+   * Prefers AWS SDK v2 over v1 when both are available.
+   *
+   * @return AWS SDK helper instance
+   */
+  private static AwsSdkAuthHelper createHelper() {
+    // Try v2 first (recommended)
+    AwsSdkHelperV2 v2Helper = new AwsSdkHelperV2();
+    if (v2Helper.isAwsSdkAvailable()) {
+      return v2Helper;
     }
 
-    public String getAwsContainerCredentialsRelativeUri() {
-        return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
+    // Fall back to v1
+    AwsSdkHelperV1 v1Helper = new AwsSdkHelperV1();
+    if (v1Helper.isAwsSdkAvailable()) {
+      return v1Helper;
     }
 
-    public String getEcsMetadataEndpoint() {
-        String endpoint = System.getenv(METADATA_ENDPOINT);
-        if (endpoint == null) {
-            return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
-        }
-        return endpoint;
-    }
+    // Return v1 helper even if not available (for null checks compatibility)
+    return v1Helper;
+  }
 
-    public Object getCredentialsFromDefaultAWSCredentialsProviderChain() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
-        Class<?> credentialsProviderChainClass = Class.forName(DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN);
-        Object credentialsProviderChain = credentialsProviderChainClass.getDeclaredConstructor().newInstance();
-        return credentialsProviderChainClass.getMethod("getCredentials").invoke(credentialsProviderChain);
-    }
+  /**
+   * Get the detected AWS SDK version.
+   *
+   * @return "v1", "v2", or "none" if no SDK is available
+   */
+  public String getSdkVersion() {
+    return delegate.getSdkVersion();
+  }
 
-    public String getSessionTokenFromCrendentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
-        Class<?> sessionCredentialsClass = Class.forName(AWS_SESSION_CREDENTIALS);
-        return sessionCredentialsClass.isInstance(credentials)
-                ? (String) sessionCredentialsClass.getMethod("getSessionToken").invoke(credentials) : null;
-    }
+  /**
+   * Check if AWS SDK credentials provider is present in the classpath.
+   * Works with both AWS SDK v1 and v2.
+   *
+   * @return true if AWS SDK is available
+   */
+  public boolean isDefaultAWSCredentialsProviderChainPresentInClassPath() {
+    return delegate.isAwsSdkAvailable();
+  }
 
-    public String getAWSAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
-        Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
-        return (String) credentialsClass.getMethod("getAWSAccessKeyId").invoke(credentials);
-    }
+  public String getAwsAccessKeyIdEnvVar() {
+    return delegate.getAwsAccessKeyIdEnvVar();
+  }
 
-    public String getAwsSecretKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
-        Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
-        return (String) credentialsClass.getMethod("getAWSSecretKey").invoke(credentials);
-    }
+  public String getAwsSecretAccessKeyEnvVar() {
+    return delegate.getAwsSecretAccessKeyEnvVar();
+  }
+
+  public String getAwsSessionTokenEnvVar() {
+    return delegate.getAwsSessionTokenEnvVar();
+  }
+
+  public String getAwsContainerCredentialsRelativeUri() {
+    return delegate.getAwsContainerCredentialsRelativeUri();
+  }
+
+  public String getEcsMetadataEndpoint() {
+    return delegate.getEcsMetadataEndpoint();
+  }
+
+  /**
+   * Get credentials from the default AWS credentials provider chain.
+   * This method is deprecated - use getAuthConfigFromDefaultCredentialsProvider() instead.
+   *
+   * @return credentials object (AWS SDK specific type)
+   * @throws ClassNotFoundException    if AWS SDK classes not found
+   * @throws NoSuchMethodException     if AWS SDK methods not found
+   * @throws InvocationTargetException if AWS SDK method invocation fails
+   * @throws InstantiationException    if AWS SDK object instantiation fails
+   * @throws IllegalAccessException    if AWS SDK method access fails
+   * @deprecated Use {@link #getAuthConfigFromDefaultCredentialsProvider()} instead
+   */
+  @Deprecated
+  public Object getCredentialsFromDefaultAWSCredentialsProviderChain() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
+    // This method is kept for backward compatibility but we can't return the actual credentials object
+    // since we don't know which SDK version is being used. Callers should use the new method.
+    throw new UnsupportedOperationException(
+        "This method is deprecated. Use getAuthConfigFromDefaultCredentialsProvider() instead, " +
+            "which works with both AWS SDK v1 and v2.");
+  }
+
+  /**
+   * Get session token from credentials object.
+   * This method is deprecated - use getAuthConfigFromDefaultCredentialsProvider() instead.
+   *
+   * @param credentials credentials object
+   * @return session token or null
+   * @throws ClassNotFoundException    if AWS SDK classes not found
+   * @throws NoSuchMethodException     if AWS SDK methods not found
+   * @throws InvocationTargetException if AWS SDK method invocation fails
+   * @throws IllegalAccessException    if AWS SDK method access fails
+   * @deprecated Use {@link #getAuthConfigFromDefaultCredentialsProvider()} instead
+   */
+  @Deprecated
+  public String getSessionTokenFromCrendentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    throw new UnsupportedOperationException(
+        "This method is deprecated. Use getAuthConfigFromDefaultCredentialsProvider() instead, " +
+            "which works with both AWS SDK v1 and v2.");
+  }
+
+  /**
+   * Get AWS access key ID from credentials object.
+   * This method is deprecated - use getAuthConfigFromDefaultCredentialsProvider() instead.
+   *
+   * @param credentials credentials object
+   * @return access key ID
+   * @throws ClassNotFoundException    if AWS SDK classes not found
+   * @throws NoSuchMethodException     if AWS SDK methods not found
+   * @throws InvocationTargetException if AWS SDK method invocation fails
+   * @throws IllegalAccessException    if AWS SDK method access fails
+   * @deprecated Use {@link #getAuthConfigFromDefaultCredentialsProvider()} instead
+   */
+  @Deprecated
+  public String getAWSAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    throw new UnsupportedOperationException(
+        "This method is deprecated. Use getAuthConfigFromDefaultCredentialsProvider() instead, " +
+            "which works with both AWS SDK v1 and v2.");
+  }
+
+  /**
+   * Get AWS secret access key from credentials object.
+   * This method is deprecated - use getAuthConfigFromDefaultCredentialsProvider() instead.
+   *
+   * @param credentials credentials object
+   * @return secret access key
+   * @throws ClassNotFoundException    if AWS SDK classes not found
+   * @throws NoSuchMethodException     if AWS SDK methods not found
+   * @throws InvocationTargetException if AWS SDK method invocation fails
+   * @throws IllegalAccessException    if AWS SDK method access fails
+   * @deprecated Use {@link #getAuthConfigFromDefaultCredentialsProvider()} instead
+   */
+  @Deprecated
+  public String getAwsSecretKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    throw new UnsupportedOperationException(
+        "This method is deprecated. Use getAuthConfigFromDefaultCredentialsProvider() instead, " +
+            "which works with both AWS SDK v1 and v2.");
+  }
+
+  /**
+   * Get AuthConfig from the default AWS credentials provider.
+   * Works with both AWS SDK v1 and v2.
+   *
+   * @return AuthConfig with credentials or null if not available
+   */
+  public org.eclipse.jkube.kit.build.api.auth.AuthConfig getAuthConfigFromDefaultCredentialsProvider() {
+    return delegate.getCredentialsFromDefaultCredentialsProvider();
+  }
 }
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
new file mode 100644
index 0000000000..a7b26ca09a
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+
+import java.lang.reflect.InvocationTargetException;
+
+/**
+ * AWS SDK v1 authentication helper.
+ * Uses reflection to avoid hard dependency on AWS SDK v1.
+ */
+public class AwsSdkHelperV1 implements AwsSdkAuthHelper {
+  private static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
+  private static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
+  private static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
+  private static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+  private static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
+  private static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
+  private static final String DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN = "com.amazonaws.auth.DefaultAWSCredentialsProviderChain";
+  private static final String AWS_SESSION_CREDENTIALS = "com.amazonaws.auth.AWSSessionCredentials";
+  private static final String AWS_CREDENTIALS = "com.amazonaws.auth.AWSCredentials";
+
+  @Override
+  public boolean isAwsSdkAvailable() {
+    try {
+      Class.forName(DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN);
+      return true;
+    } catch (ClassNotFoundException e) {
+      return false;
+    }
+  }
+
+  @Override
+  public String getSdkVersion() {
+    return "v1";
+  }
+
+  @Override
+  public String getAwsAccessKeyIdEnvVar() {
+    return System.getenv(ACCESS_KEY_ID);
+  }
+
+  @Override
+  public String getAwsSecretAccessKeyEnvVar() {
+    return System.getenv(SECRET_ACCESS_KEY);
+  }
+
+  @Override
+  public String getAwsSessionTokenEnvVar() {
+    return System.getenv(SESSION_TOKEN);
+  }
+
+  @Override
+  public String getAwsContainerCredentialsRelativeUri() {
+    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
+  }
+
+  @Override
+  public String getEcsMetadataEndpoint() {
+    String endpoint = System.getenv(METADATA_ENDPOINT);
+    if (endpoint == null) {
+      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
+    }
+    return endpoint;
+  }
+
+  @Override
+  public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
+    try {
+      Object credentials = getCredentialsFromDefaultAWSCredentialsProviderChain();
+      if (credentials == null) {
+        return null;
+      }
+
+      return AuthConfig.builder()
+          .username(getAWSAccessKeyIdFromCredentials(credentials))
+          .password(getAwsSecretKeyFromCredentials(credentials))
+          .email("none")
+          .auth(getSessionTokenFromCredentials(credentials))
+          .build();
+    } catch (Exception e) {
+      // Return null if credentials cannot be retrieved
+      return null;
+    }
+  }
+
+  private Object getCredentialsFromDefaultAWSCredentialsProviderChain() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
+    Class<?> credentialsProviderChainClass = Class.forName(DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN);
+    Object credentialsProviderChain = credentialsProviderChainClass.getDeclaredConstructor().newInstance();
+    return credentialsProviderChainClass.getMethod("getCredentials").invoke(credentialsProviderChain);
+  }
+
+  private String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> sessionCredentialsClass = Class.forName(AWS_SESSION_CREDENTIALS);
+    return sessionCredentialsClass.isInstance(credentials)
+        ? (String) sessionCredentialsClass.getMethod("getSessionToken").invoke(credentials) : null;
+  }
+
+  private String getAWSAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
+    return (String) credentialsClass.getMethod("getAWSAccessKeyId").invoke(credentials);
+  }
+
+  private String getAwsSecretKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
+    return (String) credentialsClass.getMethod("getAWSSecretKey").invoke(credentials);
+  }
+}
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
new file mode 100644
index 0000000000..70cf39671a
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+/**
+ * AWS SDK v2 authentication helper.
+ * Uses reflection to avoid hard dependency on AWS SDK v2.
+ */
+public class AwsSdkHelperV2 implements AwsSdkAuthHelper {
+  private static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
+  private static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
+  private static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
+  private static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+  private static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
+  private static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
+
+  // AWS SDK v2 class names
+  private static final String DEFAULT_CREDENTIALS_PROVIDER = "software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider";
+  private static final String AWS_SESSION_CREDENTIALS = "software.amazon.awssdk.auth.credentials.AwsSessionCredentials";
+  private static final String AWS_CREDENTIALS = "software.amazon.awssdk.auth.credentials.AwsCredentials";
+
+  @Override
+  public boolean isAwsSdkAvailable() {
+    try {
+      Class.forName(DEFAULT_CREDENTIALS_PROVIDER);
+      return true;
+    } catch (ClassNotFoundException e) {
+      return false;
+    }
+  }
+
+  @Override
+  public String getSdkVersion() {
+    return "v2";
+  }
+
+  @Override
+  public String getAwsAccessKeyIdEnvVar() {
+    return System.getenv(ACCESS_KEY_ID);
+  }
+
+  @Override
+  public String getAwsSecretAccessKeyEnvVar() {
+    return System.getenv(SECRET_ACCESS_KEY);
+  }
+
+  @Override
+  public String getAwsSessionTokenEnvVar() {
+    return System.getenv(SESSION_TOKEN);
+  }
+
+  @Override
+  public String getAwsContainerCredentialsRelativeUri() {
+    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
+  }
+
+  @Override
+  public String getEcsMetadataEndpoint() {
+    String endpoint = System.getenv(METADATA_ENDPOINT);
+    if (endpoint == null) {
+      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
+    }
+    return endpoint;
+  }
+
+  @Override
+  public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
+    try {
+      Object credentials = getCredentialsFromDefaultProvider();
+      if (credentials == null) {
+        return null;
+      }
+
+      return AuthConfig.builder()
+          .username(getAccessKeyIdFromCredentials(credentials))
+          .password(getSecretAccessKeyFromCredentials(credentials))
+          .email("none")
+          .auth(getSessionTokenFromCredentials(credentials))
+          .build();
+    } catch (Exception e) {
+      // Return null if credentials cannot be retrieved
+      return null;
+    }
+  }
+
+  /**
+   * Get credentials from AWS SDK v2 DefaultCredentialsProvider.
+   * Uses reflection to call:
+   * DefaultCredentialsProvider.create().resolveCredentials()
+   */
+  private Object getCredentialsFromDefaultProvider() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> providerClass = Class.forName(DEFAULT_CREDENTIALS_PROVIDER);
+
+    // Call DefaultCredentialsProvider.create()
+    Method createMethod = providerClass.getMethod("create");
+    Object provider = createMethod.invoke(null);
+
+    // Call provider.resolveCredentials()
+    Method resolveMethod = provider.getClass().getMethod("resolveCredentials");
+    return resolveMethod.invoke(provider);
+  }
+
+  /**
+   * Get session token from AWS SDK v2 credentials if they are session credentials.
+   * Returns null if credentials don't have a session token.
+   */
+  private String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> sessionCredentialsClass = Class.forName(AWS_SESSION_CREDENTIALS);
+    if (sessionCredentialsClass.isInstance(credentials)) {
+      Method sessionTokenMethod = sessionCredentialsClass.getMethod("sessionToken");
+      return (String) sessionTokenMethod.invoke(credentials);
+    }
+    return null;
+  }
+
+  /**
+   * Get access key ID from AWS SDK v2 credentials.
+   * Calls credentials.accessKeyId()
+   */
+  private String getAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
+    Method accessKeyIdMethod = credentialsClass.getMethod("accessKeyId");
+    return (String) accessKeyIdMethod.invoke(credentials);
+  }
+
+  /**
+   * Get secret access key from AWS SDK v2 credentials.
+   * Calls credentials.secretAccessKey()
+   */
+  private String getSecretAccessKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+    Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
+    Method secretAccessKeyMethod = credentialsClass.getMethod("secretAccessKey");
+    return (String) secretAccessKeyMethod.invoke(credentials);
+  }
+}
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/DockerAuthConfigFactoryTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/DockerAuthConfigFactoryTest.java
index a71accd739..8ec1c9f626 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/DockerAuthConfigFactoryTest.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/DockerAuthConfigFactoryTest.java
@@ -22,6 +22,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+
 import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
 import org.eclipse.jkube.kit.build.api.helper.DockerFileUtil;
 import org.eclipse.jkube.kit.build.api.helper.KubernetesConfigAuthUtil;
@@ -54,311 +55,312 @@
 import static org.mockito.Mockito.when;
 
 class DockerAuthConfigFactoryTest {
-    static final String ECR_NAME = "123456789012.dkr.ecr.bla.amazonaws.com";
-    private DockerAuthConfigFactory factory;
-    private GsonBuilder gsonBuilder;
-    private KitLogger log;
-    private AwsSdkHelper awsSdkHelper;
-    private HttpServer httpServer;
-
-    @BeforeEach
-    void containerSetup() {
-        log = new KitLogger.SilentLogger();
-        awsSdkHelper = mock(AwsSdkHelper.class);
-        factory = new DockerAuthConfigFactory(log, awsSdkHelper);
-        gsonBuilder = new GsonBuilder();
-    }
-
-    @AfterEach
-    void shutdownHttpServer() {
-        if (httpServer != null) {
-            httpServer.stop();
-            httpServer = null;
-        }
+  static final String ECR_NAME = "123456789012.dkr.ecr.bla.amazonaws.com";
+  private DockerAuthConfigFactory factory;
+  private GsonBuilder gsonBuilder;
+  private KitLogger log;
+  private org.eclipse.jkube.kit.build.service.docker.auth.ecr.AwsSdkAuthHelper mockAwsSdkAuthHelper;
+  private HttpServer httpServer;
+
+  @BeforeEach
+  void containerSetup() {
+    log = new KitLogger.SilentLogger();
+    mockAwsSdkAuthHelper = mock(org.eclipse.jkube.kit.build.service.docker.auth.ecr.AwsSdkAuthHelper.class);
+    AwsSdkHelper awsSdkHelper = new AwsSdkHelper(mockAwsSdkAuthHelper);
+    factory = new DockerAuthConfigFactory(log, awsSdkHelper);
+    gsonBuilder = new GsonBuilder();
+  }
+
+  @AfterEach
+  void shutdownHttpServer() {
+    if (httpServer != null) {
+      httpServer.stop();
+      httpServer = null;
     }
-
-    @Test
-    void getAuthConfigFromSystemProperties() throws IOException {
-        // Given
-        System.setProperty("jkube.docker.username", "testuser");
-        System.setProperty("jkube.docker.password", "testpass");
-        try {
-            // When
-            AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromSystemProperties(DockerAuthConfigFactory.LookupMode.DEFAULT, s -> s);
-            // Then
-            assertAuthConfig(authConfig, "testuser", "testpass");
-        } finally {
-            System.clearProperty("jkube.docker.username");
-            System.clearProperty("jkube.docker.password");
-        }
+  }
+
+  @Test
+  void getAuthConfigFromSystemProperties() throws IOException {
+    // Given
+    System.setProperty("jkube.docker.username", "testuser");
+    System.setProperty("jkube.docker.password", "testpass");
+    try {
+      // When
+      AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromSystemProperties(DockerAuthConfigFactory.LookupMode.DEFAULT, s -> s);
+      // Then
+      assertAuthConfig(authConfig, "testuser", "testpass");
+    } finally {
+      System.clearProperty("jkube.docker.username");
+      System.clearProperty("jkube.docker.password");
     }
-
-    @Test
-    void getAuthConfigFromOpenShiftConfig() {
-        // Given
-        System.setProperty("jkube.docker.useOpenShiftAuth", "true");
-        Map<String, Object> authConfigMap = new HashMap<>();
-        try (MockedStatic<KubernetesConfigAuthUtil> mockStatic = Mockito.mockStatic(KubernetesConfigAuthUtil.class)) {
-            mockStatic.when(KubernetesConfigAuthUtil::readKubeConfigAuth).thenReturn(AuthConfig.builder()
-                    .username("test")
-                    .password("sometoken")
-                    .build());
-            // When
-            AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromOpenShiftConfig(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap);
-            // Then
-            assertAuthConfig(authConfig, "test", "sometoken");
-        } finally {
-            System.clearProperty("jkube.docker.useOpenShiftAuth");
-        }
-    }
-
-    @Test
-    void getAuthConfigFromOpenShiftConfigWithAuthConfigMap() {
-        // Given
-        Map<String, Object> authConfigMap = new HashMap<>();
-        authConfigMap.put("useOpenShiftAuth", "true");
-        try (MockedStatic<KubernetesConfigAuthUtil> mockStatic = Mockito.mockStatic(KubernetesConfigAuthUtil.class)) {
-            mockStatic.when(KubernetesConfigAuthUtil::readKubeConfigAuth).thenReturn(AuthConfig.builder()
-                .username("test")
-                .password("sometoken")
-                .build());
-            // When
-            AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromOpenShiftConfig(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap);
-
-            // Then
-            assertAuthConfig(authConfig, "test", "sometoken");
-        }
-    }
-
-    @Test
-    void getAuthConfigFromPluginConfiguration() {
-        // Given
-        Map<String, Object> authConfigMap = new HashMap<>();
-        authConfigMap.put("username", "testuser");
-        authConfigMap.put("password", "testpass");
-        authConfigMap.put("email", "test@example.com");
-
-        // When
-        AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromPluginConfiguration(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap, s -> s);
-
-        // Then
-        assertAuthConfig(authConfig, "testuser", "testpass");
-        assertThat(authConfig).hasFieldOrPropertyWithValue("email", "test@example.com");
-    }
-
-    @Test
-    void getAuthConfigFromSettings() {
-        // Given
-        List<RegistryServerConfiguration> settings = new ArrayList<>();
-        settings.add(RegistryServerConfiguration.builder()
-                .id("testregistry.io")
-                .username("testuser")
-                .password("testpass")
-                .build());
-        // When
-        AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromSettings(settings, "testuser", "testregistry.io", s -> s);
-
-        // Then
-        assertAuthConfig(authConfig, "testuser", "testpass");
+  }
+
+  @Test
+  void getAuthConfigFromOpenShiftConfig() {
+    // Given
+    System.setProperty("jkube.docker.useOpenShiftAuth", "true");
+    Map<String, Object> authConfigMap = new HashMap<>();
+    try (MockedStatic<KubernetesConfigAuthUtil> mockStatic = Mockito.mockStatic(KubernetesConfigAuthUtil.class)) {
+      mockStatic.when(KubernetesConfigAuthUtil::readKubeConfigAuth).thenReturn(AuthConfig.builder()
+          .username("test")
+          .password("sometoken")
+          .build());
+      // When
+      AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromOpenShiftConfig(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap);
+      // Then
+      assertAuthConfig(authConfig, "test", "sometoken");
+    } finally {
+      System.clearProperty("jkube.docker.useOpenShiftAuth");
     }
-
-    @Test
-    void getAuthConfigFromDockerConfig(@TempDir Path dockerConfig) throws IOException {
-        // Given
-        Files.write(dockerConfig.resolve("config.json"),
-          "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"dGVzdHVzZXI6dGVzdHBhc3M=\"}}}".getBytes());
-        final Map<String, String> env = Collections.singletonMap("DOCKER_CONFIG", dockerConfig.toFile().getAbsolutePath());
-        try {
-            EnvUtil.overrideEnvGetter(env::get);
-            // When
-            AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromDockerConfig("https://index.docker.io/v1/", log);
-            // Then
-            assertAuthConfig(authConfig, "testuser", "testpass");
-        } finally {
-            EnvUtil.overrideEnvGetter(System::getenv);
-        }
+  }
+
+  @Test
+  void getAuthConfigFromOpenShiftConfigWithAuthConfigMap() {
+    // Given
+    Map<String, Object> authConfigMap = new HashMap<>();
+    authConfigMap.put("useOpenShiftAuth", "true");
+    try (MockedStatic<KubernetesConfigAuthUtil> mockStatic = Mockito.mockStatic(KubernetesConfigAuthUtil.class)) {
+      mockStatic.when(KubernetesConfigAuthUtil::readKubeConfigAuth).thenReturn(AuthConfig.builder()
+          .username("test")
+          .password("sometoken")
+          .build());
+      // When
+      AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromOpenShiftConfig(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap);
+
+      // Then
+      assertAuthConfig(authConfig, "test", "sometoken");
     }
-
-    @Test
-    void getStandardAuthConfigFromProperties() throws IOException {
-        // Given
-        System.setProperty("jkube.docker.username", "testuser");
-        System.setProperty("jkube.docker.password", "testpass");
-        try {
-            // When
-            DockerAuthConfigFactory authConfigFactory = new DockerAuthConfigFactory(log);
-            AuthConfig authConfig = authConfigFactory.createAuthConfig(true, true, Collections.emptyMap(), Collections.emptyList(), "testuser", "testregistry.io", s -> s);
-            // Then
-            assertAuthConfig(authConfig, "testuser", "testpass");
-        } finally {
-            System.clearProperty("jkube.docker.username");
-            System.clearProperty("jkube.docker.password");
-        }
+  }
+
+  @Test
+  void getAuthConfigFromPluginConfiguration() {
+    // Given
+    Map<String, Object> authConfigMap = new HashMap<>();
+    authConfigMap.put("username", "testuser");
+    authConfigMap.put("password", "testpass");
+    authConfigMap.put("email", "test@example.com");
+
+    // When
+    AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromPluginConfiguration(DockerAuthConfigFactory.LookupMode.DEFAULT, authConfigMap, s -> s);
+
+    // Then
+    assertAuthConfig(authConfig, "testuser", "testpass");
+    assertThat(authConfig).hasFieldOrPropertyWithValue("email", "test@example.com");
+  }
+
+  @Test
+  void getAuthConfigFromSettings() {
+    // Given
+    List<RegistryServerConfiguration> settings = new ArrayList<>();
+    settings.add(RegistryServerConfiguration.builder()
+        .id("testregistry.io")
+        .username("testuser")
+        .password("testpass")
+        .build());
+    // When
+    AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromSettings(settings, "testuser", "testregistry.io", s -> s);
+
+    // Then
+    assertAuthConfig(authConfig, "testuser", "testpass");
+  }
+
+  @Test
+  void getAuthConfigFromDockerConfig(@TempDir Path dockerConfig) throws IOException {
+    // Given
+    Files.write(dockerConfig.resolve("config.json"),
+        "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"dGVzdHVzZXI6dGVzdHBhc3M=\"}}}".getBytes());
+    final Map<String, String> env = Collections.singletonMap("DOCKER_CONFIG", dockerConfig.toFile().getAbsolutePath());
+    try {
+      EnvUtil.overrideEnvGetter(env::get);
+      // When
+      AuthConfig authConfig = DockerAuthConfigFactory.getAuthConfigFromDockerConfig("https://index.docker.io/v1/", log);
+      // Then
+      assertAuthConfig(authConfig, "testuser", "testpass");
+    } finally {
+      EnvUtil.overrideEnvGetter(System::getenv);
     }
-
-    @Test
-    void getStandardAuthConfigFromMavenSettings() throws IOException {
-        // Given
-        List<RegistryServerConfiguration> settings = new ArrayList<>();
-        settings.add(RegistryServerConfiguration.builder()
-                .id("testregistry.io")
-                .username("testuser")
-                .password("testpass")
-                .build());
-
-        // When
-        DockerAuthConfigFactory authConfigFactory = new DockerAuthConfigFactory(log);
-        AuthConfig authConfig = authConfigFactory.createAuthConfig(true, true, Collections.emptyMap(), settings, "testuser", "testregistry.io", s -> s);
-
-        // Then
-        assertAuthConfig(authConfig, "testuser", "testpass");
+  }
+
+  @Test
+  void getStandardAuthConfigFromProperties() throws IOException {
+    // Given
+    System.setProperty("jkube.docker.username", "testuser");
+    System.setProperty("jkube.docker.password", "testpass");
+    try {
+      // When
+      DockerAuthConfigFactory authConfigFactory = new DockerAuthConfigFactory(log);
+      AuthConfig authConfig = authConfigFactory.createAuthConfig(true, true, Collections.emptyMap(), Collections.emptyList(), "testuser", "testregistry.io", s -> s);
+      // Then
+      assertAuthConfig(authConfig, "testuser", "testpass");
+    } finally {
+      System.clearProperty("jkube.docker.username");
+      System.clearProperty("jkube.docker.password");
     }
-
-    @Test
-    void getAuthConfigViaAwsSdk() throws IOException {
-        String accessKeyId = randomUUID().toString();
-        String secretAccessKey = randomUUID().toString();
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(AuthConfig.builder()
+  }
+
+  @Test
+  void getStandardAuthConfigFromMavenSettings() throws IOException {
+    // Given
+    List<RegistryServerConfiguration> settings = new ArrayList<>();
+    settings.add(RegistryServerConfiguration.builder()
+        .id("testregistry.io")
+        .username("testuser")
+        .password("testpass")
+        .build());
+
+    // When
+    DockerAuthConfigFactory authConfigFactory = new DockerAuthConfigFactory(log);
+    AuthConfig authConfig = authConfigFactory.createAuthConfig(true, true, Collections.emptyMap(), settings, "testuser", "testregistry.io", s -> s);
+
+    // Then
+    assertAuthConfig(authConfig, "testuser", "testpass");
+  }
+
+  @Test
+  void getAuthConfigViaAwsSdk() throws IOException {
+    String accessKeyId = randomUUID().toString();
+    String secretAccessKey = randomUUID().toString();
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(AuthConfig.builder()
             .username(accessKeyId)
             .password(secretAccessKey)
             .build()))
-        ) {
-            when(awsSdkHelper.isDefaultAWSCredentialsProviderChainPresentInClassPath()).thenReturn(true);
+    ) {
+      when(mockAwsSdkAuthHelper.isAwsSdkAvailable()).thenReturn(true);
 
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
 
-            verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, null);
-        }
+      verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, null);
     }
-
-    @Test
-    void ecsTaskRole() throws IOException {
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(null))
-        ) {
-            String containerCredentialsUri = "/v2/credentials/" + randomUUID();
-            String accessKeyId = randomUUID().toString();
-            String secretAccessKey = randomUUID().toString();
-            String sessionToken = randomUUID().toString();
-            givenEcsMetadataService(containerCredentialsUri, accessKeyId, secretAccessKey, sessionToken);
-            setupEcsMetadataConfiguration(httpServer, containerCredentialsUri);
-
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
-
-            verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
-        }
+  }
+
+  @Test
+  void ecsTaskRole() throws IOException {
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(null))
+    ) {
+      String containerCredentialsUri = "/v2/credentials/" + randomUUID();
+      String accessKeyId = randomUUID().toString();
+      String secretAccessKey = randomUUID().toString();
+      String sessionToken = randomUUID().toString();
+      givenEcsMetadataService(containerCredentialsUri, accessKeyId, secretAccessKey, sessionToken);
+      setupEcsMetadataConfiguration(httpServer, containerCredentialsUri);
+
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+
+      verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
     }
-
-    @Test
-    void fargateTaskRole() throws IOException {
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(null))
-        ) {
-            String containerCredentialsUri = "v2/credentials/" + randomUUID();
-            String accessKeyId = randomUUID().toString();
-            String secretAccessKey = randomUUID().toString();
-            String sessionToken = randomUUID().toString();
-            givenEcsMetadataService("/" + containerCredentialsUri, accessKeyId, secretAccessKey, sessionToken);
-            setupEcsMetadataConfiguration(httpServer, containerCredentialsUri);
-
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
-
-            verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
-        }
+  }
+
+  @Test
+  void fargateTaskRole() throws IOException {
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(null))
+    ) {
+      String containerCredentialsUri = "v2/credentials/" + randomUUID();
+      String accessKeyId = randomUUID().toString();
+      String secretAccessKey = randomUUID().toString();
+      String sessionToken = randomUUID().toString();
+      givenEcsMetadataService("/" + containerCredentialsUri, accessKeyId, secretAccessKey, sessionToken);
+      setupEcsMetadataConfiguration(httpServer, containerCredentialsUri);
+
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+
+      verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
     }
-
-    @Test
-    void awsTemporaryCredentialsArePickedUpFromEnvironment() throws IOException {
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(null))
-        ) {
-            String accessKeyId = randomUUID().toString();
-            String secretAccessKey = randomUUID().toString();
-            String sessionToken = randomUUID().toString();
-            when(awsSdkHelper.getAwsAccessKeyIdEnvVar()).thenReturn(accessKeyId);
-            when(awsSdkHelper.getAwsSecretAccessKeyEnvVar()).thenReturn(secretAccessKey);
-            when(awsSdkHelper.getAwsSessionTokenEnvVar()).thenReturn(sessionToken);
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
-
-            verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
-        }
+  }
+
+  @Test
+  void awsTemporaryCredentialsArePickedUpFromEnvironment() throws IOException {
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(null))
+    ) {
+      String accessKeyId = randomUUID().toString();
+      String secretAccessKey = randomUUID().toString();
+      String sessionToken = randomUUID().toString();
+      when(mockAwsSdkAuthHelper.getAwsAccessKeyIdEnvVar()).thenReturn(accessKeyId);
+      when(mockAwsSdkAuthHelper.getAwsSecretAccessKeyEnvVar()).thenReturn(secretAccessKey);
+      when(mockAwsSdkAuthHelper.getAwsSessionTokenEnvVar()).thenReturn(sessionToken);
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+
+      verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, sessionToken);
     }
+  }
 
-    @Test
-    void awsStaticCredentialsArePickedUpFromEnvironment() throws IOException {
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(null))
-        ) {
-            String accessKeyId = randomUUID().toString();
-            String secretAccessKey = randomUUID().toString();
-            when(awsSdkHelper.getAwsAccessKeyIdEnvVar()).thenReturn(accessKeyId);
-            when(awsSdkHelper.getAwsSecretAccessKeyEnvVar()).thenReturn(secretAccessKey);
+  @Test
+  void awsStaticCredentialsArePickedUpFromEnvironment() throws IOException {
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(null))
+    ) {
+      String accessKeyId = randomUUID().toString();
+      String secretAccessKey = randomUUID().toString();
+      when(mockAwsSdkAuthHelper.getAwsAccessKeyIdEnvVar()).thenReturn(accessKeyId);
+      when(mockAwsSdkAuthHelper.getAwsSecretAccessKeyEnvVar()).thenReturn(secretAccessKey);
 
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
 
-            verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, null);
-        }
+      verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, null);
     }
+  }
 
-    @Test
-    void incompleteAwsCredentialsAreIgnored() throws IOException {
-        try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
-          when(mock.createAuthConfig()).thenReturn(null));
+  @Test
+  void incompleteAwsCredentialsAreIgnored() throws IOException {
+    try (MockedConstruction<AwsSdkAuthConfigFactory> ignored = mockConstruction(AwsSdkAuthConfigFactory.class, (mock, ctx) ->
+        when(mock.createAuthConfig()).thenReturn(null));
          MockedStatic<DockerFileUtil> dfu = mockStatic(DockerFileUtil.class)
-        ) {
-            System.setProperty("AWS_ACCESS_KEY_ID", randomUUID().toString());
-            dfu.when(DockerFileUtil::readDockerConfig).thenReturn(null);
+    ) {
+      System.setProperty("AWS_ACCESS_KEY_ID", randomUUID().toString());
+      dfu.when(DockerFileUtil::readDockerConfig).thenReturn(null);
 
-            AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
+      AuthConfig authConfig = factory.createAuthConfig(false, true, null, Collections.emptyList(), "user", ECR_NAME, s -> s);
 
-            assertThat(authConfig).isNull();
-        } finally {
-            System.clearProperty("AWS_ACCESS_KEY_ID");
-        }
+      assertThat(authConfig).isNull();
+    } finally {
+      System.clearProperty("AWS_ACCESS_KEY_ID");
     }
-
-    private void givenEcsMetadataService(String containerCredentialsUri, String accessKeyId, String secretAccessKey, String sessionToken) throws IOException {
-        httpServer =
-                ServerBootstrap.bootstrap()
-                        .setLocalAddress(InetAddress.getLoopbackAddress())
-                        .registerHandler("*", (request, response, context) -> {
-                            System.out.println("REQUEST: " + request.getRequestLine());
-                            if (containerCredentialsUri.matches(request.getRequestLine().getUri())) {
-                                Map<String, String> credentials = new HashMap<>();
-                                credentials.put("AccessKeyId", accessKeyId);
-                                credentials.put("SecretAccessKey", secretAccessKey);
-                                credentials.put("Token", sessionToken);
-                                response.setEntity(new StringEntity(gsonBuilder.create().toJson(credentials)));
-                            } else {
-                                response.setStatusCode(SC_NOT_FOUND);
-                            }
-                        })
-                        .create();
-        httpServer.start();
-    }
-
-    private void setupEcsMetadataConfiguration(HttpServer httpServer, String containerCredentialsUri) {
-        when(awsSdkHelper.getEcsMetadataEndpoint()).thenReturn("http://" +
-                httpServer.getInetAddress().getHostAddress()+":" + httpServer.getLocalPort());
-        when(awsSdkHelper.getAwsContainerCredentialsRelativeUri()).thenReturn(containerCredentialsUri);
+  }
+
+  private void givenEcsMetadataService(String containerCredentialsUri, String accessKeyId, String secretAccessKey, String sessionToken) throws IOException {
+    httpServer =
+        ServerBootstrap.bootstrap()
+            .setLocalAddress(InetAddress.getLoopbackAddress())
+            .registerHandler("*", (request, response, context) -> {
+              System.out.println("REQUEST: " + request.getRequestLine());
+              if (containerCredentialsUri.matches(request.getRequestLine().getUri())) {
+                Map<String, String> credentials = new HashMap<>();
+                credentials.put("AccessKeyId", accessKeyId);
+                credentials.put("SecretAccessKey", secretAccessKey);
+                credentials.put("Token", sessionToken);
+                response.setEntity(new StringEntity(gsonBuilder.create().toJson(credentials)));
+              } else {
+                response.setStatusCode(SC_NOT_FOUND);
+              }
+            })
+            .create();
+    httpServer.start();
+  }
+
+  private void setupEcsMetadataConfiguration(HttpServer httpServer, String containerCredentialsUri) {
+    when(mockAwsSdkAuthHelper.getEcsMetadataEndpoint()).thenReturn("http://" +
+        httpServer.getInetAddress().getHostAddress() + ":" + httpServer.getLocalPort());
+    when(mockAwsSdkAuthHelper.getAwsContainerCredentialsRelativeUri()).thenReturn(containerCredentialsUri);
+  }
+
+  private void verifyAuthConfig(AuthConfig config, String username, String password, String auth) {
+    assertThat(config).isNotNull();
+    JsonObject params = gsonBuilder.create().fromJson(new String(Base64.decodeBase64(config.toHeaderValue(log).getBytes())), JsonObject.class);
+    assertThat(params)
+        .returns(username, p -> p.get("username").getAsString())
+        .returns(password, p -> p.get("password").getAsString());
+    if (auth != null) {
+      assertThat(params.get("auth").getAsString()).isEqualTo(auth);
     }
+  }
 
-    private void verifyAuthConfig(AuthConfig config, String username, String password, String auth) {
-        assertThat(config).isNotNull();
-        JsonObject params = gsonBuilder.create().fromJson(new String(Base64.decodeBase64(config.toHeaderValue(log).getBytes())), JsonObject.class);
-        assertThat(params)
-                .returns(username, p -> p.get("username").getAsString())
-                .returns(password, p -> p.get("password").getAsString());
-        if (auth != null) {
-            assertThat(params.get("auth").getAsString()).isEqualTo(auth);
-        }
-    }
-
-    private void assertAuthConfig(AuthConfig authConfig, String username, String password) {
-        assertThat(authConfig).isNotNull()
-                .hasFieldOrPropertyWithValue("username", username)
-                .hasFieldOrPropertyWithValue("password", password);
-    }
+  private void assertAuthConfig(AuthConfig authConfig, String username, String password) {
+    assertThat(authConfig).isNotNull()
+        .hasFieldOrPropertyWithValue("username", username)
+        .hasFieldOrPropertyWithValue("password", password);
+  }
 }
 
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkDockerAuthConfigFactoryTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkDockerAuthConfigFactoryTest.java
index 7967bca560..644c159a41 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkDockerAuthConfigFactoryTest.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkDockerAuthConfigFactoryTest.java
@@ -12,6 +12,7 @@
  *   Red Hat, Inc. - initial API and implementation
  */
 package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
 import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
 import org.eclipse.jkube.kit.common.KitLogger;
 import org.junit.jupiter.api.BeforeEach;
@@ -19,62 +20,84 @@
 
 import static java.util.UUID.randomUUID;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 class AwsSdkDockerAuthConfigFactoryTest {
-    private AwsSdkHelper awsSdkHelper;
-
-    private AwsSdkAuthConfigFactory objectUnderTest;
-
-    @BeforeEach
-    void setup() {
-        awsSdkHelper = mock(AwsSdkHelper.class);
-        objectUnderTest = new AwsSdkAuthConfigFactory(new KitLogger.SilentLogger(), awsSdkHelper);
-    }
-
-    @Test
-    void nullValueIsPassedOn() {
-        AuthConfig authConfig = objectUnderTest.createAuthConfig();
-
-        assertThat(authConfig).isNull();
-    }
-
-    @Test
-    void reflectionWorksForBasicCredentials() throws Exception {
-        String accessKey = randomUUID().toString();
-        String secretKey = randomUUID().toString();
-        Object credentials = new Object();
-        when(awsSdkHelper.getCredentialsFromDefaultAWSCredentialsProviderChain()).thenReturn(credentials);
-        when(awsSdkHelper.getAWSAccessKeyIdFromCredentials(any())).thenReturn(accessKey);
-        when(awsSdkHelper.getAwsSecretKeyFromCredentials(any())).thenReturn(secretKey);
-        AuthConfig authConfig = objectUnderTest.createAuthConfig();
-
-        assertThat(authConfig).isNotNull()
-                .hasFieldOrPropertyWithValue("username", accessKey)
-                .hasFieldOrPropertyWithValue("password", secretKey)
-                .hasFieldOrPropertyWithValue("auth", null)
-                .hasFieldOrPropertyWithValue("identityToken", null);
-    }
-
-    @Test
-    void reflectionWorksForSessionCredentials() throws Exception {
-        String accessKey = randomUUID().toString();
-        String secretKey = randomUUID().toString();
-        String sessionToken = randomUUID().toString();
-        Object credentials = new Object();
-        when(awsSdkHelper.getCredentialsFromDefaultAWSCredentialsProviderChain()).thenReturn(credentials);
-        when(awsSdkHelper.getAWSAccessKeyIdFromCredentials(any())).thenReturn(accessKey);
-        when(awsSdkHelper.getAwsSecretKeyFromCredentials(any())).thenReturn(secretKey);
-        when(awsSdkHelper.getSessionTokenFromCrendentials(any())).thenReturn(sessionToken);
-        AuthConfig authConfig = objectUnderTest.createAuthConfig();
-
-        assertThat(authConfig).isNotNull()
-                .hasFieldOrPropertyWithValue("username", accessKey)
-                .hasFieldOrPropertyWithValue("password", secretKey)
-                .hasFieldOrPropertyWithValue("auth", sessionToken)
-                .hasFieldOrPropertyWithValue("identityToken", null);
-    }
+  private AwsSdkAuthHelper mockDelegate;
+
+  private AwsSdkAuthConfigFactory objectUnderTest;
+
+  @BeforeEach
+  void setup() {
+    mockDelegate = mock(AwsSdkAuthHelper.class);
+    AwsSdkHelper awsSdkHelper = new AwsSdkHelper(mockDelegate);
+    objectUnderTest = new AwsSdkAuthConfigFactory(new KitLogger.SilentLogger(), awsSdkHelper);
+  }
+
+  @Test
+  void nullValueIsPassedOn() {
+    when(mockDelegate.getCredentialsFromDefaultCredentialsProvider()).thenReturn(null);
+
+    AuthConfig authConfig = objectUnderTest.createAuthConfig();
+
+    assertThat(authConfig).isNull();
+  }
+
+  @Test
+  void reflectionWorksForBasicCredentials() {
+    String accessKey = randomUUID().toString();
+    String secretKey = randomUUID().toString();
+    AuthConfig expectedAuthConfig = AuthConfig.builder()
+        .username(accessKey)
+        .password(secretKey)
+        .email("none")
+        .build();
+
+    when(mockDelegate.getCredentialsFromDefaultCredentialsProvider()).thenReturn(expectedAuthConfig);
+    when(mockDelegate.getSdkVersion()).thenReturn("v2");
+
+    AuthConfig authConfig = objectUnderTest.createAuthConfig();
+
+    assertThat(authConfig).isNotNull()
+        .hasFieldOrPropertyWithValue("username", accessKey)
+        .hasFieldOrPropertyWithValue("password", secretKey)
+        .hasFieldOrPropertyWithValue("auth", null)
+        .hasFieldOrPropertyWithValue("identityToken", null);
+  }
+
+  @Test
+  void reflectionWorksForSessionCredentials() {
+    String accessKey = randomUUID().toString();
+    String secretKey = randomUUID().toString();
+    String sessionToken = randomUUID().toString();
+    AuthConfig expectedAuthConfig = AuthConfig.builder()
+        .username(accessKey)
+        .password(secretKey)
+        .email("none")
+        .auth(sessionToken)
+        .build();
+
+    when(mockDelegate.getCredentialsFromDefaultCredentialsProvider()).thenReturn(expectedAuthConfig);
+    when(mockDelegate.getSdkVersion()).thenReturn("v2");
+
+    AuthConfig authConfig = objectUnderTest.createAuthConfig();
+
+    assertThat(authConfig).isNotNull()
+        .hasFieldOrPropertyWithValue("username", accessKey)
+        .hasFieldOrPropertyWithValue("password", secretKey)
+        .hasFieldOrPropertyWithValue("auth", sessionToken)
+        .hasFieldOrPropertyWithValue("identityToken", null);
+  }
+
+  @Test
+  void exceptionHandling_returnsNull() {
+    when(mockDelegate.getCredentialsFromDefaultCredentialsProvider()).thenThrow(new RuntimeException("Test exception"));
+    when(mockDelegate.getSdkVersion()).thenReturn("v2");
+
+    AuthConfig authConfig = objectUnderTest.createAuthConfig();
+
+    assertThat(authConfig).isNull();
+  }
 
 }
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperTest.java
new file mode 100644
index 0000000000..46e102bb24
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperTest.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class AwsSdkHelperTest {
+  private AwsSdkAuthHelper mockDelegate;
+  private AwsSdkHelper awsSdkHelper;
+
+  @BeforeEach
+  void setUp() {
+    mockDelegate = mock(AwsSdkAuthHelper.class);
+    awsSdkHelper = new AwsSdkHelper(mockDelegate);
+  }
+
+  @Test
+  void isDefaultAWSCredentialsProviderChainPresentInClassPath_delegatesToHelper() {
+    when(mockDelegate.isAwsSdkAvailable()).thenReturn(true);
+
+    assertThat(awsSdkHelper.isDefaultAWSCredentialsProviderChainPresentInClassPath()).isTrue();
+  }
+
+  @Test
+  void getSdkVersion_delegatesToHelper() {
+    when(mockDelegate.getSdkVersion()).thenReturn("v2");
+
+    assertThat(awsSdkHelper.getSdkVersion()).isEqualTo("v2");
+  }
+
+  @Test
+  void getAwsAccessKeyIdEnvVar_delegatesToHelper() {
+    when(mockDelegate.getAwsAccessKeyIdEnvVar()).thenReturn("AKIAIOSFODNN7EXAMPLE");
+
+    assertThat(awsSdkHelper.getAwsAccessKeyIdEnvVar()).isEqualTo("AKIAIOSFODNN7EXAMPLE");
+  }
+
+  @Test
+  void getAwsSecretAccessKeyEnvVar_delegatesToHelper() {
+    when(mockDelegate.getAwsSecretAccessKeyEnvVar()).thenReturn("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+
+    assertThat(awsSdkHelper.getAwsSecretAccessKeyEnvVar()).isEqualTo("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+  }
+
+  @Test
+  void getAwsSessionTokenEnvVar_delegatesToHelper() {
+    when(mockDelegate.getAwsSessionTokenEnvVar()).thenReturn("sessionToken");
+
+    assertThat(awsSdkHelper.getAwsSessionTokenEnvVar()).isEqualTo("sessionToken");
+  }
+
+  @Test
+  void getAwsContainerCredentialsRelativeUri_delegatesToHelper() {
+    when(mockDelegate.getAwsContainerCredentialsRelativeUri()).thenReturn("/v2/credentials");
+
+    assertThat(awsSdkHelper.getAwsContainerCredentialsRelativeUri()).isEqualTo("/v2/credentials");
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_delegatesToHelper() {
+    when(mockDelegate.getEcsMetadataEndpoint()).thenReturn("http://169.254.170.2");
+
+    assertThat(awsSdkHelper.getEcsMetadataEndpoint()).isEqualTo("http://169.254.170.2");
+  }
+
+  @Test
+  void getAuthConfigFromDefaultCredentialsProvider_delegatesToHelper() {
+    AuthConfig expectedConfig = AuthConfig.builder()
+        .username("AKIAIOSFODNN7EXAMPLE")
+        .password("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
+        .build();
+    when(mockDelegate.getCredentialsFromDefaultCredentialsProvider()).thenReturn(expectedConfig);
+
+    AuthConfig result = awsSdkHelper.getAuthConfigFromDefaultCredentialsProvider();
+
+    assertThat(result).isEqualTo(expectedConfig);
+  }
+
+  @Test
+  void getCredentialsFromDefaultAWSCredentialsProviderChain_throwsUnsupportedOperationException() {
+    assertThatThrownBy(() -> awsSdkHelper.getCredentialsFromDefaultAWSCredentialsProviderChain())
+        .isInstanceOf(UnsupportedOperationException.class)
+        .hasMessageContaining("deprecated");
+  }
+
+  @Test
+  void getSessionTokenFromCrendentials_throwsUnsupportedOperationException() {
+    assertThatThrownBy(() -> awsSdkHelper.getSessionTokenFromCrendentials(new Object()))
+        .isInstanceOf(UnsupportedOperationException.class)
+        .hasMessageContaining("deprecated");
+  }
+
+  @Test
+  void getAWSAccessKeyIdFromCredentials_throwsUnsupportedOperationException() {
+    assertThatThrownBy(() -> awsSdkHelper.getAWSAccessKeyIdFromCredentials(new Object()))
+        .isInstanceOf(UnsupportedOperationException.class)
+        .hasMessageContaining("deprecated");
+  }
+
+  @Test
+  void getAwsSecretKeyFromCredentials_throwsUnsupportedOperationException() {
+    assertThatThrownBy(() -> awsSdkHelper.getAwsSecretKeyFromCredentials(new Object()))
+        .isInstanceOf(UnsupportedOperationException.class)
+        .hasMessageContaining("deprecated");
+  }
+
+  @Test
+  void constructor_withoutArguments_createsHelperBasedOnClasspath() {
+    // This test verifies that the default constructor works
+    // The actual SDK detection is tested in the v1/v2 specific tests
+    AwsSdkHelper helper = new AwsSdkHelper();
+    assertThat(helper).isNotNull();
+    assertThat(helper.getSdkVersion()).isIn("v1", "v2");
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
new file mode 100644
index 0000000000..fefd63c9c7
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for AwsSdkHelperV1.
+ * Note: These tests verify the helper's behavior when AWS SDK v1 classes are NOT available.
+ * Full integration testing with actual AWS SDK v1 would require adding the dependency.
+ */
+class AwsSdkHelperV1Test {
+  private AwsSdkHelperV1 helper;
+
+  @BeforeEach
+  void setUp() {
+    helper = new AwsSdkHelperV1();
+  }
+
+  @Test
+  void getSdkVersion_returnsV1() {
+    assertThat(helper.getSdkVersion()).isEqualTo("v1");
+  }
+
+  @Test
+  void isAwsSdkAvailable_returnsFalseWhenSdkNotInClasspath() {
+    // AWS SDK v1 is not in the test classpath
+    assertThat(helper.isAwsSdkAvailable()).isFalse();
+  }
+
+  @Test
+  void getAwsAccessKeyIdEnvVar_returnsEnvironmentVariable() {
+    // This test relies on the actual environment, but shows the method works
+    String value = helper.getAwsAccessKeyIdEnvVar();
+    // Value can be null if env var is not set
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSecretAccessKeyEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSecretAccessKeyEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSessionTokenEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSessionTokenEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
+    String value = helper.getAwsContainerCredentialsRelativeUri();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_returnsDefaultWhenEnvVarNotSet() {
+    // Assuming ECS_METADATA_ENDPOINT is not set in test environment
+    String endpoint = helper.getEcsMetadataEndpoint();
+    // Should return either the env var value or the default
+    assertThat(endpoint).matches("^http://.*");
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_returnsNullWhenSdkNotAvailable() {
+    // When AWS SDK v1 is not in classpath, should return null
+    AuthConfig result = helper.getCredentialsFromDefaultCredentialsProvider();
+    assertThat(result).isNull();
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
new file mode 100644
index 0000000000..c71336d4a2
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for AwsSdkHelperV2.
+ * Note: These tests verify the helper's behavior when AWS SDK v2 classes are NOT available.
+ * Full integration testing with actual AWS SDK v2 would require adding the dependency.
+ */
+class AwsSdkHelperV2Test {
+  private AwsSdkHelperV2 helper;
+
+  @BeforeEach
+  void setUp() {
+    helper = new AwsSdkHelperV2();
+  }
+
+  @Test
+  void getSdkVersion_returnsV2() {
+    assertThat(helper.getSdkVersion()).isEqualTo("v2");
+  }
+
+  @Test
+  void isAwsSdkAvailable_returnsFalseWhenSdkNotInClasspath() {
+    // AWS SDK v2 is not in the test classpath
+    assertThat(helper.isAwsSdkAvailable()).isFalse();
+  }
+
+  @Test
+  void getAwsAccessKeyIdEnvVar_returnsEnvironmentVariable() {
+    // This test relies on the actual environment, but shows the method works
+    String value = helper.getAwsAccessKeyIdEnvVar();
+    // Value can be null if env var is not set
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSecretAccessKeyEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSecretAccessKeyEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSessionTokenEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSessionTokenEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
+    String value = helper.getAwsContainerCredentialsRelativeUri();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_returnsDefaultWhenEnvVarNotSet() {
+    // Assuming ECS_METADATA_ENDPOINT is not set in test environment
+    String endpoint = helper.getEcsMetadataEndpoint();
+    // Should return either the env var value or the default
+    assertThat(endpoint).matches("^http://.*");
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_returnsNullWhenSdkNotAvailable() {
+    // When AWS SDK v2 is not in classpath, should return null
+    AuthConfig result = helper.getCredentialsFromDefaultCredentialsProvider();
+    assertThat(result).isNull();
+  }
+}

From 54fed51bd0e7fadacdf43e527059d304e0f0ea95 Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Wed, 26 Nov 2025 14:11:06 +0530
Subject: [PATCH 2/7] feat(auth) - update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc3fd838b9..e5e1981841 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ Usage:
 * Fix #3591: Fix windows line endings for yaml literal blocks, json serialization config updated
 * Fix #3781: Native Generator does not work in Windows system, always finds multiple native executable
 * Fix #2286: Remove Guava dependency where ever possible
+* Fix #3732: ECR registry Auth with AWS SDK java v2
 
 ### 1.18.2 (2025-11-03)
 * Fix #3750: Remove unneeded XMLUtil.createNewDocument method

From 5aaa6a141890e981da1cbe468325c278d8c5bf34 Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Thu, 27 Nov 2025 12:10:51 +0530
Subject: [PATCH 3/7] Add more tests

---
 .../docker/auth/ecr/AbstractAwsSdkHelper.java |  56 ++++++
 .../docker/auth/ecr/AwsSdkHelperV1.java       |  45 +----
 .../docker/auth/ecr/AwsSdkHelperV2.java       |  46 +----
 .../com/amazonaws/auth/AWSCredentials.java    |  10 +
 .../amazonaws/auth/AWSSessionCredentials.java |   9 +
 .../amazonaws/auth/BasicAWSCredentials.java   |  25 +++
 .../auth/BasicSessionCredentials.java         |  32 +++
 .../DefaultAWSCredentialsProviderChain.java   |  37 ++++
 .../auth/EnvironmentVariablesTestUtil.java    | 106 ++++++++++
 .../auth/ecr/AbstractAwsSdkHelperTest.java    | 184 ++++++++++++++++++
 .../docker/auth/ecr/AwsSdkHelperV1Test.java   | 162 +++++++++++++--
 .../docker/auth/ecr/AwsSdkHelperV2Test.java   | 164 ++++++++++++++--
 .../auth/credentials/AwsBasicCredentials.java |  29 +++
 .../auth/credentials/AwsCredentials.java      |  11 ++
 .../credentials/AwsSessionCredentials.java    |   9 +
 .../AwsSessionCredentialsImpl.java            |  36 ++++
 .../DefaultCredentialsProvider.java           |  41 ++++
 17 files changed, 886 insertions(+), 116 deletions(-)
 create mode 100644 jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSSessionCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicAWSCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicSessionCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/EnvironmentVariablesTestUtil.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentialsImpl.java
 create mode 100644 jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java

diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
new file mode 100644
index 0000000000..467b6f4325
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+/**
+ * Abstract base class for AWS SDK helpers.
+ * Contains common functionality shared between AWS SDK v1 and v2 helpers.
+ */
+abstract class AbstractAwsSdkHelper implements AwsSdkAuthHelper {
+  protected static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
+  protected static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
+  protected static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
+  protected static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+  protected static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
+  protected static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
+
+  @Override
+  public String getAwsAccessKeyIdEnvVar() {
+    return System.getenv(ACCESS_KEY_ID);
+  }
+
+  @Override
+  public String getAwsSecretAccessKeyEnvVar() {
+    return System.getenv(SECRET_ACCESS_KEY);
+  }
+
+  @Override
+  public String getAwsSessionTokenEnvVar() {
+    return System.getenv(SESSION_TOKEN);
+  }
+
+  @Override
+  public String getAwsContainerCredentialsRelativeUri() {
+    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
+  }
+
+  @Override
+  public String getEcsMetadataEndpoint() {
+    String endpoint = System.getenv(METADATA_ENDPOINT);
+    if (endpoint == null) {
+      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
+    }
+    return endpoint;
+  }
+}
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
index a7b26ca09a..8fe0a1f69b 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1.java
@@ -21,13 +21,7 @@
  * AWS SDK v1 authentication helper.
  * Uses reflection to avoid hard dependency on AWS SDK v1.
  */
-public class AwsSdkHelperV1 implements AwsSdkAuthHelper {
-  private static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
-  private static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
-  private static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
-  private static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
-  private static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
-  private static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
+public class AwsSdkHelperV1 extends AbstractAwsSdkHelper {
   private static final String DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN = "com.amazonaws.auth.DefaultAWSCredentialsProviderChain";
   private static final String AWS_SESSION_CREDENTIALS = "com.amazonaws.auth.AWSSessionCredentials";
   private static final String AWS_CREDENTIALS = "com.amazonaws.auth.AWSCredentials";
@@ -47,35 +41,6 @@ public String getSdkVersion() {
     return "v1";
   }
 
-  @Override
-  public String getAwsAccessKeyIdEnvVar() {
-    return System.getenv(ACCESS_KEY_ID);
-  }
-
-  @Override
-  public String getAwsSecretAccessKeyEnvVar() {
-    return System.getenv(SECRET_ACCESS_KEY);
-  }
-
-  @Override
-  public String getAwsSessionTokenEnvVar() {
-    return System.getenv(SESSION_TOKEN);
-  }
-
-  @Override
-  public String getAwsContainerCredentialsRelativeUri() {
-    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
-  }
-
-  @Override
-  public String getEcsMetadataEndpoint() {
-    String endpoint = System.getenv(METADATA_ENDPOINT);
-    if (endpoint == null) {
-      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
-    }
-    return endpoint;
-  }
-
   @Override
   public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
     try {
@@ -96,24 +61,24 @@ public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
     }
   }
 
-  private Object getCredentialsFromDefaultAWSCredentialsProviderChain() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
+  Object getCredentialsFromDefaultAWSCredentialsProviderChain() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
     Class<?> credentialsProviderChainClass = Class.forName(DEFAULT_AWSCREDENTIALS_PROVIDER_CHAIN);
     Object credentialsProviderChain = credentialsProviderChainClass.getDeclaredConstructor().newInstance();
     return credentialsProviderChainClass.getMethod("getCredentials").invoke(credentialsProviderChain);
   }
 
-  private String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> sessionCredentialsClass = Class.forName(AWS_SESSION_CREDENTIALS);
     return sessionCredentialsClass.isInstance(credentials)
         ? (String) sessionCredentialsClass.getMethod("getSessionToken").invoke(credentials) : null;
   }
 
-  private String getAWSAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getAWSAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
     return (String) credentialsClass.getMethod("getAWSAccessKeyId").invoke(credentials);
   }
 
-  private String getAwsSecretKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getAwsSecretKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
     return (String) credentialsClass.getMethod("getAWSSecretKey").invoke(credentials);
   }
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
index 70cf39671a..f889cbe2a7 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2.java
@@ -22,14 +22,7 @@
  * AWS SDK v2 authentication helper.
  * Uses reflection to avoid hard dependency on AWS SDK v2.
  */
-public class AwsSdkHelperV2 implements AwsSdkAuthHelper {
-  private static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
-  private static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
-  private static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
-  private static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
-  private static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
-  private static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
-
+public class AwsSdkHelperV2 extends AbstractAwsSdkHelper {
   // AWS SDK v2 class names
   private static final String DEFAULT_CREDENTIALS_PROVIDER = "software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider";
   private static final String AWS_SESSION_CREDENTIALS = "software.amazon.awssdk.auth.credentials.AwsSessionCredentials";
@@ -50,35 +43,6 @@ public String getSdkVersion() {
     return "v2";
   }
 
-  @Override
-  public String getAwsAccessKeyIdEnvVar() {
-    return System.getenv(ACCESS_KEY_ID);
-  }
-
-  @Override
-  public String getAwsSecretAccessKeyEnvVar() {
-    return System.getenv(SECRET_ACCESS_KEY);
-  }
-
-  @Override
-  public String getAwsSessionTokenEnvVar() {
-    return System.getenv(SESSION_TOKEN);
-  }
-
-  @Override
-  public String getAwsContainerCredentialsRelativeUri() {
-    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
-  }
-
-  @Override
-  public String getEcsMetadataEndpoint() {
-    String endpoint = System.getenv(METADATA_ENDPOINT);
-    if (endpoint == null) {
-      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
-    }
-    return endpoint;
-  }
-
   @Override
   public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
     try {
@@ -104,7 +68,7 @@ public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
    * Uses reflection to call:
    * DefaultCredentialsProvider.create().resolveCredentials()
    */
-  private Object getCredentialsFromDefaultProvider() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  Object getCredentialsFromDefaultProvider() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> providerClass = Class.forName(DEFAULT_CREDENTIALS_PROVIDER);
 
     // Call DefaultCredentialsProvider.create()
@@ -120,7 +84,7 @@ private Object getCredentialsFromDefaultProvider() throws ClassNotFoundException
    * Get session token from AWS SDK v2 credentials if they are session credentials.
    * Returns null if credentials don't have a session token.
    */
-  private String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getSessionTokenFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> sessionCredentialsClass = Class.forName(AWS_SESSION_CREDENTIALS);
     if (sessionCredentialsClass.isInstance(credentials)) {
       Method sessionTokenMethod = sessionCredentialsClass.getMethod("sessionToken");
@@ -133,7 +97,7 @@ private String getSessionTokenFromCredentials(Object credentials) throws ClassNo
    * Get access key ID from AWS SDK v2 credentials.
    * Calls credentials.accessKeyId()
    */
-  private String getAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getAccessKeyIdFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
     Method accessKeyIdMethod = credentialsClass.getMethod("accessKeyId");
     return (String) accessKeyIdMethod.invoke(credentials);
@@ -143,7 +107,7 @@ private String getAccessKeyIdFromCredentials(Object credentials) throws ClassNot
    * Get secret access key from AWS SDK v2 credentials.
    * Calls credentials.secretAccessKey()
    */
-  private String getSecretAccessKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
+  String getSecretAccessKeyFromCredentials(Object credentials) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
     Class<?> credentialsClass = Class.forName(AWS_CREDENTIALS);
     Method secretAccessKeyMethod = credentialsClass.getMethod("secretAccessKey");
     return (String) secretAccessKeyMethod.invoke(credentials);
diff --git a/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSCredentials.java b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSCredentials.java
new file mode 100644
index 0000000000..c5f6f0db35
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSCredentials.java
@@ -0,0 +1,10 @@
+/*
+ * Mock AWS SDK v1 class for testing purposes only.
+ * Simulates com.amazonaws.auth.AWSCredentials interface.
+ */
+package com.amazonaws.auth;
+
+public interface AWSCredentials {
+  String getAWSAccessKeyId();
+  String getAWSSecretKey();
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSSessionCredentials.java b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSSessionCredentials.java
new file mode 100644
index 0000000000..a1cb27fd40
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/AWSSessionCredentials.java
@@ -0,0 +1,9 @@
+/*
+ * Mock AWS SDK v1 class for testing purposes only.
+ * Simulates com.amazonaws.auth.AWSSessionCredentials interface.
+ */
+package com.amazonaws.auth;
+
+public interface AWSSessionCredentials extends AWSCredentials {
+  String getSessionToken();
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicAWSCredentials.java b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicAWSCredentials.java
new file mode 100644
index 0000000000..f2cfbd1dc6
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicAWSCredentials.java
@@ -0,0 +1,25 @@
+/*
+ * Mock AWS SDK v1 class for testing purposes only.
+ * Simulates com.amazonaws.auth.BasicAWSCredentials class.
+ */
+package com.amazonaws.auth;
+
+public class BasicAWSCredentials implements AWSCredentials {
+  private final String accessKey;
+  private final String secretKey;
+
+  public BasicAWSCredentials(String accessKey, String secretKey) {
+    this.accessKey = accessKey;
+    this.secretKey = secretKey;
+  }
+
+  @Override
+  public String getAWSAccessKeyId() {
+    return accessKey;
+  }
+
+  @Override
+  public String getAWSSecretKey() {
+    return secretKey;
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicSessionCredentials.java b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicSessionCredentials.java
new file mode 100644
index 0000000000..889008f719
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/BasicSessionCredentials.java
@@ -0,0 +1,32 @@
+/*
+ * Mock AWS SDK v1 class for testing purposes only.
+ * Simulates com.amazonaws.auth.BasicSessionCredentials class.
+ */
+package com.amazonaws.auth;
+
+public class BasicSessionCredentials implements AWSSessionCredentials {
+  private final String accessKey;
+  private final String secretKey;
+  private final String sessionToken;
+
+  public BasicSessionCredentials(String accessKey, String secretKey, String sessionToken) {
+    this.accessKey = accessKey;
+    this.secretKey = secretKey;
+    this.sessionToken = sessionToken;
+  }
+
+  @Override
+  public String getAWSAccessKeyId() {
+    return accessKey;
+  }
+
+  @Override
+  public String getAWSSecretKey() {
+    return secretKey;
+  }
+
+  @Override
+  public String getSessionToken() {
+    return sessionToken;
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java
new file mode 100644
index 0000000000..c226985137
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java
@@ -0,0 +1,37 @@
+/*
+ * Mock AWS SDK v1 class for testing purposes only.
+ * Simulates com.amazonaws.auth.DefaultAWSCredentialsProviderChain class.
+ */
+package com.amazonaws.auth;
+
+/**
+ * Mock implementation of AWS SDK v1 DefaultAWSCredentialsProviderChain.
+ * This is used for testing the reflection-based credential loading.
+ */
+public class DefaultAWSCredentialsProviderChain {
+  private final AWSCredentials credentials;
+
+  public DefaultAWSCredentialsProviderChain() {
+    // Return test credentials based on environment variables
+    String accessKey = System.getenv("AWS_ACCESS_KEY_ID");
+    String secretKey = System.getenv("AWS_SECRET_ACCESS_KEY");
+    String sessionToken = System.getenv("AWS_SESSION_TOKEN");
+
+    if (accessKey != null && secretKey != null) {
+      if (sessionToken != null) {
+        this.credentials = new BasicSessionCredentials(accessKey, secretKey, sessionToken);
+      } else {
+        this.credentials = new BasicAWSCredentials(accessKey, secretKey);
+      }
+    } else {
+      this.credentials = null;
+    }
+  }
+
+  public AWSCredentials getCredentials() {
+    if (credentials == null) {
+      throw new RuntimeException("Unable to load AWS credentials");
+    }
+    return credentials;
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/EnvironmentVariablesTestUtil.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/EnvironmentVariablesTestUtil.java
new file mode 100644
index 0000000000..62e91f5f49
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/EnvironmentVariablesTestUtil.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth;
+
+import java.lang.reflect.Field;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * Utility class for modifying environment variables in tests.
+ * Uses reflection to modify the environment map.
+ */
+public class EnvironmentVariablesTestUtil {
+
+  /**
+   * Sets an environment variable for testing purposes.
+   * This uses reflection to modify the environment map.
+   *
+   * @param key   the environment variable name
+   * @param value the environment variable value
+   */
+  @SuppressWarnings("unchecked")
+  public static void setEnvironmentVariable(String key, String value) {
+    try {
+      Map<String, String> env = System.getenv();
+      Class<?> cl = env.getClass();
+      Field field = cl.getDeclaredField("m");
+      field.setAccessible(true);
+      Map<String, String> writableEnv = (Map<String, String>) field.get(env);
+      writableEnv.put(key, value);
+    } catch (Exception e) {
+      try {
+        // Fallback approach for different JVM implementations
+        Class<?>[] classes = Collections.class.getDeclaredClasses();
+        Map<String, String> env = System.getenv();
+        for (Class<?> cl : classes) {
+          if (cl.isInstance(env)) {
+            Field field = cl.getDeclaredField("m");
+            field.setAccessible(true);
+            Object obj = field.get(env);
+            Map<String, String> map = (Map<String, String>) obj;
+            map.put(key, value);
+            break;
+          }
+        }
+      } catch (Exception e2) {
+        throw new RuntimeException("Failed to set environment variable", e2);
+      }
+    }
+  }
+
+  /**
+   * Clears an environment variable for testing purposes.
+   *
+   * @param key the environment variable name to clear
+   */
+  @SuppressWarnings("unchecked")
+  public static void clearEnvironmentVariable(String key) {
+    try {
+      Map<String, String> env = System.getenv();
+      Class<?> cl = env.getClass();
+      Field field = cl.getDeclaredField("m");
+      field.setAccessible(true);
+      Map<String, String> writableEnv = (Map<String, String>) field.get(env);
+      writableEnv.remove(key);
+    } catch (Exception e) {
+      try {
+        // Fallback approach
+        Class<?>[] classes = Collections.class.getDeclaredClasses();
+        Map<String, String> env = System.getenv();
+        for (Class<?> cl : classes) {
+          if (cl.isInstance(env)) {
+            Field field = cl.getDeclaredField("m");
+            field.setAccessible(true);
+            Object obj = field.get(env);
+            Map<String, String> map = (Map<String, String>) obj;
+            map.remove(key);
+            break;
+          }
+        }
+      } catch (Exception e2) {
+        throw new RuntimeException("Failed to clear environment variable", e2);
+      }
+    }
+  }
+
+  /**
+   * Sets multiple environment variables at once.
+   *
+   * @param variables map of variable names to values
+   */
+  public static void setEnvironmentVariables(Map<String, String> variables) {
+    variables.forEach(EnvironmentVariablesTestUtil::setEnvironmentVariable);
+  }
+}
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
new file mode 100644
index 0000000000..686940c4ec
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
@@ -0,0 +1,184 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.clearEnvironmentVariable;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.setEnvironmentVariable;
+
+/**
+ * Tests for AbstractAwsSdkHelper.
+ * Tests the common functionality shared between V1 and V2 implementations.
+ */
+class AbstractAwsSdkHelperTest {
+  private TestAwsSdkHelper helper;
+
+  @BeforeEach
+  void setUp() {
+    helper = new TestAwsSdkHelper();
+  }
+
+  @AfterEach
+  void tearDown() {
+    // Clean up test environment variables
+    try {
+      clearEnvironmentVariable("TEST_AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("TEST_AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
+      clearEnvironmentVariable("TEST_AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
+      clearEnvironmentVariable("TEST_ECS_METADATA_ENDPOINT");
+    } catch (Exception ignored) {
+      // Ignore failures on newer Java versions
+    }
+  }
+
+  @Test
+  void getAwsAccessKeyIdEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsAccessKeyIdEnvVar();
+    // Value can be null or have a value depending on environment
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsAccessKeyIdEnvVar_whenSet_returnsValue() {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "test-key-123");
+      String value = helper.getAwsAccessKeyIdEnvVar();
+      assertThat(value).isEqualTo("test-key-123");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getAwsSecretAccessKeyEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSecretAccessKeyEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSecretAccessKeyEnvVar_whenSet_returnsValue() {
+    try {
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "test-secret-456");
+      String value = helper.getAwsSecretAccessKeyEnvVar();
+      assertThat(value).isEqualTo("test-secret-456");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getAwsSessionTokenEnvVar_returnsEnvironmentVariable() {
+    String value = helper.getAwsSessionTokenEnvVar();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsSessionTokenEnvVar_whenSet_returnsValue() {
+    try {
+      setEnvironmentVariable("AWS_SESSION_TOKEN", "test-token-789");
+      String value = helper.getAwsSessionTokenEnvVar();
+      assertThat(value).isEqualTo("test-token-789");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
+    String value = helper.getAwsContainerCredentialsRelativeUri();
+    assertThat(value).satisfiesAnyOf(
+        v -> assertThat(v).isNull(),
+        v -> assertThat(v).isNotEmpty()
+    );
+  }
+
+  @Test
+  void getAwsContainerCredentialsRelativeUri_whenSet_returnsValue() {
+    try {
+      setEnvironmentVariable("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "/v2/credentials/test-uuid");
+      String value = helper.getAwsContainerCredentialsRelativeUri();
+      assertThat(value).isEqualTo("/v2/credentials/test-uuid");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_returnsDefaultOrEnvValue() {
+    String endpoint = helper.getEcsMetadataEndpoint();
+    // Should return either the env var value or the default
+    assertThat(endpoint).matches("^http://.*");
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_whenNotSet_returnsDefault() {
+    // This test verifies the default value when env var is not set
+    String endpoint = helper.getEcsMetadataEndpoint();
+    assertThat(endpoint).satisfiesAnyOf(
+        e -> assertThat(e).isEqualTo("http://169.254.170.2"),
+        e -> assertThat(e).startsWith("http://")
+    );
+  }
+
+  @Test
+  void getEcsMetadataEndpoint_whenSet_returnsEnvVarValue() {
+    try {
+      setEnvironmentVariable("ECS_METADATA_ENDPOINT", "http://custom-endpoint:8080");
+      String endpoint = helper.getEcsMetadataEndpoint();
+      assertThat(endpoint).isEqualTo("http://custom-endpoint:8080");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  /**
+   * Test implementation of AbstractAwsSdkHelper for testing purposes.
+   */
+  private static class TestAwsSdkHelper extends AbstractAwsSdkHelper {
+    @Override
+    public boolean isAwsSdkAvailable() {
+      return false;
+    }
+
+    @Override
+    public String getSdkVersion() {
+      return "test";
+    }
+
+    @Override
+    public AuthConfig getCredentialsFromDefaultCredentialsProvider() {
+      return null;
+    }
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
index fefd63c9c7..abd5206644 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
@@ -14,16 +14,14 @@
 package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
 
 import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.clearEnvironmentVariable;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.setEnvironmentVariable;
 
-/**
- * Tests for AwsSdkHelperV1.
- * Note: These tests verify the helper's behavior when AWS SDK v1 classes are NOT available.
- * Full integration testing with actual AWS SDK v1 would require adding the dependency.
- */
 class AwsSdkHelperV1Test {
   private AwsSdkHelperV1 helper;
 
@@ -32,22 +30,34 @@ void setUp() {
     helper = new AwsSdkHelperV1();
   }
 
+  @AfterEach
+  void tearDown() {
+    // Clean up after each test - try to clear but don't fail if not possible
+    try {
+      clearEnvironmentVariable("TEST_AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("TEST_AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
+    } catch (Exception ignored) {
+      // Ignore failures on newer Java versions
+    }
+  }
+
   @Test
   void getSdkVersion_returnsV1() {
     assertThat(helper.getSdkVersion()).isEqualTo("v1");
   }
 
   @Test
-  void isAwsSdkAvailable_returnsFalseWhenSdkNotInClasspath() {
-    // AWS SDK v1 is not in the test classpath
-    assertThat(helper.isAwsSdkAvailable()).isFalse();
+  void isAwsSdkAvailable_returnsTrue_whenMockClassesPresent() {
+    // With mock classes in test classpath, this should return true
+    assertThat(helper.isAwsSdkAvailable()).isTrue();
   }
 
   @Test
   void getAwsAccessKeyIdEnvVar_returnsEnvironmentVariable() {
-    // This test relies on the actual environment, but shows the method works
+    // Test that method correctly reads from environment
     String value = helper.getAwsAccessKeyIdEnvVar();
-    // Value can be null if env var is not set
+    // Value can be null or have a value depending on environment
     assertThat(value).satisfiesAnyOf(
         v -> assertThat(v).isNull(),
         v -> assertThat(v).isNotEmpty()
@@ -82,17 +92,135 @@ void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
   }
 
   @Test
-  void getEcsMetadataEndpoint_returnsDefaultWhenEnvVarNotSet() {
-    // Assuming ECS_METADATA_ENDPOINT is not set in test environment
-    String endpoint = helper.getEcsMetadataEndpoint();
+  void getEcsMetadataEndpoint_returnsValue() {
     // Should return either the env var value or the default
+    String endpoint = helper.getEcsMetadataEndpoint();
     assertThat(endpoint).matches("^http://.*");
   }
 
   @Test
-  void getCredentialsFromDefaultCredentialsProvider_returnsNullWhenSdkNotAvailable() {
-    // When AWS SDK v1 is not in classpath, should return null
-    AuthConfig result = helper.getCredentialsFromDefaultCredentialsProvider();
-    assertThat(result).isNull();
+  void getAWSAccessKeyIdFromCredentials_withBasicCredentials_returnsAccessKeyId() throws Exception {
+    com.amazonaws.auth.BasicAWSCredentials credentials =
+        new com.amazonaws.auth.BasicAWSCredentials("test-access-key", "test-secret-key");
+
+    String accessKeyId = helper.getAWSAccessKeyIdFromCredentials(credentials);
+
+    assertThat(accessKeyId).isEqualTo("test-access-key");
+  }
+
+  @Test
+  void getAwsSecretKeyFromCredentials_withBasicCredentials_returnsSecretKey() throws Exception {
+    com.amazonaws.auth.BasicAWSCredentials credentials =
+        new com.amazonaws.auth.BasicAWSCredentials("test-access-key", "test-secret-key");
+
+    String secretKey = helper.getAwsSecretKeyFromCredentials(credentials);
+
+    assertThat(secretKey).isEqualTo("test-secret-key");
+  }
+
+  @Test
+  void getSessionTokenFromCredentials_withBasicCredentials_returnsNull() throws Exception {
+    com.amazonaws.auth.BasicAWSCredentials credentials =
+        new com.amazonaws.auth.BasicAWSCredentials("test-access-key", "test-secret-key");
+
+    String sessionToken = helper.getSessionTokenFromCredentials(credentials);
+
+    assertThat(sessionToken).isNull();
+  }
+
+  @Test
+  void getSessionTokenFromCredentials_withSessionCredentials_returnsSessionToken() throws Exception {
+    com.amazonaws.auth.BasicSessionCredentials credentials =
+        new com.amazonaws.auth.BasicSessionCredentials("test-access-key", "test-secret-key", "test-session-token");
+
+    String sessionToken = helper.getSessionTokenFromCredentials(credentials);
+
+    assertThat(sessionToken).isEqualTo("test-session-token");
+  }
+
+  @Test
+  void getAWSAccessKeyIdFromCredentials_withSessionCredentials_returnsAccessKeyId() throws Exception {
+    com.amazonaws.auth.BasicSessionCredentials credentials =
+        new com.amazonaws.auth.BasicSessionCredentials("test-access-key", "test-secret-key", "test-session-token");
+
+    String accessKeyId = helper.getAWSAccessKeyIdFromCredentials(credentials);
+
+    assertThat(accessKeyId).isEqualTo("test-access-key");
+  }
+
+  @Test
+  void getAwsSecretKeyFromCredentials_withSessionCredentials_returnsSecretKey() throws Exception {
+    com.amazonaws.auth.BasicSessionCredentials credentials =
+        new com.amazonaws.auth.BasicSessionCredentials("test-access-key", "test-secret-key", "test-session-token");
+
+    String secretKey = helper.getAwsSecretKeyFromCredentials(credentials);
+
+    assertThat(secretKey).isEqualTo("test-secret-key");
+  }
+
+  @Test
+  void getCredentialsFromDefaultAWSCredentialsProviderChain_withEnvVars_returnsCredentials() throws Exception {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "env-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "env-secret-key");
+
+      Object credentials = helper.getCredentialsFromDefaultAWSCredentialsProviderChain();
+
+      assertThat(credentials).isNotNull();
+      assertThat(credentials).isInstanceOf(com.amazonaws.auth.AWSCredentials.class);
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_withBasicCredentials_returnsAuthConfig() {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "provider-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "provider-secret-key");
+
+      AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+
+      assertThat(authConfig).isNotNull();
+      assertThat(authConfig.getUsername()).isEqualTo("provider-access-key");
+      assertThat(authConfig.getPassword()).isEqualTo("provider-secret-key");
+      assertThat(authConfig.getEmail()).isEqualTo("none");
+      assertThat(authConfig.getAuth()).isNull();
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_withSessionCredentials_returnsAuthConfigWithToken() {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "provider-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "provider-secret-key");
+      setEnvironmentVariable("AWS_SESSION_TOKEN", "provider-session-token");
+
+      AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+
+      assertThat(authConfig).isNotNull();
+      assertThat(authConfig.getUsername()).isEqualTo("provider-access-key");
+      assertThat(authConfig.getPassword()).isEqualTo("provider-secret-key");
+      assertThat(authConfig.getEmail()).isEqualTo("none");
+      assertThat(authConfig.getAuth()).isEqualTo("provider-session-token");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_whenNoCredentialsInEnv_handlesGracefully() {
+    // Just test that it doesn't crash when credentials are not available
+    AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+    // Can be null or can have actual credentials depending on environment
+    assertThat(authConfig).satisfiesAnyOf(
+        ac -> assertThat(ac).isNull(),
+        ac -> assertThat(ac.getEmail()).isEqualTo("none")
+    );
   }
 }
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
index c71336d4a2..5d232d253c 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
@@ -14,16 +14,14 @@
 package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
 
 import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.clearEnvironmentVariable;
+import static org.eclipse.jkube.kit.build.service.docker.auth.EnvironmentVariablesTestUtil.setEnvironmentVariable;
 
-/**
- * Tests for AwsSdkHelperV2.
- * Note: These tests verify the helper's behavior when AWS SDK v2 classes are NOT available.
- * Full integration testing with actual AWS SDK v2 would require adding the dependency.
- */
 class AwsSdkHelperV2Test {
   private AwsSdkHelperV2 helper;
 
@@ -32,22 +30,34 @@ void setUp() {
     helper = new AwsSdkHelperV2();
   }
 
+  @AfterEach
+  void tearDown() {
+    // Clean up after each test - try to clear but don't fail if not possible
+    try {
+      clearEnvironmentVariable("TEST_AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("TEST_AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
+    } catch (Exception ignored) {
+      // Ignore failures on newer Java versions
+    }
+  }
+
   @Test
   void getSdkVersion_returnsV2() {
     assertThat(helper.getSdkVersion()).isEqualTo("v2");
   }
 
   @Test
-  void isAwsSdkAvailable_returnsFalseWhenSdkNotInClasspath() {
-    // AWS SDK v2 is not in the test classpath
-    assertThat(helper.isAwsSdkAvailable()).isFalse();
+  void isAwsSdkAvailable_returnsTrue_whenMockClassesPresent() {
+    // With mock classes in test classpath, this should return true
+    assertThat(helper.isAwsSdkAvailable()).isTrue();
   }
 
   @Test
   void getAwsAccessKeyIdEnvVar_returnsEnvironmentVariable() {
-    // This test relies on the actual environment, but shows the method works
+    // Test that method correctly reads from environment
     String value = helper.getAwsAccessKeyIdEnvVar();
-    // Value can be null if env var is not set
+    // Value can be null or have a value depending on environment
     assertThat(value).satisfiesAnyOf(
         v -> assertThat(v).isNull(),
         v -> assertThat(v).isNotEmpty()
@@ -82,17 +92,135 @@ void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
   }
 
   @Test
-  void getEcsMetadataEndpoint_returnsDefaultWhenEnvVarNotSet() {
-    // Assuming ECS_METADATA_ENDPOINT is not set in test environment
-    String endpoint = helper.getEcsMetadataEndpoint();
+  void getEcsMetadataEndpoint_returnsValue() {
     // Should return either the env var value or the default
+    String endpoint = helper.getEcsMetadataEndpoint();
     assertThat(endpoint).matches("^http://.*");
   }
 
   @Test
-  void getCredentialsFromDefaultCredentialsProvider_returnsNullWhenSdkNotAvailable() {
-    // When AWS SDK v2 is not in classpath, should return null
-    AuthConfig result = helper.getCredentialsFromDefaultCredentialsProvider();
-    assertThat(result).isNull();
+  void getAccessKeyIdFromCredentials_withBasicCredentials_returnsAccessKeyId() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsBasicCredentials credentials =
+        software.amazon.awssdk.auth.credentials.AwsBasicCredentials.create("test-access-key", "test-secret-key");
+
+    String accessKeyId = helper.getAccessKeyIdFromCredentials(credentials);
+
+    assertThat(accessKeyId).isEqualTo("test-access-key");
+  }
+
+  @Test
+  void getSecretAccessKeyFromCredentials_withBasicCredentials_returnsSecretKey() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsBasicCredentials credentials =
+        software.amazon.awssdk.auth.credentials.AwsBasicCredentials.create("test-access-key", "test-secret-key");
+
+    String secretKey = helper.getSecretAccessKeyFromCredentials(credentials);
+
+    assertThat(secretKey).isEqualTo("test-secret-key");
+  }
+
+  @Test
+  void getSessionTokenFromCredentials_withBasicCredentials_returnsNull() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsBasicCredentials credentials =
+        software.amazon.awssdk.auth.credentials.AwsBasicCredentials.create("test-access-key", "test-secret-key");
+
+    String sessionToken = helper.getSessionTokenFromCredentials(credentials);
+
+    assertThat(sessionToken).isNull();
+  }
+
+  @Test
+  void getSessionTokenFromCredentials_withSessionCredentials_returnsSessionToken() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl credentials =
+        software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl.create("test-access-key", "test-secret-key", "test-session-token");
+
+    String sessionToken = helper.getSessionTokenFromCredentials(credentials);
+
+    assertThat(sessionToken).isEqualTo("test-session-token");
+  }
+
+  @Test
+  void getAccessKeyIdFromCredentials_withSessionCredentials_returnsAccessKeyId() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl credentials =
+        software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl.create("test-access-key", "test-secret-key", "test-session-token");
+
+    String accessKeyId = helper.getAccessKeyIdFromCredentials(credentials);
+
+    assertThat(accessKeyId).isEqualTo("test-access-key");
+  }
+
+  @Test
+  void getSecretAccessKeyFromCredentials_withSessionCredentials_returnsSecretKey() throws Exception {
+    software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl credentials =
+        software.amazon.awssdk.auth.credentials.AwsSessionCredentialsImpl.create("test-access-key", "test-secret-key", "test-session-token");
+
+    String secretKey = helper.getSecretAccessKeyFromCredentials(credentials);
+
+    assertThat(secretKey).isEqualTo("test-secret-key");
+  }
+
+  @Test
+  void getCredentialsFromDefaultProvider_withEnvVars_returnsCredentials() throws Exception {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "env-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "env-secret-key");
+
+      Object credentials = helper.getCredentialsFromDefaultProvider();
+
+      assertThat(credentials).isNotNull();
+      assertThat(credentials).isInstanceOf(software.amazon.awssdk.auth.credentials.AwsCredentials.class);
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_withBasicCredentials_returnsAuthConfig() {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "provider-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "provider-secret-key");
+
+      AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+
+      assertThat(authConfig).isNotNull();
+      assertThat(authConfig.getUsername()).isEqualTo("provider-access-key");
+      assertThat(authConfig.getPassword()).isEqualTo("provider-secret-key");
+      assertThat(authConfig.getEmail()).isEqualTo("none");
+      assertThat(authConfig.getAuth()).isNull();
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_withSessionCredentials_returnsAuthConfigWithToken() {
+    try {
+      setEnvironmentVariable("AWS_ACCESS_KEY_ID", "provider-access-key");
+      setEnvironmentVariable("AWS_SECRET_ACCESS_KEY", "provider-secret-key");
+      setEnvironmentVariable("AWS_SESSION_TOKEN", "provider-session-token");
+
+      AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+
+      assertThat(authConfig).isNotNull();
+      assertThat(authConfig.getUsername()).isEqualTo("provider-access-key");
+      assertThat(authConfig.getPassword()).isEqualTo("provider-secret-key");
+      assertThat(authConfig.getEmail()).isEqualTo("none");
+      assertThat(authConfig.getAuth()).isEqualTo("provider-session-token");
+    } catch (RuntimeException e) {
+      // Skip test if environment modification not supported
+      org.junit.jupiter.api.Assumptions.assumeTrue(false, "Environment modification not supported");
+    }
+  }
+
+  @Test
+  void getCredentialsFromDefaultCredentialsProvider_whenNoCredentialsInEnv_handlesGracefully() {
+    // Just test that it doesn't crash when credentials are not available
+    AuthConfig authConfig = helper.getCredentialsFromDefaultCredentialsProvider();
+    // Can be null or can have actual credentials depending on environment
+    assertThat(authConfig).satisfiesAnyOf(
+        ac -> assertThat(ac).isNull(),
+        ac -> assertThat(ac.getEmail()).isEqualTo("none")
+    );
   }
-}
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
new file mode 100644
index 0000000000..673500aa27
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsBasicCredentials.java
@@ -0,0 +1,29 @@
+/*
+ * Mock AWS SDK v2 class for testing purposes only.
+ * Simulates AWS SDK v2 basic credentials.
+ */
+package software.amazon.awssdk.auth.credentials;
+
+public class AwsBasicCredentials implements AwsCredentials {
+  private final String accessKeyId;
+  private final String secretAccessKey;
+
+  public AwsBasicCredentials(String accessKeyId, String secretAccessKey) {
+    this.accessKeyId = accessKeyId;
+    this.secretAccessKey = secretAccessKey;
+  }
+
+  @Override
+  public String accessKeyId() {
+    return accessKeyId;
+  }
+
+  @Override
+  public String secretAccessKey() {
+    return secretAccessKey;
+  }
+
+  public static AwsBasicCredentials create(String accessKeyId, String secretAccessKey) {
+    return new AwsBasicCredentials(accessKeyId, secretAccessKey);
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java
new file mode 100644
index 0000000000..e2aa7dea9e
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsCredentials.java
@@ -0,0 +1,11 @@
+/*
+ * Mock AWS SDK v2 class for testing purposes only.
+ * Simulates software.amazon.awssdk.auth.credentials.AwsCredentials interface.
+ */
+package software.amazon.awssdk.auth.credentials;
+
+public interface AwsCredentials {
+  String accessKeyId();
+
+  String secretAccessKey();
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java
new file mode 100644
index 0000000000..cd6ed428c7
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentials.java
@@ -0,0 +1,9 @@
+/*
+ * Mock AWS SDK v2 class for testing purposes only.
+ * Simulates software.amazon.awssdk.auth.credentials.AwsSessionCredentials interface.
+ */
+package software.amazon.awssdk.auth.credentials;
+
+public interface AwsSessionCredentials extends AwsCredentials {
+  String sessionToken();
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentialsImpl.java b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentialsImpl.java
new file mode 100644
index 0000000000..ffc4d2ddb1
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/AwsSessionCredentialsImpl.java
@@ -0,0 +1,36 @@
+/*
+ * Mock AWS SDK v2 class for testing purposes only.
+ * Simulates AWS SDK v2 session credentials.
+ */
+package software.amazon.awssdk.auth.credentials;
+
+public class AwsSessionCredentialsImpl implements AwsSessionCredentials {
+  private final String accessKeyId;
+  private final String secretAccessKey;
+  private final String sessionToken;
+
+  public AwsSessionCredentialsImpl(String accessKeyId, String secretAccessKey, String sessionToken) {
+    this.accessKeyId = accessKeyId;
+    this.secretAccessKey = secretAccessKey;
+    this.sessionToken = sessionToken;
+  }
+
+  @Override
+  public String accessKeyId() {
+    return accessKeyId;
+  }
+
+  @Override
+  public String secretAccessKey() {
+    return secretAccessKey;
+  }
+
+  @Override
+  public String sessionToken() {
+    return sessionToken;
+  }
+
+  public static AwsSessionCredentialsImpl create(String accessKeyId, String secretAccessKey, String sessionToken) {
+    return new AwsSessionCredentialsImpl(accessKeyId, secretAccessKey, sessionToken);
+  }
+}
\ No newline at end of file
diff --git a/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java
new file mode 100644
index 0000000000..deeada3f1c
--- /dev/null
+++ b/jkube-kit/build/service/docker/src/test/java/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.java
@@ -0,0 +1,41 @@
+/*
+ * Mock AWS SDK v2 class for testing purposes only.
+ * Simulates software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider class.
+ */
+package software.amazon.awssdk.auth.credentials;
+
+/**
+ * Mock implementation of AWS SDK v2 DefaultCredentialsProvider.
+ * This is used for testing the reflection-based credential loading.
+ */
+public class DefaultCredentialsProvider {
+  private final AwsCredentials credentials;
+
+  private DefaultCredentialsProvider() {
+    // Return test credentials based on environment variables
+    String accessKey = System.getenv("AWS_ACCESS_KEY_ID");
+    String secretKey = System.getenv("AWS_SECRET_ACCESS_KEY");
+    String sessionToken = System.getenv("AWS_SESSION_TOKEN");
+
+    if (accessKey != null && secretKey != null) {
+      if (sessionToken != null) {
+        this.credentials = AwsSessionCredentialsImpl.create(accessKey, secretKey, sessionToken);
+      } else {
+        this.credentials = AwsBasicCredentials.create(accessKey, secretKey);
+      }
+    } else {
+      this.credentials = null;
+    }
+  }
+
+  public static DefaultCredentialsProvider create() {
+    return new DefaultCredentialsProvider();
+  }
+
+  public AwsCredentials resolveCredentials() {
+    if (credentials == null) {
+      throw new RuntimeException("Unable to load AWS credentials");
+    }
+    return credentials;
+  }
+}
\ No newline at end of file

From 1e801d188507ca17df24d2dfee79e5088b8e1a5d Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Thu, 27 Nov 2025 12:57:13 +0530
Subject: [PATCH 4/7] fix tests

---
 .../service/docker/auth/ecr/AbstractAwsSdkHelperTest.java    | 5 +++++
 .../build/service/docker/auth/ecr/AwsSdkHelperV1Test.java    | 3 +++
 .../build/service/docker/auth/ecr/AwsSdkHelperV2Test.java    | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
index 686940c4ec..80d74d47d5 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
@@ -43,6 +43,11 @@ void tearDown() {
       clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
       clearEnvironmentVariable("TEST_AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
       clearEnvironmentVariable("TEST_ECS_METADATA_ENDPOINT");
+      clearEnvironmentVariable("AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("AWS_SESSION_TOKEN");
+      clearEnvironmentVariable("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
+      clearEnvironmentVariable("ECS_METADATA_ENDPOINT");
     } catch (Exception ignored) {
       // Ignore failures on newer Java versions
     }
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
index abd5206644..35ba891581 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
@@ -37,6 +37,9 @@ void tearDown() {
       clearEnvironmentVariable("TEST_AWS_ACCESS_KEY_ID");
       clearEnvironmentVariable("TEST_AWS_SECRET_ACCESS_KEY");
       clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
+      clearEnvironmentVariable("AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("AWS_SESSION_TOKEN");
     } catch (Exception ignored) {
       // Ignore failures on newer Java versions
     }
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
index 5d232d253c..7010976f63 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
@@ -37,6 +37,9 @@ void tearDown() {
       clearEnvironmentVariable("TEST_AWS_ACCESS_KEY_ID");
       clearEnvironmentVariable("TEST_AWS_SECRET_ACCESS_KEY");
       clearEnvironmentVariable("TEST_AWS_SESSION_TOKEN");
+      clearEnvironmentVariable("AWS_ACCESS_KEY_ID");
+      clearEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
+      clearEnvironmentVariable("AWS_SESSION_TOKEN");
     } catch (Exception ignored) {
       // Ignore failures on newer Java versions
     }

From 2b566c900ef0f769d2a353f9616648d5948e3520 Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Thu, 4 Dec 2025 20:28:52 +0530
Subject: [PATCH 5/7] feat(aws-ecr): ecr error handling

---
 .../docker/auth/ecr/AbstractAwsSdkHelper.java |   7 +-
 .../docker/auth/ecr/EcrExtendedAuth.java      |  74 +++++-
 .../docker/auth/ecr/EcrExtendedAuthTest.java  | 212 ++++++++++++++++++
 3 files changed, 277 insertions(+), 16 deletions(-)

diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
index 467b6f4325..a0325b3eee 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelper.java
@@ -23,7 +23,6 @@ abstract class AbstractAwsSdkHelper implements AwsSdkAuthHelper {
   protected static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
   protected static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
   protected static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
-  protected static final String AWS_INSTANCE_LINK_LOCAL_ADDRESS = "http://169.254.170.2";
 
   @Override
   public String getAwsAccessKeyIdEnvVar() {
@@ -47,10 +46,6 @@ public String getAwsContainerCredentialsRelativeUri() {
 
   @Override
   public String getEcsMetadataEndpoint() {
-    String endpoint = System.getenv(METADATA_ENDPOINT);
-    if (endpoint == null) {
-      return AWS_INSTANCE_LINK_LOCAL_ADDRESS;
-    }
-    return endpoint;
+    return System.getenv(METADATA_ENDPOINT);
   }
 }
diff --git a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuth.java b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuth.java
index eac78b4df9..91adb0ee17 100644
--- a/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuth.java
+++ b/jkube-kit/build/service/docker/src/main/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuth.java
@@ -13,6 +13,7 @@
  */
 package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
 
+import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.Reader;
@@ -20,6 +21,7 @@
 import java.util.Date;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import com.google.gson.Gson;
 import com.google.gson.JsonArray;
@@ -45,6 +47,8 @@ public class EcrExtendedAuth {
     private static final Pattern AWS_REGISTRY =
             Pattern.compile("^(\\d{12})\\.dkr\\.ecr\\.([a-z\\-0-9]+)\\.amazonaws\\.com$");
 
+    private static final Pattern LOCALSTACK_REGISTRY =
+            Pattern.compile("^(\\d{12})\\.dkr\\.ecr\\.([a-z0-9-]+)\\.localhost\\.localstack\\.cloud:(\\d+)$");
     private final KitLogger logger;
     private final boolean isAwsRegistry;
     private final String accountId;
@@ -57,7 +61,7 @@ public class EcrExtendedAuth {
      * @return true, if the registry matches the ecr pattern
      */
     public static boolean isAwsRegistry(String registry) {
-        return (registry != null) && AWS_REGISTRY.matcher(registry).matches();
+        return (registry != null) && (AWS_REGISTRY.matcher(registry).matches() || LOCALSTACK_REGISTRY.matcher(registry).matches());
     }
 
     /**
@@ -69,10 +73,16 @@ public static boolean isAwsRegistry(String registry) {
     public EcrExtendedAuth(KitLogger logger, String registry) {
         this.logger = logger;
         Matcher matcher = AWS_REGISTRY.matcher(registry);
-        isAwsRegistry = matcher.matches();
+        Matcher matcherLocalStack = LOCALSTACK_REGISTRY.matcher(registry);
+        isAwsRegistry = matcher.matches() || matcherLocalStack.matches();
         if (isAwsRegistry) {
-            accountId = matcher.group(1);
-            region = matcher.group(2);
+            if (matcher.matches()) {
+                accountId = matcher.group(1);
+                region = matcher.group(2);
+            } else {
+                accountId = matcherLocalStack.group(1);
+                region = matcherLocalStack.group(2);
+            }
         } else {
             accountId = null;
             region = null;
@@ -120,11 +130,16 @@ private JsonObject executeRequest(CloseableHttpClient client, HttpPost request)
             CloseableHttpResponse response = client.execute(request);
             int statusCode = response.getStatusLine().getStatusCode();
             logger.debug("Response status %d", statusCode);
+
+            HttpEntity entity = response.getEntity();
             if (statusCode != HttpStatus.SC_OK) {
-                throw new IOException("AWS authentication failure");
+                // More robust error handling for clear message
+                Reader errorReader = new InputStreamReader(entity.getContent(), StandardCharsets.UTF_8);
+                String errorMessage = new BufferedReader(errorReader).lines().collect(Collectors.joining("\n"));
+                logger.error("AWS authentication failure. Status: %d, Response: %s", statusCode, errorMessage);
+                throw new IOException("AWS authentication failure - Status: " + statusCode + ", Response: " + errorMessage);
             }
 
-            HttpEntity entity = response.getEntity();
             Reader jr = new InputStreamReader(entity.getContent(), StandardCharsets.UTF_8);
             return new Gson().fromJson(jr, JsonObject.class);
         }
@@ -133,13 +148,52 @@ private JsonObject executeRequest(CloseableHttpClient client, HttpPost request)
         }
     }
 
+    /**
+     * Get the ECR endpoint URL. Can be overridden for testing.
+     * @return endpoint URL from AWS_ENDPOINT_URL environment variable, or null for standard AWS ECR
+     */
+    protected String getEndpointUrl() {
+        return System.getenv("AWS_ENDPOINT_URL");
+    }
+
     HttpPost createSignedRequest(AuthConfig localCredentials, Date time) {
-        String host = "api.ecr." + region + ".amazonaws.com";
+        // Determine if using LocalStack or AWS ECR. If using localstack for testing/dev create an env variable AWS_ENDPOINT_URL which points to localstack api endpoint
+        String endpoint = getEndpointUrl();
+        String requestUrl;
+        String hostForSigning;
+
+        if (endpoint != null && !endpoint.isEmpty()) {
+            // Using LocalStack or custom endpoint
+            // Preserve the protocol (http/https) from the endpoint
+            if (!endpoint.endsWith("/")) {
+                endpoint = endpoint + "/";
+            }
+            requestUrl = endpoint;
+
+            // Extract host:port from endpoint URL for signing
+            String cleanEndpoint = endpoint.replace("https://", "").replace("http://", "");
+            if (cleanEndpoint.endsWith("/")) {
+                cleanEndpoint = cleanEndpoint.substring(0, cleanEndpoint.length() - 1);
+            }
+
+            // For signing, remove port if present
+            int portIndex = cleanEndpoint.lastIndexOf(':');
+            if (portIndex > 0 && cleanEndpoint.substring(portIndex + 1).matches("\\d+")) {
+                hostForSigning = cleanEndpoint.substring(0, portIndex);
+            } else {
+                hostForSigning = cleanEndpoint;
+            }
+        } else {
+            // Using real AWS ECR
+            hostForSigning = "api.ecr." + region + ".amazonaws.com";
+            requestUrl = "https://" + hostForSigning + "/";
+        }
 
-        logger.debug("Get ECR AuthorizationToken from %s", host);
+        logger.debug("Get ECR AuthorizationToken from %s", requestUrl);
 
-        HttpPost request = new HttpPost("https://" + host + '/');
-        request.setHeader("host", host);
+        HttpPost request = new HttpPost(requestUrl);
+        // IMPORTANT: host header for signing must NOT include port
+        request.setHeader("host", hostForSigning);
         request.setHeader("Content-Type", "application/x-amz-json-1.1");
         request.setHeader("X-Amz-Target", "AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken");
         request.setEntity(new StringEntity("{\"registryIds\":[\""+ accountId + "\"]}", StandardCharsets.UTF_8));
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuthTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuthTest.java
index d3228f62c2..4ed7aadfff 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuthTest.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/EcrExtendedAuthTest.java
@@ -28,6 +28,11 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import java.util.stream.Stream;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
@@ -90,6 +95,7 @@ void testClientClosedAndCredentialsDecoded()
         when(statusLine.getStatusCode()).thenReturn(200);
         when(closeableHttpResponse.getEntity()).thenReturn(entity);
         EcrExtendedAuth eea = new EcrExtendedAuth(logger, "123456789012.dkr.ecr.eu-west-1.amazonaws.com") {
+            @Override
             CloseableHttpClient createClient() {
                 return closeableHttpClient;
             }
@@ -106,4 +112,210 @@ CloseableHttpClient createClient() {
         verify(closeableHttpClient).close();
     }
 
+    @Test
+    void testIsLocalStack() {
+        assertThat(new EcrExtendedAuth(logger, "000000000000.dkr.ecr.us-east-1.localhost.localstack.cloud:4566").isAwsRegistry()).isTrue();
+    }
+
+    @Test
+    void testLocalStackRegistryPattern() {
+        EcrExtendedAuth eea = new EcrExtendedAuth(logger, "000000000000.dkr.ecr.us-east-1.localhost.localstack.cloud:4566");
+        assertThat(eea.isAwsRegistry()).isTrue();
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("endpointTestData")
+    void testHeadersWithCustomEndpoint(String testName, String endpoint, String expectedHost, String expectedUri) {
+        EcrExtendedAuth eea = new TestableEcrExtendedAuth(logger, "123456789012.dkr.ecr.eu-west-1.amazonaws.com", endpoint);
+        AuthConfig localCredentials = AuthConfig.builder()
+                .username("username")
+                .password("password")
+                .build();
+        Date signingTime = Date.from(
+            ZonedDateTime.of(2016, 12, 17, 21, 10, 58, 0, ZoneId.of("GMT"))
+                .toInstant());
+        HttpPost request = eea.createSignedRequest(localCredentials, signingTime);
+
+        // Host header should NOT include port for signing
+        assertThat(request.getFirstHeader("host").getValue())
+                .isEqualTo(expectedHost);
+
+        // Request URI
+        assertThat(request.getURI()).hasToString(expectedUri);
+
+        // Verify request entity is created with account ID
+        assertThat(request.getEntity()).isNotNull();
+    }
+
+    static Stream<Arguments> endpointTestData() {
+        return Stream.of(
+            Arguments.of(
+                "HTTP endpoint with port",
+                "http://localhost.localstack.cloud:4566",
+                "localhost.localstack.cloud",
+                "http://localhost.localstack.cloud:4566/"
+            ),
+            Arguments.of(
+                "HTTPS endpoint with port",
+                "https://localhost.localstack.cloud:4566",
+                "localhost.localstack.cloud",
+                "https://localhost.localstack.cloud:4566/"
+            ),
+            Arguments.of(
+                "HTTP endpoint without port",
+                "http://localhost.localstack.cloud",
+                "localhost.localstack.cloud",
+                "http://localhost.localstack.cloud/"
+            ),
+            Arguments.of(
+                "No custom endpoint (AWS ECR)",
+                null,
+                "api.ecr.eu-west-1.amazonaws.com",
+                "https://api.ecr.eu-west-1.amazonaws.com/"
+            ),
+            Arguments.of(
+                "Empty custom endpoint (AWS ECR)",
+                "",
+                "api.ecr.eu-west-1.amazonaws.com",
+                "https://api.ecr.eu-west-1.amazonaws.com/"
+            ),
+            Arguments.of(
+                "Endpoint with trailing slash",
+                "http://localhost.localstack.cloud:4566/",
+                "localhost.localstack.cloud",
+                "http://localhost.localstack.cloud:4566/"
+            ),
+            Arguments.of(
+                "Endpoint with non-standard port",
+                "https://custom.ecr.local:8443",
+                "custom.ecr.local",
+                "https://custom.ecr.local:8443/"
+            ),
+            Arguments.of(
+                "Endpoint without protocol-like port (hostname:text)",
+                "http://localhost.localstack.cloud:notaport",
+                "localhost.localstack.cloud:notaport",
+                "http://localhost.localstack.cloud:notaport/"
+            )
+        );
+    }
+
+    @Test
+    void testGetEndpointUrl() {
+        EcrExtendedAuth eea = new EcrExtendedAuth(logger, "123456789012.dkr.ecr.eu-west-1.amazonaws.com");
+        // Should return null or actual env var value depending on system
+        String endpoint = eea.getEndpointUrl();
+        // Just verify it doesn't throw
+        assertThat(endpoint).satisfiesAnyOf(
+            e -> assertThat(e).isNull(),
+            e -> assertThat(e).isNotEmpty()
+        );
+    }
+
+    @Test
+    void testLocalStackAccountIdAndRegionExtraction() {
+        EcrExtendedAuth eea = new TestableEcrExtendedAuth(logger, "000000000000.dkr.ecr.us-east-1.localhost.localstack.cloud:4566", "http://localhost.localstack.cloud:4566");
+        assertThat(eea.isAwsRegistry()).isTrue();
+        // Verify it can create a signed request with LocalStack registry pattern
+        HttpPost request = eea.createSignedRequest(
+            AuthConfig.builder().username("test").password("test").build(),
+            new Date()
+        );
+        assertThat(request).isNotNull();
+        assertThat(request.getFirstHeader("host").getValue()).isEqualTo("localhost.localstack.cloud");
+    }
+
+    @ParameterizedTest(name = "isAwsRegistry({0}) should return {1}")
+    @MethodSource("registryValidationTestData")
+    void testStaticIsAwsRegistryMethod(String registry, boolean expected) {
+        assertThat(EcrExtendedAuth.isAwsRegistry(registry)).isEqualTo(expected);
+    }
+
+    static Stream<Arguments> registryValidationTestData() {
+        return Stream.of(
+            Arguments.of("123456789012.dkr.ecr.eu-west-1.amazonaws.com", true),
+            Arguments.of("000000000000.dkr.ecr.us-east-1.localhost.localstack.cloud:4566", true),
+            Arguments.of("docker.io", false),
+            Arguments.of(null, false),
+            Arguments.of("", false),
+            Arguments.of("invalid.registry.com", false),
+            Arguments.of("123.dkr.ecr.us-east-1.amazonaws.com", false) // Invalid account ID (too short)
+        );
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("securityTokenTestData")
+    void testAuthConfigWithSecurityToken(String testDescription, String securityToken, boolean shouldHaveHeader) {
+        EcrExtendedAuth eea = new TestableEcrExtendedAuth(logger, "123456789012.dkr.ecr.eu-west-1.amazonaws.com", null);
+        AuthConfig.AuthConfigBuilder builder = AuthConfig.builder()
+                .username("username")
+                .password("password");
+
+        if (securityToken != null) {
+            builder.auth(securityToken);
+        }
+
+        AuthConfig localCredentials = builder.build();
+        Date signingTime = Date.from(
+            ZonedDateTime.of(2016, 12, 17, 21, 10, 58, 0, ZoneId.of("GMT"))
+                .toInstant());
+        HttpPost request = eea.createSignedRequest(localCredentials, signingTime);
+
+        // Verify security token header presence/absence
+        if (shouldHaveHeader) {
+            assertThat(request.getFirstHeader("X-Amz-Security-Token")).isNotNull();
+            assertThat(request.getFirstHeader("X-Amz-Security-Token").getValue())
+                    .isEqualTo(securityToken);
+        } else {
+            assertThat(request.getFirstHeader("X-Amz-Security-Token")).isNull();
+        }
+    }
+
+    static Stream<Arguments> securityTokenTestData() {
+        return Stream.of(
+            Arguments.of("with session token", "session-token-value", true),
+            Arguments.of("without session token", null, false),
+            Arguments.of("with empty session token", "", false)
+        );
+    }
+
+    @ParameterizedTest(name = "Region: {0}")
+    @MethodSource("regionTestData")
+    void testDifferentRegions(String region, String expectedHost) {
+        String registry = "123456789012.dkr.ecr." + region + ".amazonaws.com";
+        EcrExtendedAuth eea = new TestableEcrExtendedAuth(logger, registry, null);
+        AuthConfig credentials = AuthConfig.builder().username("user").password("pass").build();
+        Date time = new Date();
+        HttpPost request = eea.createSignedRequest(credentials, time);
+        assertThat(request.getFirstHeader("host").getValue()).isEqualTo(expectedHost);
+    }
+
+    static Stream<Arguments> regionTestData() {
+        return Stream.of(
+            Arguments.of("us-east-1", "api.ecr.us-east-1.amazonaws.com"),
+            Arguments.of("us-west-2", "api.ecr.us-west-2.amazonaws.com"),
+            Arguments.of("eu-west-1", "api.ecr.eu-west-1.amazonaws.com"),
+            Arguments.of("eu-central-1", "api.ecr.eu-central-1.amazonaws.com"),
+            Arguments.of("ap-south-1", "api.ecr.ap-south-1.amazonaws.com"),
+            Arguments.of("ap-southeast-1", "api.ecr.ap-southeast-1.amazonaws.com")
+        );
+    }
+
+    /**
+     * Testable version of EcrExtendedAuth that allows injecting custom endpoint for testing
+     */
+    private static class TestableEcrExtendedAuth extends EcrExtendedAuth {
+        private final String testEndpoint;
+
+        public TestableEcrExtendedAuth(KitLogger logger, String registry, String endpoint) {
+            super(logger, registry);
+            this.testEndpoint = endpoint;
+        }
+
+        @Override
+        protected String getEndpointUrl() {
+            return testEndpoint;
+        }
+    }
+
 }

From 7bd9f443c0d24f6bd763405fef75bc7408b5a237 Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Thu, 4 Dec 2025 20:36:21 +0530
Subject: [PATCH 6/7] feat(aws-ecr): remove unused tests

---
 .../auth/ecr/AbstractAwsSdkHelperTest.java      | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
index 80d74d47d5..0270604e9d 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AbstractAwsSdkHelperTest.java
@@ -138,23 +138,6 @@ void getAwsContainerCredentialsRelativeUri_whenSet_returnsValue() {
     }
   }
 
-  @Test
-  void getEcsMetadataEndpoint_returnsDefaultOrEnvValue() {
-    String endpoint = helper.getEcsMetadataEndpoint();
-    // Should return either the env var value or the default
-    assertThat(endpoint).matches("^http://.*");
-  }
-
-  @Test
-  void getEcsMetadataEndpoint_whenNotSet_returnsDefault() {
-    // This test verifies the default value when env var is not set
-    String endpoint = helper.getEcsMetadataEndpoint();
-    assertThat(endpoint).satisfiesAnyOf(
-        e -> assertThat(e).isEqualTo("http://169.254.170.2"),
-        e -> assertThat(e).startsWith("http://")
-    );
-  }
-
   @Test
   void getEcsMetadataEndpoint_whenSet_returnsEnvVarValue() {
     try {

From a3ebde7b7b93f8ba1ce85e1ab4150fe6ad1d8b14 Mon Sep 17 00:00:00 2001
From: Ashish Thakur <ashishth@redhat.com>
Date: Thu, 4 Dec 2025 20:45:38 +0530
Subject: [PATCH 7/7] feat(aws-ecr): remove unused tests

---
 .../build/service/docker/auth/ecr/AwsSdkHelperV1Test.java  | 7 -------
 .../build/service/docker/auth/ecr/AwsSdkHelperV2Test.java  | 7 -------
 2 files changed, 14 deletions(-)

diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
index 35ba891581..f497579b0f 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV1Test.java
@@ -94,13 +94,6 @@ void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
     );
   }
 
-  @Test
-  void getEcsMetadataEndpoint_returnsValue() {
-    // Should return either the env var value or the default
-    String endpoint = helper.getEcsMetadataEndpoint();
-    assertThat(endpoint).matches("^http://.*");
-  }
-
   @Test
   void getAWSAccessKeyIdFromCredentials_withBasicCredentials_returnsAccessKeyId() throws Exception {
     com.amazonaws.auth.BasicAWSCredentials credentials =
diff --git a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
index 7010976f63..4f863d46f2 100644
--- a/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
+++ b/jkube-kit/build/service/docker/src/test/java/org/eclipse/jkube/kit/build/service/docker/auth/ecr/AwsSdkHelperV2Test.java
@@ -94,13 +94,6 @@ void getAwsContainerCredentialsRelativeUri_returnsEnvironmentVariable() {
     );
   }
 
-  @Test
-  void getEcsMetadataEndpoint_returnsValue() {
-    // Should return either the env var value or the default
-    String endpoint = helper.getEcsMetadataEndpoint();
-    assertThat(endpoint).matches("^http://.*");
-  }
-
   @Test
   void getAccessKeyIdFromCredentials_withBasicCredentials_returnsAccessKeyId() throws Exception {
     software.amazon.awssdk.auth.credentials.AwsBasicCredentials credentials =