fix(cli): mfa code is not requested when $AWS_PROFILE is used (#32313)

We only passed in the `mfaCode` function if we got a profile from `--profile`, not when configured using `$AWS_PROFILE`. Reduce a miss in the duplicated code by moving the `clientConfig` to a single initialization point. Fixes #32312. Unfortunately this cannot be unit tested (I cannot mock the function that I need to mock), nor integ tested because it needs human input. I'm open to ideas. In the mean time, tested manually. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Nov 28, 2024 · 6458439 · 6458439
1 parent f271168
commit 6458439
Showing 1 changed file with 11 additions and 12 deletions.
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -27,6 +27,12 @@ export class AwsCliCompatible {
   public static async credentialChainBuilder(
     options: CredentialChainOptions = {},
   ): Promise<AwsCredentialIdentityProvider> {
+    const clientConfig = {
+      requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
+      customUserAgent: 'aws-cdk',
+      logger: options.logger,
+    };
+
     /**
      * The previous implementation matched AWS CLI behavior:
      *
@@ -41,16 +47,12 @@ export class AwsCliCompatible {
         profile: options.profile,
         ignoreCache: true,
         mfaCodeProvider: tokenCodeFn,
-        clientConfig: {
-          requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
-          customUserAgent: 'aws-cdk',
-          logger: options.logger,
-        },
+        clientConfig,
         logger: options.logger,
       });
     }
 
-    const profile = options.profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+    const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
 
     /**
      * Env AWS - EnvironmentCredentials with string AWS
@@ -74,13 +76,10 @@ export class AwsCliCompatible {
      * fromInstanceMetadata()
      */
     const nodeProviderChain = fromNodeProviderChain({
-      profile: profile,
-      clientConfig: {
-        requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
-        customUserAgent: 'aws-cdk',
-        logger: options.logger,
-      },
+      profile: envProfile,
+      clientConfig,
       logger: options.logger,
+      mfaCodeProvider: tokenCodeFn,
       ignoreCache: true,
     });