feat(cli): process credentials (#11114)

This adds support for the credentials_process feature. Using the aws-sso-credential-process utility you can also use AWS SSO with this feature This should fix #3008 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Nov 9, 2020 · 6efa5e1 · 6efa5e1
1 parent ab9bcf2
commit 6efa5e1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -40,7 +40,10 @@ export class AwsCliCompatible {
     if (options.profile) {
       await forceSdkToReadConfigIfPresent();
       const theProfile = options.profile;
-      return new AWS.CredentialProviderChain([() => profileCredentials(theProfile)]);
+      return new AWS.CredentialProviderChain([
+        () => profileCredentials(theProfile),
+        () => new AWS.ProcessCredentials({ profile: theProfile }),
+      ]);
     }
 
     const implicitProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
@@ -55,6 +58,7 @@ export class AwsCliCompatible {
       // environment variable.
       await forceSdkToReadConfigIfPresent();
       sources.push(() => profileCredentials(implicitProfile));
+      sources.push(() => new AWS.ProcessCredentials({ profile: implicitProfile }));
     }
 
     if (options.containerCreds ?? hasEcsCredentials()) {

diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
@@ -3,6 +3,7 @@ import * as cxapi from '@aws-cdk/cx-api';
 import * as AWS from 'aws-sdk';
 import * as SDKMock from 'aws-sdk-mock';
 import type { ConfigurationOptions } from 'aws-sdk/lib/config-base';
+import * as promptly from 'promptly';
 import * as uuid from 'uuid';
 import { PluginHost } from '../../lib';
 import { ISDK, Mode, SdkProvider } from '../../lib/api/aws-auth';
@@ -195,12 +196,16 @@ describe('with default config files', () => {
       // WHEN
       const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions, profile: 'mfa-role' });
 
+      const promptlyMockCalls = (promptly.prompt as jest.Mock).mock.calls.length;
+
       // THEN
       try {
         await provider.withAssumedRole('arn:aws:iam::account:role/role', undefined, undefined);
+        fail('Should error as no credentials could be loaded');
       } catch (e) {
-        // Mock response was set to fail with message test to make sure we don't call STS
-        expect(e.message).toEqual('Error fetching MFA token: test');
+        // Mock response was set to fail to make sure we don't call STS
+        // Make sure the MFA mock was called during this test
+        expect((promptly.prompt as jest.Mock).mock.calls.length).toBe(promptlyMockCalls + 1);
       }
     });