diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
index 54adb46a964bd..0ac2e08947ec8 100644
--- a/packages/aws-cdk/README.md
+++ b/packages/aws-cdk/README.md
@@ -622,6 +622,11 @@ role_arn=arn:aws:iam::123456789123:role/role_to_be_assumed
 mfa_serial=arn:aws:iam::123456789123:mfa/my_user
 ```
 
+## SSO support
+
+If you create an SSO profile with `aws configure sso` and run `aws sso login`, the CDK can use those credentials
+if you set the profile name as the value of `AWS_PROFILE` or pass it to `--profile`.
+
 ## Configuration
 
 On top of passing configuration through command-line arguments, it is possible to use JSON configuration files. The
diff --git a/packages/aws-cdk/THIRD_PARTY_LICENSES b/packages/aws-cdk/THIRD_PARTY_LICENSES
index e43fa957bb495..cdb1faf8a84cc 100644
--- a/packages/aws-cdk/THIRD_PARTY_LICENSES
+++ b/packages/aws-cdk/THIRD_PARTY_LICENSES
@@ -268,7 +268,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE
 
 ----------------
 
-** aws-sdk@2.1094.0 - https://www.npmjs.com/package/aws-sdk/v/2.1094.0 | Apache-2.0
+** aws-sdk@2.1095.0 - https://www.npmjs.com/package/aws-sdk/v/2.1095.0 | Apache-2.0
 AWS SDK for JavaScript
 Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
index af7ed642c86c3..3c5651396200e 100644
--- a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -33,17 +33,15 @@ export class AwsCliCompatible {
    * 4. Respects $AWS_DEFAULT_PROFILE in addition to $AWS_PROFILE.
    */
   public static async credentialChain(options: CredentialChainOptions = {}) {
+    // Force reading the `config` file if it exists by setting the appropriate
+    // environment variable.
+    await forceSdkToReadConfigIfPresent();
 
     // To match AWS CLI behavior, if a profile is explicitly given using --profile,
     // we use that to the exclusion of everything else (note: this does not apply
     // to AWS_PROFILE, environment credentials still take precedence over AWS_PROFILE)
     if (options.profile) {
-      await forceSdkToReadConfigIfPresent();
-      const theProfile = options.profile;
-      return new AWS.CredentialProviderChain([
-        () => profileCredentials(theProfile),
-        () => new AWS.ProcessCredentials({ profile: theProfile }),
-      ]);
+      return new AWS.CredentialProviderChain(iniFileCredentialFactories(options.profile));
     }
 
     const implicitProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
@@ -51,16 +49,9 @@ export class AwsCliCompatible {
     const sources = [
       () => new AWS.EnvironmentCredentials('AWS'),
       () => new AWS.EnvironmentCredentials('AMAZON'),
+      ...iniFileCredentialFactories(implicitProfile),
     ];
 
-    if (await fs.pathExists(credentialsFileName())) {
-      // Force reading the `config` file if it exists by setting the appropriate
-      // environment variable.
-      await forceSdkToReadConfigIfPresent();
-      sources.push(() => profileCredentials(implicitProfile));
-      sources.push(() => new AWS.ProcessCredentials({ profile: implicitProfile }));
-    }
-
     if (options.containerCreds ?? hasEcsCredentials()) {
       sources.push(() => new AWS.ECSCredentials());
     } else if (hasWebIdentityCredentials()) {
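Review bot: `await forceSdkToReadConfigIfPresent()` now runs at the top of `credentialChain` on every call, so the method mutates process-wide environment state even when the chain will be satisfied by `AWS.EnvironmentCredentials` and no profile is ever consulted; the numbered contract in the method's TSDoc (which starts above the hunk) should record that, e.g. `* 5. Always enables reading of the shared config file (a process-wide side effect), so SSO and credential_process profiles defined there are honoured.` In the second hunk the `fs.pathExists(credentialsFileName())` guard is gone and `iniFileCredentialFactories(implicitProfile)` is spread into the chain unconditionally, which is what lets an SSO profile that lives only in `config` work; it also means that on a host with no shared ini files at all, three profile providers are now tried before the ECS and web-identity providers, and that only works if each SDK provider reports failure to the chain rather than throwing from its factory, which this hunk does not show. A one-line comment above the spread, such as `// Always present: each provider fails over to the next entry when the profile or file is missing`, would make that assumption explicit. The method continues past the end of the hunk.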
@@ -83,6 +74,14 @@ export class AwsCliCompatible {
         tokenCodeFn,
       });
     }
+
+    function iniFileCredentialFactories(theProfile: string) {
+      return [
+        () => profileCredentials(theProfile),
+        () => new AWS.SsoCredentials({ profile: theProfile }),
+        () => new AWS.ProcessCredentials({ profile: theProfile }),
+      ];
+    }
   }
 
   /**
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index a2ff2b37cc575..b848505085412 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -94,7 +94,7 @@
     "@aws-cdk/region-info": "0.0.0",
     "@jsii/check-node": "1.55.0",
     "archiver": "^5.3.0",
-    "aws-sdk": "^2.979.0",
+    "aws-sdk": "^2.1093.0",
     "camelcase": "^6.3.0",
     "cdk-assets": "0.0.0",
     "chokidar": "^3.5.3",
diff --git a/packages/aws-cdk/test/context-providers/amis.test.ts b/packages/aws-cdk/test/context-providers/amis.test.ts
index 177a47bcac209..a3cdf4a49c65c 100644
--- a/packages/aws-cdk/test/context-providers/amis.test.ts
+++ b/packages/aws-cdk/test/context-providers/amis.test.ts
@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { AmiContextProviderPlugin } from '../../lib/context-providers/ami';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();
diff --git a/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts b/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts
index 81a107ecad720..2056e44b724a9 100644
--- a/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts
+++ b/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts
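Review bot: `iniFileCredentialFactories` has no doc comment, and the order of the three factories it returns is the precedence order the chain will try for the named profile, so a reader cannot tell whether placing `AWS.SsoCredentials` between the shared-ini provider and `AWS.ProcessCredentials` was deliberate. Suggest a comment above the declaration: `/** Providers that resolve the given profile from the shared ini files, in the order the chain tries them: static credentials in the profile, then the profile's SSO session, then its credential_process. */`. If the provider chain surfaces only the last provider's error, as aws-sdk v2 chains do (verify), an expired SSO session will be reported to the user as a `ProcessCredentials` failure rather than an SSO one, which is worth stating in that comment or handling where the chain's error is logged. The enclosing `credentialChain` method starts above the hunk.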
@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { VpcNetworkContextProviderPlugin } from '../../lib/context-providers/vpcs';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();
diff --git a/packages/aws-cdk/test/util/awscli-compatible.test.ts b/packages/aws-cdk/test/util/awscli-compatible.test.ts
index a676af7e4c889..cc9ebf5e020ac 100644
--- a/packages/aws-cdk/test/util/awscli-compatible.test.ts
+++ b/packages/aws-cdk/test/util/awscli-compatible.test.ts
@@ -42,6 +42,6 @@ test('Use web identity when available', async () => {
   const providers = (await AwsCliCompatible.credentialChain()).providers;
 
   // make sure the web identity provider is in the chain
-  const webIdentify = (providers[2] as Function)();
+  const webIdentify = (providers[5] as Function)();
   expect(webIdentify).toBeInstanceOf(AWS.TokenFileWebIdentityCredentials);
 });
diff --git a/packages/cdk-assets/package.json b/packages/cdk-assets/package.json
index 6047c8edb3b6d..475066b249b4d 100644
--- a/packages/cdk-assets/package.json
+++ b/packages/cdk-assets/package.json
@@ -47,7 +47,7 @@
     "@aws-cdk/cloud-assembly-schema": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "archiver": "^5.3.0",
-    "aws-sdk": "^2.848.0",
+    "aws-sdk": "^2.1093.0",
     "glob": "^7.2.0",
     "mime": "^2.6.0",
     "yargs": "^16.2.0"
diff --git a/yarn.lock b/yarn.lock
index 3b8c692919504..38187d1917dfd 100644
--- a/yarn.lock
+++ b/yarn.lock
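Review bot: `providers[5]` in awscli-compatible.test.ts is a bare index that only holds because the chain built by `credentialChain()` now has five entries ahead of the web-identity provider, and nothing in the test says which ones; the comment above the assertion should spell them out, e.g. `// chain: env(AWS), env(AMAZON), ini profile, SSO, credential_process, then web identity => index 5`, so the next reordering is a deliberate edit rather than a puzzle. The diff also adds no test asserting that an `AWS.SsoCredentials` provider is present for an explicit `--profile`, which is the behaviour the change introduces; a sibling test that walks `providers` and checks that one of them yields an `AWS.SsoCredentials` instance would pin it. The `test(...)` callback starts above the hunk.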
@@ -2562,7 +2562,22 @@ aws-sdk-mock@5.6.0:
     sinon "^11.1.1"
     traverse "^0.6.6"
 
-aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0, aws-sdk@^2.979.0:
+aws-sdk@^2.1093.0:
+  version "2.1095.0"
+  resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1095.0.tgz#7847493b09a326a0613010ed9db53302f760edf6"
+  integrity sha512-OrZq2pTDsnfOJYsAdRlw+NXTGLQYqWldSZR3HugW8JT4JPWyFZrgB2yPP2ElFHX+4J4SZg5QvkAXl/7s9gLTgA==
+  dependencies:
+    buffer "4.9.2"
+    events "1.1.1"
+    ieee754 "1.1.13"
+    jmespath "0.16.0"
+    querystring "0.2.0"
+    sax "1.2.1"
+    url "0.10.3"
+    uuid "3.3.2"
+    xml2js "0.4.19"
+
+aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0:
   version "2.1094.0"
   resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1094.0.tgz#85cc5fb416ce7af356f1dd1b14fbb714cd923800"
   integrity sha512-g/pjEl1JKs8+UZSdfdTMwUh7oNSWy6LXkjd0WfI3TBVgU5+yE5bd1VtAiJxJ/kIOFwcWyGPy0fNkGjAqL6NAGw==