From bf026bdd8557305d427510af49f1bc538d439cb6 Mon Sep 17 00:00:00 2001 From: Otavio Macedo <288203+otaviomacedo@users.noreply.github.com> Date: Sat, 14 Dec 2024 08:05:53 +0000 Subject: [PATCH] fix(cli): getting credentials via SSO fails when the region is set in the profile (#32520) We were reading the region from the config file and passing it to the credential providers. However, in the case of SSO, this makes the credential provider use that region to do the SSO flow, which is incorrect. The region that should be used for that is the one set in the `sso_session` section of the config file. The long term solution is for all the logic for handling regions in the SDK itself, without forcing consumers to know all the intricacies of all the use cases. As a mitigation for now, we are using the non-public `parentClientConfig` while we wait for an SDK update. Fixes https://github.com/aws/aws-cdk/issues/32510. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk/lib/api/aws-auth/awscli-compatible.ts | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts index 319e75e3bdb79..3c1fec2604abd 100644 --- a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts +++ b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts @@ -34,6 +34,19 @@ export class AwsCliCompatible { requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions), customUserAgent: 'aws-cdk', logger: options.logger, + }; + + // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team. + // + // Summary of the problem: we were reading the region from the config file and passing it to + // the credential providers. However, in the case of SSO, this makes the credential provider + // use that region to do the SSO flow, which is incorrect. The region that should be used for + // that is the one set in the sso_session section of the config file. + // + // The idea here: the "clientConfig" is for configuring the inner auth client directly, + // and has the highest priority, whereas "parentClientConfig" is the upper data client + // and has lower priority than the sso_region but still higher priority than STS global region. + const parentClientConfig = { region: await this.region(options.profile), }; /** @@ -51,6 +64,7 @@ export class AwsCliCompatible { ignoreCache: true, mfaCodeProvider: tokenCodeFn, clientConfig, + parentClientConfig, logger: options.logger, })); } @@ -83,6 +97,7 @@ export class AwsCliCompatible { const nodeProviderChain = fromNodeProviderChain({ profile: envProfile, clientConfig, + parentClientConfig, logger: options.logger, mfaCodeProvider: tokenCodeFn, ignoreCache: true,