fix(cli): cdk synth fails if AWS_ credentials have expired (#10343)

If there are credentials but using them fails, the "default account lookup" that's used to populate the environment variables fails (should have returned `undefined`) and the CLI aborts before the CDK app is synth'ed. Fixes #7849. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 14, 2020 · 406f665 · 406f665
1 parent ad9a705
commit 406f665
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
@@ -208,7 +208,7 @@ export class SdkProvider {
           throw new Error('Unable to resolve AWS credentials (setup with "aws configure")');
         }
 
-        return new SDK(creds, this.defaultRegion, this.sdkOptions).currentAccount();
+        return await new SDK(creds, this.defaultRegion, this.sdkOptions).currentAccount();
       } catch (e) {
         debug('Unable to determine the default AWS account:', e);
         return undefined;

diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
@@ -27,14 +27,15 @@ const defaultCredOptions = {
 let uid: string;
 let pluginQueried = false;
 let defaultEnv: cxapi.Environment;
+let getCallerIdentityError: Error | null = null;
 
 beforeEach(() => {
   uid = `(${uuid.v4()})`;
 
   logging.setLogLevel(logging.LogLevel.TRACE);
 
   SDKMock.mock('STS', 'getCallerIdentity', (cb: AwsCallback<AWS.STS.GetCallerIdentityResponse>) => {
-    return cb(null, {
+    return cb(getCallerIdentityError, {
       Account: `${uid}the_account_#`,
       UserId: 'you!',
       Arn: 'arn:aws-here:iam::12345:role/test',
@@ -473,6 +474,35 @@ test('assume fails with unsupported credential_source', async () => {
   expect(account?.accountId).toEqual(undefined);
 });
 
+test('defaultAccount returns undefined if STS call fails', async () => {
+  // GIVEN
+  process.env.AWS_ACCESS_KEY_ID = `${uid}akid`;
+  process.env.AWS_SECRET_ACCESS_KEY = 'sekrit';
+  getCallerIdentityError = new Error('Something is wrong here');
+
+  // WHEN
+  const provider = await SdkProvider.withAwsCliCompatibleDefaults({
+    ...defaultCredOptions,
+  });
+
+  // THEN
+  await expect(provider.defaultAccount()).resolves.toBe(undefined);
+});
+
+test('plugins are still queried even if current credentials are expired', async () => {
+  // GIVEN
+  process.env.AWS_ACCESS_KEY_ID = `${uid}akid`;
+  process.env.AWS_SECRET_ACCESS_KEY = 'sekrit';
+  getCallerIdentityError = new Error('Something is wrong here');
+
+  // WHEN
+  const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions });
+  await provider.forEnvironment({ ...defaultEnv, account: `${uid}plugin_account_#` }, Mode.ForReading);
+
+  // THEN
+  expect(pluginQueried).toEqual(true);
+});
+
 /**
  * Strip shared whitespace from the start of lines
  */