fix(aws-cdk): fix profiles in non-'aws' partitions

Properly pass on the default region to the STS call we make to discover the default AWS credentials. Also, there is no way to make use of AssumeRole profiles without the AWS_SDK_LOAD_CONFIG flag being set, so reintroduce setting that flag if we discover the file to exist. Fixes #1262 and #1109.
aws · Dec 4, 2018 · 5aef969 · 5aef969
1 parent 0de2da8
commit 5aef969
Showing 1 changed file with 29 additions and 3 deletions.
diff --git a/packages/aws-cdk/lib/api/util/sdk.ts b/packages/aws-cdk/lib/api/util/sdk.ts
@@ -72,7 +72,7 @@ export class SDK {
       });
     }
 
-    this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider);
+    this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider, getCLICompatibleDefaultRegion(this.profile));
     this.credentialsCache = new CredentialsCache(this.defaultAwsAccount, defaultCredentialProvider);
   }
 
@@ -206,7 +206,9 @@ class DefaultAWSAccount {
   private defaultAccountId?: string = undefined;
   private readonly accountCache = new AccountAccessKeyCache();
 
-  constructor(private readonly defaultCredentialsProvider: Promise<AWS.CredentialProviderChain>) {
+  constructor(
+      private readonly defaultCredentialsProvider: Promise<AWS.CredentialProviderChain>,
+      private readonly region: Promise<string | undefined>) {
   }
 
   /**
@@ -222,6 +224,21 @@ class DefaultAWSAccount {
 
   private async lookupDefaultAccount(): Promise<string | undefined> {
     try {
+      // There just is *NO* way to do AssumeRole credentials as long as AWS_SDK_LOAD_CONFIG is not set. The SDK
+      // crash if the file does not exist though. So set the environment variable if we can find that file.
+      await setConfigVariable();
+
+      // support these
+      // This might try to load a profile which as AssumeRole credentials. This will normally work for the JS SDK
+      // if AWS_PROFILE/AWS_SDK_LOAD_CONFIG are set, but we don't set those (we work directly from the API).
+      //
+      // Since there is no way to pass a { region } argument to the STS client used for AssumeRole credentials
+      // (https://github.com/aws/aws-sdk-js/issues/2377), we must now configure the region globally so that it will
+      // be picked up there.
+      // AWS.config.update({
+      //   region: await this.region
+      // });
+
       debug('Resolving default credentials');
       const credentialProvider = await this.defaultCredentialsProvider;
       const creds = await credentialProvider.resolvePromise();
@@ -234,7 +251,7 @@ class DefaultAWSAccount {
       const accountId = await this.accountCache.fetch(creds.accessKeyId, async () => {
         // if we don't have one, resolve from STS and store in cache.
         debug('Looking up default account ID from STS');
-        const result = await new AWS.STS({ credentials: creds }).getCallerIdentity().promise();
+        const result = await new AWS.STS({ credentials: creds, region: await this.region }).getCallerIdentity().promise();
         const aid = result.Account;
         if (!aid) {
           debug('STS didn\'t return an account ID');
@@ -389,6 +406,15 @@ async function hasEc2Credentials() {
   return instance;
 }
 
+async function setConfigVariable() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE
+    || (process.env.HOMEPATH ? ((process.env.HOMEDRIVE || 'C:/') + process.env.HOMEPATH) : null) || os.homedir();
+
+  if (await fs.pathExists(path.resolve(homeDir, '.aws', 'config'))) {
+    process.env.AWS_SDK_LOAD_CONFIG = '1';
+  }
+}
+
 async function readIfPossible(filename: string): Promise<string | undefined> {
   try {
     if (!await fs.pathExists(filename)) { return undefined; }