fix(cli): cross-account deployment no longer works #11966
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This addresses a regression introduced in #11350 and reported in #11792. The original PR added support for using a credential provider as a source for credentials that will be used to assume the CDK Deploy Roles (created by Modern Bootstrapping and used by Default Synthesis). However, by doing so, it broke support for using current AWS credentials to do the same. Closes #11792.
|
|
|
Still needs tests, and needs more explanation in the PR body. Getting this out as quickly as possible to start collecing comments. |
|
@rix0rrr , I am trying to understand, how does it help to do cross account deployment? For
When we boostrap account A with |
Lookups are out of scope for this, and a separate backlog item: #8905. It will work if you deploy stacks that do not require context lookups though. |
nija-at
approved these changes
Dec 10, 2020
| return (providerOrCreds as any).resolvePromise(); | ||
| } | ||
| return providerOrCreds; | ||
| const credentials = (providerOrCreds as any).resolvePromise ? await (providerOrCreds as any).resolvePromise() : providerOrCreds; |
There was a problem hiding this comment.
minor: could we do better than as any? What type are we expecting here?
There was a problem hiding this comment.
// Backwards compatibility: if the plugin returns a ProviderChain, resolve that chain. // Otherwise it must have returned credentials.
| // We will proceed to AssumeRole using whatever we've been given. | ||
| const sdk = await this.withAssumedRole(baseCreds, options.assumeRoleArn, options.assumeRoleExternalId, env.region); | ||
|
|
||
| // Do a call on this SDK. We don't care about the answer, but we want to excercise the AssumeRoleCredentialsProvider |
There was a problem hiding this comment.
Suggested change
| // Do a call on this SDK. We don't care about the answer, but we want to excercise the AssumeRoleCredentialsProvider | |
| // Do a call on this SDK. We don't care about the answer, but we want to exercise the AssumeRoleCredentialsProvider |
| // feed the CLI credentials which are sufficient by themselves. Prefer to assume the correct role if we can, | ||
| // but if we can't then let's just try with available credentials anyway. | ||
| if (baseCreds.source === 'correctDefault' || baseCreds.source === 'plugin') { | ||
| debug(e.message); |
There was a problem hiding this comment.
minor: also place the stack trace into debug logs.
| // Simple case is if we don't need to "assumeRole" here. If so, we must now have credentials for the right | ||
| // account. | ||
| if (options?.assumeRoleArn === undefined) { | ||
| if (baseCreds.source === 'incorrectDefault') { throw new Error(fmtObtainCredentialsError(env.account, baseCreds)); } |
There was a problem hiding this comment.
curious: why should credentials from a plugin when there is no role to assume produce an error?
There was a problem hiding this comment.
That's not what this says though. This says if the default credentials are for the wrong account.
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@rix0rrr , this change fixed |
flochaz
pushed a commit
to flochaz/aws-cdk
that referenced
this pull request
Jan 5, 2021
This addresses a regression introduced in aws#11350 and reported in aws#11792. The original PR added support for using a credential provider as a source for credentials that will be used to assume the CDK Deploy Roles (created by Modern Bootstrapping and used by Default Synthesis). However, by doing so, it broke support for using current AWS credentials to do the same. ## Original Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, always use "current credentials" to assume role ## Broken Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, - Use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account (reusing the logic from legacy stacks) - Then assume role using credentials obtained in the previous step The reuse of the same "credential obtaining" logic here broke cross-account role assumption, because we'd fail as soon as the current credentials would be for the wrong account instead of still trying to use them for AssumeRole. ## New Behavior - Try to get "base credentials" for a target environment: - Use "current credentials" if they are for the right account - Ask credential provider plugins - Use "current credentials" if they are for the wrong account (but remember that they were wrong) - In case of a legacy stack: - If the credentials are for the wrong account, fail - In case of a DefaultSynthesized stack: - Use the set of "base credentials" to try to assume the target role - If that succeeds, we're done - (Fallback) If it fails and the base credentials were already for the right account, use them after all. This fallback will allow people already using credential plugins to keep on using them, even when interoperating with DefaultSynthesized stacks. It will also allow people who seed their terminal with "ReadOnly" credentials (which might not have `sts:AssumeRole` permissions) to still run `cdk diff` as in the past. ## Changes to tests There has been a major refactoring of the tests around this. The current way of testing (mocking some calls left and right) was completely insufficient to test these mechanisms properly. I've therefore resorted to implementing a fake, in-memory version of STS's `GetCallerIdentity` and `AssumeRole`, and using the testing library `nock` to redirect network calls to that in-memory service. This will allow us to test the entire chain from our code down to and including the SDK's behavior, and make sure the right behavior happens without worrying about exact call orders. At the same time, the single gigantic test fixture (with the `~/.aws/credentials` and `~/.aws/config` files) was becoming rather cumbersome. Instead, each test now includes just the one or two profile sections it uses, and a helper function creates both the config files as well as immediately creates those users in-memory in the fake STS service. Closes aws#11792. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This addresses a regression introduced in #11350 and reported in #11792.
The original PR added support for using a credential provider as a source
for credentials that will be used to assume the CDK Deploy Roles
(created by Modern Bootstrapping and used by Default Synthesis).
However, by doing so, it broke support for using current AWS credentials
to do the same.
Original Behavior
Broken Behavior
The reuse of the same "credential obtaining" logic here broke cross-account role assumption, because we'd fail as soon as the current credentials would be for the wrong account instead of still trying to use them for AssumeRole.
New Behavior
sts:AssumeRolepermissions) to still runcdk diffas in the past.Changes to tests
There has been a major refactoring of the tests around this.
The current way of testing (mocking some calls left and right) was completely insufficient to test these mechanisms properly. I've therefore resorted to implementing a fake, in-memory version of STS's
GetCallerIdentityandAssumeRole, and using the testing librarynockto redirect network calls to that in-memory service. This will allow us to test the entire chain from our code down to and including the SDK's behavior, and make sure the right behavior happens without worrying about exact call orders.At the same time, the single gigantic test fixture (with the
~/.aws/credentialsand~/.aws/configfiles) was becoming rather cumbersome. Instead, each test now includes just the one or two profile sections it uses, and a helper function creates both the config files as well as immediately creates those users in-memory in the fake STS service.Closes #11792.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license