feat(cli): support WebIdentityCredentials (as used by EKS)

packages/aws-cdk/README.md

@@ -361,4 +361,4 @@ Some of the interesting keys that can be used in the JSON configuration files:
 The following environment variables affect aws-cdk:
 
 - `CDK_DISABLE_VERSION_CHECK`: If set, disable automatic check for newer versions.
-- `CDK_NEW_BOOTSTRAP`: use the modern bootstrapping stack.
+- `CDK_NEW_BOOTSTRAP`: use the modern bootstrapping stack.

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -63,6 +63,8 @@ export class AwsCliCompatible {
 
     if (options.containerCreds ?? hasEcsCredentials()) {
       sources.push(() => new AWS.ECSCredentials());
+    } else if (options.containerCreds ?? hasWebIdentityCredentials() ) {
+      sources.push(() => new AWS.TokenFileWebIdentityCredentials());
     } else if (options.ec2instance ?? await isEc2Instance()) {
       // else if: don't get EC2 creds if we should have gotten ECS creds--ECS instances also
       // run on EC2 boxes but the creds represent something different. Same behavior as
@@ -156,6 +158,15 @@ function hasEcsCredentials(): boolean {
   return (AWS.ECSCredentials.prototype as any).isConfiguredForEcsCredentials();
 }
 
+/**
+ * Return whether it looks like we'll have WebIdentityCredentials (that's what EKS uses) available
+ * No check like hasEcsCredentials available, so have to implement our own.
+ * @see https://github.com/aws/aws-sdk-js/blob/3ccfd94da07234ae87037f55c138392f38b6881d/lib/credentials/token_file_web_identity_credentials.js#L59
+ */
+function hasWebIdentityCredentials(): boolean {
+  return Boolean(process.env.AWS_ROLE_ARN && process.env.AWS_WEB_IDENTITY_TOKEN_FILE);
+}
+
 /**
  * Return whether we're on an EC2 instance
  */

packages/aws-cdk/test/util/awscli-compatible.test.ts

@@ -27,3 +27,21 @@ test('on an EC2 instance, region lookup queries IMDS', async () => {
   });
 });
 
+test('Use web identity when available', async () => {
+
+  // Scrub some environment variables that are maybe set for Ecs Credentials
+  delete process.env.ECS_CONTAINER_METADATA_URI_V4;
+  delete process.env.ECS_CONTAINER_METADATA_URI;
+  delete process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
+
+  // create and configure the web identity token file
+  process.env.AWS_WEB_IDENTITY_TOKEN_FILE = 'some-value';
+  process.env.AWS_ROLE_ARN = 'some-value';
+
+  // create the chain
+  const providers = (await AwsCliCompatible.credentialChain()).providers;
+
+  // make sure the web identity provider is in the chain
+  const webIdentify = (providers[2] as Function)();
+  expect(webIdentify).toBeInstanceOf(AWS.TokenFileWebIdentityCredentials);
+});