feat(cli): support SSO (#19454)

Adds support for SSO. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Mar 21, 2022 · eba6052 · eba6052
1 parent d59bee9
commit eba6052
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 21 deletions.
diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
@@ -622,6 +622,11 @@ role_arn=arn:aws:iam::123456789123:role/role_to_be_assumed
 mfa_serial=arn:aws:iam::123456789123:mfa/my_user
 ```
 
+## SSO support
+
+If you create an SSO profile with `aws configure sso` and run `aws sso login`, the CDK can use those credentials
+if you set the profile name as the value of `AWS_PROFILE` or pass it to `--profile`.
+
 ## Configuration
 
 On top of passing configuration through command-line arguments, it is possible to use JSON configuration files. The

diff --git a/packages/aws-cdk/THIRD_PARTY_LICENSES b/packages/aws-cdk/THIRD_PARTY_LICENSES
@@ -268,7 +268,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE
 
 ----------------
 
-** aws-sdk@2.1094.0 - https://www.npmjs.com/package/aws-sdk/v/2.1094.0 | Apache-2.0
+** aws-sdk@2.1095.0 - https://www.npmjs.com/package/aws-sdk/v/2.1095.0 | Apache-2.0
 AWS SDK for JavaScript
 Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 

diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -33,34 +33,25 @@ export class AwsCliCompatible {
    * 4. Respects $AWS_DEFAULT_PROFILE in addition to $AWS_PROFILE.
    */
   public static async credentialChain(options: CredentialChainOptions = {}) {
+    // Force reading the `config` file if it exists by setting the appropriate
+    // environment variable.
+    await forceSdkToReadConfigIfPresent();
 
     // To match AWS CLI behavior, if a profile is explicitly given using --profile,
     // we use that to the exclusion of everything else (note: this does not apply
     // to AWS_PROFILE, environment credentials still take precedence over AWS_PROFILE)
     if (options.profile) {
-      await forceSdkToReadConfigIfPresent();
-      const theProfile = options.profile;
-      return new AWS.CredentialProviderChain([
-        () => profileCredentials(theProfile),
-        () => new AWS.ProcessCredentials({ profile: theProfile }),
-      ]);
+      return new AWS.CredentialProviderChain(iniFileCredentialFactories(options.profile));
     }
 
     const implicitProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
 
     const sources = [
       () => new AWS.EnvironmentCredentials('AWS'),
       () => new AWS.EnvironmentCredentials('AMAZON'),
+      ...iniFileCredentialFactories(implicitProfile),
     ];
 
-    if (await fs.pathExists(credentialsFileName())) {
-      // Force reading the `config` file if it exists by setting the appropriate
-      // environment variable.
-      await forceSdkToReadConfigIfPresent();
-      sources.push(() => profileCredentials(implicitProfile));
-      sources.push(() => new AWS.ProcessCredentials({ profile: implicitProfile }));
-    }
-
     if (options.containerCreds ?? hasEcsCredentials()) {
       sources.push(() => new AWS.ECSCredentials());
     } else if (hasWebIdentityCredentials()) {
@@ -83,6 +74,14 @@ export class AwsCliCompatible {
         tokenCodeFn,
       });
     }
+
+    function iniFileCredentialFactories(theProfile: string) {
+      return [
+        () => profileCredentials(theProfile),
+        () => new AWS.SsoCredentials({ profile: theProfile }),
+        () => new AWS.ProcessCredentials({ profile: theProfile }),
+      ];
+    }
   }
 
   /**

diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
@@ -94,7 +94,7 @@
     "@aws-cdk/region-info": "0.0.0",
     "@jsii/check-node": "1.55.0",
     "archiver": "^5.3.0",
-    "aws-sdk": "^2.979.0",
+    "aws-sdk": "^2.1093.0",
     "camelcase": "^6.3.0",
     "cdk-assets": "0.0.0",
     "chokidar": "^3.5.3",

diff --git a/packages/aws-cdk/test/context-providers/amis.test.ts b/packages/aws-cdk/test/context-providers/amis.test.ts
@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { AmiContextProviderPlugin } from '../../lib/context-providers/ami';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();

diff --git a/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts b/packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts
@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { VpcNetworkContextProviderPlugin } from '../../lib/context-providers/vpcs';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();

diff --git a/packages/aws-cdk/test/util/awscli-compatible.test.ts b/packages/aws-cdk/test/util/awscli-compatible.test.ts
@@ -42,6 +42,6 @@ test('Use web identity when available', async () => {
   const providers = (await AwsCliCompatible.credentialChain()).providers;
 
   // make sure the web identity provider is in the chain
-  const webIdentify = (providers[2] as Function)();
+  const webIdentify = (providers[5] as Function)();
   expect(webIdentify).toBeInstanceOf(AWS.TokenFileWebIdentityCredentials);
 });
diff --git a/packages/cdk-assets/package.json b/packages/cdk-assets/package.json
@@ -47,7 +47,7 @@
     "@aws-cdk/cloud-assembly-schema": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "archiver": "^5.3.0",
-    "aws-sdk": "^2.848.0",
+    "aws-sdk": "^2.1093.0",
     "glob": "^7.2.0",
     "mime": "^2.6.0",
     "yargs": "^16.2.0"

diff --git a/yarn.lock b/yarn.lock
@@ -2562,7 +2562,22 @@ aws-sdk-mock@5.6.0:
     sinon "^11.1.1"
     traverse "^0.6.6"
 
-aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0, aws-sdk@^2.979.0:
+aws-sdk@^2.1093.0:
+  version "2.1095.0"
+  resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1095.0.tgz#7847493b09a326a0613010ed9db53302f760edf6"
+  integrity sha512-OrZq2pTDsnfOJYsAdRlw+NXTGLQYqWldSZR3HugW8JT4JPWyFZrgB2yPP2ElFHX+4J4SZg5QvkAXl/7s9gLTgA==
+  dependencies:
+    buffer "4.9.2"
+    events "1.1.1"
+    ieee754 "1.1.13"
+    jmespath "0.16.0"
+    querystring "0.2.0"
+    sax "1.2.1"
+    url "0.10.3"
+    uuid "3.3.2"
+    xml2js "0.4.19"
+
+aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0:
   version "2.1094.0"
   resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1094.0.tgz#85cc5fb416ce7af356f1dd1b14fbb714cd923800"
   integrity sha512-g/pjEl1JKs8+UZSdfdTMwUh7oNSWy6LXkjd0WfI3TBVgU5+yE5bd1VtAiJxJ/kIOFwcWyGPy0fNkGjAqL6NAGw==