feat(cli): support SSO

packages/aws-cdk/README.md

@@ -622,6 +622,11 @@ role_arn=arn:aws:iam::123456789123:role/role_to_be_assumed
 mfa_serial=arn:aws:iam::123456789123:mfa/my_user
 ```
 
+## SSO support
+
+If you create an SSO profile with `aws configure sso` and run `aws sso login`, the CDK can use those credentials
+if you set the profile name as the value of `AWS_PROFILE` or pass it to `--profile`.
+
 ## Configuration
 
 On top of passing configuration through command-line arguments, it is possible to use JSON configuration files. The

packages/aws-cdk/THIRD_PARTY_LICENSES

@@ -357,7 +357,7 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 ----------------
 
-** aws-sdk@2.1094.0 - https://www.npmjs.com/package/aws-sdk/v/2.1094.0 | Apache-2.0
+** aws-sdk@2.1095.0 - https://www.npmjs.com/package/aws-sdk/v/2.1095.0 | Apache-2.0
 AWS SDK for JavaScript
 Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
@@ -2962,6 +2962,16 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
+----------------
+
+** aws-sdk@2.1094.0 - https://www.npmjs.com/package/aws-sdk/v/2.1094.0 | Apache-2.0
+AWS SDK for JavaScript
+Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+This product includes software developed at
+Amazon Web Services, Inc. (http://aws.amazon.com/).
+
+
 ----------------
 
 ** fast-deep-equal@3.1.3 - https://www.npmjs.com/package/fast-deep-equal/v/3.1.3 | MIT

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -42,6 +42,7 @@ export class AwsCliCompatible {
       const theProfile = options.profile;
       return new AWS.CredentialProviderChain([
         () => profileCredentials(theProfile),
+        () => new AWS.SsoCredentials({ profile: theProfile }),
         () => new AWS.ProcessCredentials({ profile: theProfile }),
       ]);
     }
@@ -53,13 +54,12 @@ export class AwsCliCompatible {
       () => new AWS.EnvironmentCredentials('AMAZON'),
     ];
 
-    if (await fs.pathExists(credentialsFileName())) {
-      // Force reading the `config` file if it exists by setting the appropriate
-      // environment variable.
-      await forceSdkToReadConfigIfPresent();
-      sources.push(() => profileCredentials(implicitProfile));
-      sources.push(() => new AWS.ProcessCredentials({ profile: implicitProfile }));
-    }
+    // Force reading the `config` file if it exists by setting the appropriate
+    // environment variable.
+    await forceSdkToReadConfigIfPresent();
+    sources.push(() => profileCredentials(implicitProfile));
+    sources.push(() => new AWS.SsoCredentials({ profile: implicitProfile }));
+    sources.push(() => new AWS.ProcessCredentials({ profile: implicitProfile }));
 
     if (options.containerCreds ?? hasEcsCredentials()) {
       sources.push(() => new AWS.ECSCredentials());

packages/aws-cdk/package.json

@@ -94,7 +94,7 @@
     "@aws-cdk/region-info": "0.0.0",
     "@jsii/check-node": "1.55.0",
     "archiver": "^5.3.0",
-    "aws-sdk": "^2.979.0",
+    "aws-sdk": "^2.1093.0",
     "camelcase": "^6.3.0",
     "cdk-assets": "0.0.0",
     "chokidar": "^3.5.3",

packages/aws-cdk/test/context-providers/amis.test.ts

@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { AmiContextProviderPlugin } from '../../lib/context-providers/ami';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();

packages/aws-cdk/test/context-providers/asymmetric-vpcs.test.ts

@@ -3,7 +3,11 @@ import * as AWS from 'aws-sdk-mock';
 import { VpcNetworkContextProviderPlugin } from '../../lib/context-providers/vpcs';
 import { MockSdkProvider } from '../util/mock-sdk';
 
-AWS.setSDKInstance(aws);
+// If the 'aws-sdk' package imported here and the 'aws-sdk' package imported by 'aws-sdk-mock' aren't
+// the same physical package on disk (if version mismatches cause hoisting/deduping to not happen),
+// the type check here takes too long and makes the TypeScript compiler fail.
+// Suppress the type check using 'as any' to make this more robust.
+AWS.setSDKInstance(aws as any);
 
 afterEach(done => {
   AWS.restore();

packages/aws-cdk/test/util/awscli-compatible.test.ts

@@ -42,6 +42,6 @@ test('Use web identity when available', async () => {
   const providers = (await AwsCliCompatible.credentialChain()).providers;
 
   // make sure the web identity provider is in the chain
-  const webIdentify = (providers[2] as Function)();
+  const webIdentify = (providers[5] as Function)();
   expect(webIdentify).toBeInstanceOf(AWS.TokenFileWebIdentityCredentials);
 });

yarn.lock

@@ -2562,7 +2562,22 @@ aws-sdk-mock@5.6.0:
     sinon "^11.1.1"
     traverse "^0.6.6"
 
-aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0, aws-sdk@^2.979.0:
+aws-sdk@^2.1093.0:
+  version "2.1095.0"
+  resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1095.0.tgz#7847493b09a326a0613010ed9db53302f760edf6"
+  integrity sha512-OrZq2pTDsnfOJYsAdRlw+NXTGLQYqWldSZR3HugW8JT4JPWyFZrgB2yPP2ElFHX+4J4SZg5QvkAXl/7s9gLTgA==
+  dependencies:
+    buffer "4.9.2"
+    events "1.1.1"
+    ieee754 "1.1.13"
+    jmespath "0.16.0"
+    querystring "0.2.0"
+    sax "1.2.1"
+    url "0.10.3"
+    uuid "3.3.2"
+    xml2js "0.4.19"
+
+aws-sdk@^2.596.0, aws-sdk@^2.848.0, aws-sdk@^2.928.0:
   version "2.1094.0"
   resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1094.0.tgz#85cc5fb416ce7af356f1dd1b14fbb714cd923800"
   integrity sha512-g/pjEl1JKs8+UZSdfdTMwUh7oNSWy6LXkjd0WfI3TBVgU5+yE5bd1VtAiJxJ/kIOFwcWyGPy0fNkGjAqL6NAGw==