fix(cli): getting credentials via SSO fails when the region is set in the profile #32520

Merged 2 commits, Dec 14, 2024
15 changes: 15 additions & 0 deletions packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
Expand Up @@ -34,6 +34,19 @@ export class AwsCliCompatible {
requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
customUserAgent: 'aws-cdk',
logger: options.logger,
};

// Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
//
// Summary of the problem: we were reading the region from the config file and passing it to
// the credential providers. However, in the case of SSO, this makes the credential provider
// use that region to do the SSO flow, which is incorrect. The region that should be used for
// that is the one set in the sso_session section of the config file.
//
// The idea here: the "clientConfig" is for configuring the inner auth client directly,
// and has the highest priority, whereas "parentClientConfig" is the upper data client
// and has lower priority than the sso_region but still higher priority than STS global region.
const parentClientConfig = {
region: await this.region(options.profile),
};
/**
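Review bot: the new comment states that `clientConfig` has the highest priority, so this fix only holds if `clientConfig` (whose tail, `requestHandler` / `customUserAgent` / `logger` / `};`, is the context at the top of this hunk) no longer carries a `region`; any `region` left there would still override `sso_region`, and the file shows 0 deletions, so please confirm `region` was never set in `clientConfig` here and state that invariant in the comment. Also consider replacing "Super hacky solution" with a neutral note that names the condition (for example an SDK release or the linked issue #32510 being resolved) under which `parentClientConfig` can be dropped again, so the workaround is not kept forever.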
Expand All @@ -51,6 +64,7 @@ export class AwsCliCompatible {
ignoreCache: true,
mfaCodeProvider: tokenCodeFn,
clientConfig,
parentClientConfig,
logger: options.logger,
}));
}
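Review bot: this options object now passes both `clientConfig` and `parentClientConfig`, but the PR touches only packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts and adds no test; a regression test using a profile that sets `region` together with an `sso_session` whose `sso_region` differs would pin the behaviour described in the comment (SSO flow must use `sso_region`, not the profile region) and would catch a future SDK change in the `clientConfig` / `parentClientConfig` precedence this relies on.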
Expand Down Expand Up @@ -83,6 +97,7 @@ export class AwsCliCompatible {
const nodeProviderChain = fromNodeProviderChain({
profile: envProfile,
clientConfig,
parentClientConfig,
logger: options.logger,
mfaCodeProvider: tokenCodeFn,
ignoreCache: true,
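Review bot: `parentClientConfig` is now added by hand to two separate provider option objects (this `fromNodeProviderChain` call and the options in the preceding hunk), alongside the already duplicated `clientConfig`, `logger`, `mfaCodeProvider: tokenCodeFn` and `ignoreCache: true`; building those shared options once and spreading them into both calls would keep the two sites from drifting the next time an option like this one has to be threaded through.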