Aws-cdk: Profile based credentials don't work with credential_process

Created on 22 Jun 2019 · 11Comments · Source: aws/aws-cdk

I'm submitting a ...
- [X] :beetle: bug report
- [ ] :rocket: feature request
- [ ] :books: construct library gap
- [ ] :phone: security issue or vulnerability => Please see policy
- [ ] :question: support request => Please see note at the top of this template.
What is the current behavior?
If the current behavior is a :beetle:bug:beetle:: Please provide the steps to reproduce

When using --profile (see also #3007), the CLI doesn't respect credential_process. The profile has to have hardcoded credentials.

What is the expected behavior (or behavior of feature suggested)?

credentials_process is respected and invoked the same way other AWS CLI tools do.

What is the motivation / use case for changing the behavior or adding this feature?

Parity with AWS CLI.

Please tell us about your environment:
- CDK CLI Version: 0.35.0
- Module Version: 0.35.0
- OS: macOS Mojave
- Language: TypeScript

bug efformedium in-progress p1 packagtools

Source

prencher

👍14

Most helpful comment

https://github.com/aws/aws-cdk/blob/986e2814e072f0334d8470a2d60ea73dcceadfe4/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L42-L45

I can hack my way to making this work by adding a line here, though there may be other consequences...

    const sources = [
      () => new AWS.EnvironmentCredentials('AWS'),
      () => new AWS.EnvironmentCredentials('AMAZON'),
      () => new AWS.ProcessCredentials({ profile }),
    ];

rclark on 17 May 2020

👍6

All 11 comments

Limitation of the AWS SDK for JavaScript we're using. Nothing to do for us here, you should file a feature request with them: https://github.com/aws/aws-sdk-js

Duplicate: https://github.com/awslabs/aws-cdk/issues/1656

rix0rrr on 26 Jun 2019

@rix0rrr is that the case? I am seeing some PRs that implement credentials_process: https://github.com/aws/aws-sdk-js/pull/2559

mb-dev on 16 Nov 2019

@rix0rrr could you please reopen this ticket? The aws-sdk-js DOES support process credentials now.

rclark on 17 May 2020

👍4

https://github.com/aws/aws-cdk/blob/986e2814e072f0334d8470a2d60ea73dcceadfe4/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L42-L45

I can hack my way to making this work by adding a line here, though there may be other consequences...

    const sources = [
      () => new AWS.EnvironmentCredentials('AWS'),
      () => new AWS.EnvironmentCredentials('AMAZON'),
      () => new AWS.ProcessCredentials({ profile }),
    ];

rclark on 17 May 2020

👍6

Please reopen!

3oris on 29 May 2020

👍4

marking as p1 to prioritize a fix

shivlaks on 24 Jun 2020

👍5

[not a contribution]

Hey is there any update on this issue?

LuqiPan on 4 Aug 2020

JS SDK now supports process_credentials now. Please check out my demo here:

https://github.com/pahud/gitpod-workspace/issues/1#issue-726527096

However, AWS CDK does not support it. Can we add support for it given JS SDK supports it now?

pahud on 21 Oct 2020

👍1

@shivlaks @rix0rrr Is there anything I can help to make this work? AWS SSO is marketed as the way to configure your users in a multi-account setup but CDK is then not usable.

hoegertn on 22 Oct 2020

I believe we probably need update
https://github.com/aws/aws-cdk/blob/905f661038b0ebe3072b0ccfd4b93f93030740ec/packages/aws-cdk/lib/api/aws-auth/aws-sdk-inifile.ts#L29
or
https://github.com/aws/aws-cdk/blob/905f661038b0ebe3072b0ccfd4b93f93030740ec/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts#L35

And determine if credential_process is configured in the profile. If yes, we simply return the AWS.ProcessCredentials to the credential provider chain and it should work.

pahud on 24 Oct 2020

👍3

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.