fix(cli): profile AssumeRole credentials don't work via proxy

The proxy configuration was not being properly passed to the
`AWS.SharedIniFileCredentials` object, so if users configure AssumeRole
credentials in their `~/.aws/config` file, it would try to connect to
STS directly instead of going through the proxy.

Properly parse and pass the HTTP options to the right AWS file.

(Note that this object only takes `HTTPOptions` and not
`ConfigurationOptions`, so there's no way to override the user agent
on this initial STS call).

Fixes #7265.

Author: rix0rrr

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -30,7 +30,11 @@ export class AwsCliCompatible {
    * 3. Respects $AWS_SHARED_CREDENTIALS_FILE.
    * 4. Respects $AWS_DEFAULT_PROFILE in addition to $AWS_PROFILE.
    */
-  public static async credentialChain(profile: string | undefined, ec2creds: boolean | undefined, containerCreds: boolean | undefined) {
+  public static async credentialChain(
+    profile: string | undefined,
+    ec2creds: boolean | undefined,
+    containerCreds: boolean | undefined,
+    httpOptions: AWS.HTTPOptions | undefined) {
     await forceSdkToReadConfigIfPresent();
 
     profile = profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
@@ -41,11 +45,11 @@ export class AwsCliCompatible {
     ];
 
     if (await fs.pathExists(credentialsFileName())) {
-      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName() }));
+      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions }));
     }
 
     if (await fs.pathExists(configFileName())) {
-      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName() }));
+      sources.push(() => new AWS.SharedIniFileCredentials({ profile, filename: credentialsFileName(), httpOptions }));
     }
 
     if (containerCreds ?? hasEcsCredentials()) {

packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts

@@ -88,23 +88,23 @@ export class SdkProvider {
    * class `AwsCliCompatible` for the details.
    */
   public static async withAwsCliCompatibleDefaults(options: SdkProviderOptions = {}) {
-    const chain = await AwsCliCompatible.credentialChain(options.profile, options.ec2creds, options.containerCreds);
+    const sdkOptions = parseHttpOptions(options.httpOptions ?? {});
+
+    const chain = await AwsCliCompatible.credentialChain(options.profile, options.ec2creds, options.containerCreds, sdkOptions.httpOptions);
     const region = await AwsCliCompatible.region(options.profile);
 
-    return new SdkProvider(chain, region, options.httpOptions);
+    return new SdkProvider(chain, region, sdkOptions);
   }
 
   private readonly plugins = new CredentialPlugins();
-  private readonly httpOptions: ConfigurationOptions;
 
   public constructor(
     private readonly defaultChain: AWS.CredentialProviderChain,
     /**
      * Default region
      */
     public readonly defaultRegion: string,
-    httpOptions: SdkHttpOptions = {}) {
-    this.httpOptions = defaultHttpOptions(httpOptions);
+    private readonly sdkOptions: ConfigurationOptions = {}) {
   }
 
   /**
@@ -116,7 +116,7 @@ export class SdkProvider {
   public async forEnvironment(accountId: string | undefined, region: string | undefined, mode: Mode): Promise<ISDK> {
     const env = await this.resolveEnvironment(accountId, region);
     const creds = await this.obtainCredentials(env.account, mode);
-    return new SDK(creds, env.region, this.httpOptions);
+    return new SDK(creds, env.region, this.sdkOptions);
   }
 
   /**
@@ -139,12 +139,12 @@ export class SdkProvider {
       },
       stsConfig: {
         region,
-        ...this.httpOptions,
+        ...this.sdkOptions,
       },
       masterCredentials: await this.defaultCredentials(),
     });
 
-    return new SDK(creds, region, this.httpOptions);
+    return new SDK(creds, region, this.sdkOptions);
   }
 
   /**
@@ -199,7 +199,7 @@ export class SdkProvider {
           throw new Error('Unable to resolve AWS credentials (setup with "aws configure")');
         }
 
-        return new SDK(creds, this.defaultRegion, this.httpOptions).currentAccount();
+        return new SDK(creds, this.defaultRegion, this.sdkOptions).currentAccount();
       } catch (e) {
         debug('Unable to determine the default AWS account:', e);
         return undefined;
@@ -269,8 +269,11 @@ export interface Account {
  * Get HTTP options for the SDK
  *
  * Read from user input or environment variables.
+ *
+ * Returns a complete `ConfigurationOptions` object because that's where
+ * `customUserAgent` lives, but `httpOptions` is the most important attribute.
  */
-function defaultHttpOptions(options: SdkHttpOptions) {
+function parseHttpOptions(options: SdkHttpOptions) {
   const config: ConfigurationOptions = {};
   config.httpOptions = {};
 
@@ -298,6 +301,7 @@ function defaultHttpOptions(options: SdkHttpOptions) {
     debug('Using proxy server: %s', proxyAddress);
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     const ProxyAgent: any = require('proxy-agent');
+    // tslint:disable-next-line:no-console
     config.httpOptions.agent = new ProxyAgent(proxyAddress);
   }
   if (caBundlePath) {

packages/aws-cdk/test/api/sdk-provider.test.ts

@@ -34,6 +34,10 @@ beforeEach(() => {
       [foo]
       aws_access_key_id=${uid}fooccess
       aws_secret_access_key=secret
+
+      [assumer]
+      aws_access_key_id=${uid}assumer
+      aws_secret_access_key=secret
     `),
     '/home/me/.bxt/config': dedent(`
       [default]
@@ -46,6 +50,13 @@ beforeEach(() => {
       aws_access_key_id=${uid}booccess
       aws_secret_access_key=boocret
       # No region here
+
+      [profile assumable]
+      role_arn=arn:aws:iam::12356789012:role/Assumable
+      source_profile=assumer
+
+      [profile assumer]
+      region=us-east-2
     `),
   });
 
@@ -138,6 +149,40 @@ describe('CLI compatible credentials loading', () => {
 
     await expect(provider.forEnvironment(`${uid}some_account_#`, 'def', Mode.ForReading)).rejects.toThrow('Need to perform AWS calls');
   });
+
+  test('even when using a profile to assume another profile, STS calls goes through the proxy', async () => {
+    // Messy mocking
+    let called = false;
+    jest.mock('proxy-agent', () => {
+      class FakeAgent extends require('https').Agent {
+        public addRequest(_: any, __: any) {
+          // This error takes 6 seconds to be completely handled. It might be retries in the SDK
+          // somewhere, or something about the Node event loop. I've spent an hour trying to figure
+          // it out and I can't, and I gave up. We'll just have to live with this.
+          const error = new Error('ABORTED BY TEST');
+          (error as any).code = 'RequestAbortedError';
+          (error as any).retryable = false;
+          called = true;
+          throw error;
+        }
+      }
+      return FakeAgent;
+    });
+
+    // WHEN
+    const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions,
+      ec2creds: false,
+      profile: 'assumable',
+      httpOptions: {
+        proxyAddress: 'http://DOESNTMATTER/',
+      }
+    });
+
+    await provider.defaultAccount();
+
+    // THEN -- the fake proxy agent got called, we don't care about the result
+    expect(called).toEqual(true);
+  });
 });
 
 describe('Plugins', () => {

packages/aws-cdk/test/util/mock-sdk.ts

@@ -12,7 +12,7 @@ export class MockSdkProvider extends SdkProvider {
   private readonly sdk: ISDK;
 
   constructor() {
-    super(new AWS.CredentialProviderChain([]), 'bermuda-triangle-1337', { userAgent: 'aws-cdk/jest' });
+    super(new AWS.CredentialProviderChain([]), 'bermuda-triangle-1337', { customUserAgent: 'aws-cdk/jest' });
 
     // SDK contains a real SDK, since some test use 'AWS-mock' to replace the underlying
     // AWS calls which a real SDK would do, and some tests use the 'stub' functionality below.