fix(aws-cdk): fix profile use in non-'aws' partitions (#1283)

Properly pass on the default region to the STS call we make to discover the default AWS credentials. Also, there is no way to make use of AssumeRole profiles without the AWS_SDK_LOAD_CONFIG flag being set, so reintroduce setting that flag if we discover the file to exist. Fixes #1262 and #1109.
aws · Dec 5, 2018 · 5478913 · 5478913
1 parent c298a7c
commit 5478913
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/packages/aws-cdk/lib/api/util/sdk.ts b/packages/aws-cdk/lib/api/util/sdk.ts
@@ -72,7 +72,7 @@ export class SDK {
       });
     }
 
-    this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider);
+    this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider, getCLICompatibleDefaultRegion(this.profile));
     this.credentialsCache = new CredentialsCache(this.defaultAwsAccount, defaultCredentialProvider);
   }
 
@@ -206,7 +206,9 @@ class DefaultAWSAccount {
   private defaultAccountId?: string = undefined;
   private readonly accountCache = new AccountAccessKeyCache();
 
-  constructor(private readonly defaultCredentialsProvider: Promise<AWS.CredentialProviderChain>) {
+  constructor(
+      private readonly defaultCredentialsProvider: Promise<AWS.CredentialProviderChain>,
+      private readonly region: Promise<string | undefined>) {
   }
 
   /**
@@ -222,6 +224,10 @@ class DefaultAWSAccount {
 
   private async lookupDefaultAccount(): Promise<string | undefined> {
     try {
+      // There just is *NO* way to do AssumeRole credentials as long as AWS_SDK_LOAD_CONFIG is not set. The SDK
+      // crash if the file does not exist though. So set the environment variable if we can find that file.
+      await setConfigVariable();
+
       debug('Resolving default credentials');
       const credentialProvider = await this.defaultCredentialsProvider;
       const creds = await credentialProvider.resolvePromise();
@@ -234,7 +240,7 @@ class DefaultAWSAccount {
       const accountId = await this.accountCache.fetch(creds.accessKeyId, async () => {
         // if we don't have one, resolve from STS and store in cache.
         debug('Looking up default account ID from STS');
-        const result = await new AWS.STS({ credentials: creds }).getCallerIdentity().promise();
+        const result = await new AWS.STS({ credentials: creds, region: await this.region }).getCallerIdentity().promise();
         const aid = result.Account;
         if (!aid) {
           debug('STS didn\'t return an account ID');
@@ -389,6 +395,15 @@ async function hasEc2Credentials() {
   return instance;
 }
 
+async function setConfigVariable() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE
+    || (process.env.HOMEPATH ? ((process.env.HOMEDRIVE || 'C:/') + process.env.HOMEPATH) : null) || os.homedir();
+
+  if (await fs.pathExists(path.resolve(homeDir, '.aws', 'config'))) {
+    process.env.AWS_SDK_LOAD_CONFIG = '1';
+  }
+}
+
 async function readIfPossible(filename: string): Promise<string | undefined> {
   try {
     if (!await fs.pathExists(filename)) { return undefined; }