fix(cli): --profile is ignored if AWS_ variables are set (#10362)

rix0rrr · web-flow · commit 957a12eeb464 · 2020-09-16T01:59:24.000Z
Change behavior to match the behavior of the AWS CLI. If `--profile` is
set, the given profile from the INI files will be used to the exclusion
of everything else.

If `--profile` is not set, the regular ambient credential process
is followed.

`AWS_PROFILE` is part of ambient credentials, and setting it does not
lead to triggering the new behavior. This is consistent with how the AWS
CLI behaves.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -34,7 +34,16 @@ export class AwsCliCompatible {
    */
   public static async credentialChain(options: CredentialChainOptions = {}) {
 
-    const profile = options.profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
+    // To match AWS CLI behavior, if a profile is explicitly given using --profile,
+    // we use that to the exclusion of everything else (note: this does not apply
+    // to AWS_PROFILE, environment credentials still take precedence over AWS_PROFILE)
+    if (options.profile) {
+      await forceSdkToReadConfigIfPresent();
+      const theProfile = options.profile;
+      return new AWS.CredentialProviderChain([() => profileCredentials(theProfile)]);
+    }
+
+    const implicitProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
 
     const sources = [
       () => new AWS.EnvironmentCredentials('AWS'),
@@ -45,12 +54,7 @@ export class AwsCliCompatible {
       // Force reading the `config` file if it exists by setting the appropriate
       // environment variable.
       await forceSdkToReadConfigIfPresent();
-      sources.push(() => new PatchedSharedIniFileCredentials({
-        profile,
-        filename: credentialsFileName(),
-        httpOptions: options.httpOptions,
-        tokenCodeFn,
-      }));
+      sources.push(() => profileCredentials(implicitProfile));
     }
 
     if (options.containerCreds ?? hasEcsCredentials()) {
@@ -63,6 +67,15 @@ export class AwsCliCompatible {
     }
 
     return new AWS.CredentialProviderChain(sources);
+
+    function profileCredentials(profileName: string) {
+      return new PatchedSharedIniFileCredentials({
+        profile: profileName,
+        filename: credentialsFileName(),
+        httpOptions: options.httpOptions,
+        tokenCodeFn,
+      });
+    }
   }
 
   /**
diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
@@ -152,6 +152,22 @@ describe('with default config files', () => {
       expect(sdkConfig(sdk).region).toEqual('eu-bla-5');
     });
 
+    test('passing profile does not use EnvironmentCredentials', async () => {
+      // GIVEN
+      const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions, profile: 'foo' });
+
+      const environmentCredentialsPrototype = (new AWS.EnvironmentCredentials('AWS')).constructor.prototype;
+
+      await withMocked(environmentCredentialsPrototype, 'refresh', async (refresh) => {
+        refresh.mockImplementation((callback: (err?: Error) => void) => callback(new Error('This function should not have been called')));
+
+        // WHEN
+        await provider.defaultAccount();
+
+        expect(refresh).not.toHaveBeenCalled();
+      });
+    });
+
     test('mixed profile credentials', async () => {
       // WHEN
       const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions, profile: 'foo' });
@@ -309,9 +325,6 @@ test('can assume role without a [default] profile', async () => {
   const provider = await SdkProvider.withAwsCliCompatibleDefaults({
     ...defaultCredOptions,
     profile: 'assumable',
-    httpOptions: {
-      proxyAddress: 'http://DOESNTMATTER/',
-    },
   });
 
   const account = await provider.defaultAccount();
@@ -326,8 +339,7 @@ test('can assume role with ecs credentials', async () => {
 
     // GIVEN
     bockfs({
-      '/home/me/.bxt/credentials': dedent(`
-    `),
+      '/home/me/.bxt/credentials': '',
       '/home/me/.bxt/config': dedent(`
       [profile ecs]
       role_arn=arn:aws:iam::12356789012:role/Assumable
@@ -343,9 +355,6 @@ test('can assume role with ecs credentials', async () => {
     const provider = await SdkProvider.withAwsCliCompatibleDefaults({
       ...defaultCredOptions,
       profile: 'ecs',
-      httpOptions: {
-        proxyAddress: 'http://DOESNTMATTER/',
-      },
     });
 
     await provider.defaultAccount();
@@ -364,8 +373,7 @@ test('can assume role with ec2 credentials', async () => {
 
     // GIVEN
     bockfs({
-      '/home/me/.bxt/credentials': dedent(`
-    `),
+      '/home/me/.bxt/credentials': '',
       '/home/me/.bxt/config': dedent(`
       [profile ecs]
       role_arn=arn:aws:iam::12356789012:role/Assumable
@@ -381,9 +389,6 @@ test('can assume role with ec2 credentials', async () => {
     const provider = await SdkProvider.withAwsCliCompatibleDefaults({
       ...defaultCredOptions,
       profile: 'ecs',
-      httpOptions: {
-        proxyAddress: 'http://DOESNTMATTER/',
-      },
     });
 
     await provider.defaultAccount();
@@ -402,8 +407,7 @@ test('can assume role with env credentials', async () => {
 
     // GIVEN
     bockfs({
-      '/home/me/.bxt/credentials': dedent(`
-    `),
+      '/home/me/.bxt/credentials': '',
       '/home/me/.bxt/config': dedent(`
       [profile ecs]
       role_arn=arn:aws:iam::12356789012:role/Assumable
@@ -419,9 +423,6 @@ test('can assume role with env credentials', async () => {
     const provider = await SdkProvider.withAwsCliCompatibleDefaults({
       ...defaultCredOptions,
       profile: 'ecs',
-      httpOptions: {
-        proxyAddress: 'http://DOESNTMATTER/',
-      },
     });
 
     await provider.defaultAccount();
@@ -437,6 +438,7 @@ test('can assume role with env credentials', async () => {
 test('assume fails with unsupported credential_source', async () => {
   // GIVEN
   bockfs({
+    '/home/me/.bxt/credentials': '',
     '/home/me/.bxt/config': dedent(`
       [profile assumable]
       role_arn=arn:aws:iam::12356789012:role/Assumable
@@ -463,9 +465,6 @@ test('assume fails with unsupported credential_source', async () => {
   const provider = await SdkProvider.withAwsCliCompatibleDefaults({
     ...defaultCredOptions,
     profile: 'assumable',
-    httpOptions: {
-      proxyAddress: 'http://DOESNTMATTER/',
-    },
   });
 
   const account = await provider.defaultAccount();
diff --git a/packages/aws-cdk/test/util.ts b/packages/aws-cdk/test/util.ts
@@ -166,20 +166,18 @@ export function withMocked<A extends object, K extends keyof A, B>(obj: A, key:
   const mockFn = jest.fn();
   (obj as any)[key] = mockFn;
 
-  let ret;
+  let asyncFinally: boolean = false;
   try {
-    ret = block(mockFn as any);
-  } catch (e) {
-    obj[key] = original;
-    throw e;
-  }
+    const ret = block(mockFn as any);
+    if (!isPromise(ret)) { return ret; }
 
-  if (!isPromise(ret)) {
-    obj[key] = original;
-    return ret;
+    asyncFinally = true;
+    return ret.finally(() => { obj[key] = original; }) as any;
+  } finally {
+    if (!asyncFinally) {
+      obj[key] = original;
+    }
   }
-
-  return ret.finally(() => { obj[key] = original; }) as any;
 }
 
 function isPromise<A>(object: any): object is Promise<A> {
