-
Notifications
You must be signed in to change notification settings - Fork 4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(cli): can not assume role from 2-level SSO (#23702)
The CLI used to support this: ``` [profile sso] ... [profile one] ... source_profile = sso ``` But not this: ``` [profile sso] ... [profile one] ... source_profile = sso [profile two] ... source_profile = one ``` The reason was that: * We have to do an explicit detection of SSO source profiles in our `PatchedSharedIniFileCredentials` because the upstream `SharedIniFileCredentials` has no SSO support at all; and * When we recursed we would recurse using the `SharedIniFileCredentials` class. In combination, this means that we could only recurse **one level**, because in `SharedIniFileCredentials` we wouldn't support SSO profiles at all. Fix this by recursing using `PatchedSharedIniFileCredentials`, so that we can support SSO source profiles an arbitrary amount of nesting levels deep. While investigating this, also fixed the following issues: - SSO profiles would be detected using the incorrect key: `sso_start_url` can be specified either on the profile section, or a new `[sso-session]` section. `sso_account_id` however always must be on the profile section, so check on that. - Dropped support for reading the STS AssumeRole `region` from the `[default]` section. After investigating by both the JS SDK team and myself, noticed that the AWS CLI does **not** support reading the region from there. While we are both in agreement this is a bug, all customers expect the CDK CLI to behave exactly the same as the AWS CLI, so we have to keep bug-for-bug compatibility. - Drop the `credentials/config` file loading patch. The upstream SDK has fixed this behavior in the mean time, so we can rely on the passed-in profile data again. Fixes #23520. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
Showing
1 changed file
with
42 additions
and
67 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters