From f2b1048d25d945e72fd8ada750e577cd162388ae Mon Sep 17 00:00:00 2001 From: Paul Jackson Date: Fri, 12 Oct 2018 10:55:39 +0100 Subject: [PATCH] fix(aws-cdk): Allow use of assumed roles behind a proxy (#898) The call to STS to get assumed role credentials would be started inside the SDK with no way of passing arguments to it. We now set the proxy and user agent options globally so that they'll also be used for the STS call. --- packages/aws-cdk/lib/api/util/sdk.ts | 29 +++++++++++++--------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/packages/aws-cdk/lib/api/util/sdk.ts b/packages/aws-cdk/lib/api/util/sdk.ts index 03b6f448551a6..9b795e0ef1858 100644 --- a/packages/aws-cdk/lib/api/util/sdk.ts +++ b/packages/aws-cdk/lib/api/util/sdk.ts @@ -48,7 +48,6 @@ export interface SDKOptions { export class SDK { private readonly defaultAwsAccount: DefaultAWSAccount; private readonly credentialsCache: CredentialsCache; - private readonly defaultClientArgs: any = {}; private readonly profile?: string; constructor(options: SDKOptions) { @@ -58,7 +57,9 @@ export class SDK { // Find the package.json from the main toolkit const pkg = (require.main as any).require('../package.json'); - this.defaultClientArgs.userAgent = `${pkg.name}/${pkg.version}`; + AWS.config.update({ + customUserAgent: `${pkg.name}/${pkg.version}` + }); // https://aws.amazon.com/blogs/developer/using-the-aws-sdk-for-javascript-from-behind-a-proxy/ if (options.proxyAddress === undefined) { @@ -66,44 +67,40 @@ export class SDK { } if (options.proxyAddress) { // Ignore empty string on purpose debug('Using proxy server: %s', options.proxyAddress); - this.defaultClientArgs.httpOptions = { - agent: require('proxy-agent')(options.proxyAddress) - }; + AWS.config.update({ + httpOptions: { agent: require('proxy-agent')(options.proxyAddress) } + }); } - this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider, this.defaultClientArgs); + this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider); this.credentialsCache = new CredentialsCache(this.defaultAwsAccount, defaultCredentialProvider); } public async cloudFormation(environment: Environment, mode: Mode): Promise { return new AWS.CloudFormation({ region: environment.region, - credentials: await this.credentialsCache.get(environment.account, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(environment.account, mode) }); } public async ec2(awsAccountId: string | undefined, region: string | undefined, mode: Mode): Promise { return new AWS.EC2({ region, - credentials: await this.credentialsCache.get(awsAccountId, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(awsAccountId, mode) }); } public async ssm(awsAccountId: string | undefined, region: string | undefined, mode: Mode): Promise { return new AWS.SSM({ region, - credentials: await this.credentialsCache.get(awsAccountId, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(awsAccountId, mode) }); } public async s3(environment: Environment, mode: Mode): Promise { return new AWS.S3({ region: environment.region, - credentials: await this.credentialsCache.get(environment.account, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(environment.account, mode) }); } @@ -195,7 +192,7 @@ class DefaultAWSAccount { private defaultAccountId?: string = undefined; private readonly accountCache = new AccountAccessKeyCache(); - constructor(private readonly defaultCredentialsProvider: Promise, private readonly defaultClientArgs: any) { + constructor(private readonly defaultCredentialsProvider: Promise) { } /** @@ -223,7 +220,7 @@ class DefaultAWSAccount { const accountId = await this.accountCache.fetch(creds.accessKeyId, async () => { // if we don't have one, resolve from STS and store in cache. debug('Looking up default account ID from STS'); - const result = await new AWS.STS({ credentials: creds, ...this.defaultClientArgs }).getCallerIdentity().promise(); + const result = await new AWS.STS({ credentials: creds }).getCallerIdentity().promise(); const aid = result.Account; if (!aid) { debug('STS didn\'t return an account ID');