
Commit 1a8f5ad

authored
fix(cli): credential plugin exceptions stop the entire CLI (#26244)
Credential provider plugins may sometimes misbehave. Catch any exceptions they may throw and continue. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent c755f50 commit 1a8f5ad


1 file changed

+21
-3
lines changed


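--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -1,5 +1,6 @@
 import { debug } from './_env';
 import { Mode } from './credentials';
+import { warning } from '../../logging';
 import { CredentialProviderSource, PluginHost } from '../plugin';
 
 /**
@@ -33,12 +34,29 @@ export class CredentialPlugins {
 const triedSources: CredentialProviderSource[] = [];
 // Otherwise, inspect the various credential sources we have
 for (const source of PluginHost.instance.credentialProviderSources) {
-if (!(await source.isAvailable())) {
+let available: boolean;
+try {
+available = await source.isAvailable();
+} catch (e: any) {
+// This shouldn't happen, but let's guard against it anyway
+warning(`Uncaught exception in ${source.name}: ${e.message}`);
+available = false;
+}
+
+if (!available) {
 debug('Credentials source %s is not available, ignoring it.', source.name);
 continue;
 }
 triedSources.push(source);
-if (!(await source.canProvideCredentials(awsAccountId))) { continue; }
+let canProvide: boolean;
+try {
+canProvide = await source.canProvideCredentials(awsAccountId);
+} catch (e: any) {
+// This shouldn't happen, but let's guard against it anyway
+warning(`Uncaught exception in ${source.name}: ${e.message}`);
+canProvide = false;
+}
+if (!canProvide) { continue; }
 debug(`Using ${source.name} credentials for account ${awsAccountId}`);
 const providerOrCreds = await source.getProvider(awsAccountId, mode);
 
@@ -55,4 +73,4 @@ export class CredentialPlugins {
 export interface PluginCredentials {
 readonly credentials: AWS.Credentials;
 readonly pluginName: string;
-}
+}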
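Review bot: In the second hunk both new `catch (e: any)` handlers read `e.message` unconditionally, so a plugin that rejects with `undefined` or `null` raises a TypeError inside the handler and still aborts the CLI, and a thrown string is logged as `undefined`. Catching as `catch (e: unknown)` and logging `e instanceof Error ? e.message : String(e)` keeps the guard working for any thrown value. The context line `const providerOrCreds = await source.getProvider(awsAccountId, mode);` is still awaited outside any try/catch, so an exception from that plugin call would presumably still propagate; the rest of the loop body and the enclosing method lie outside the hunk, so a caller may handle it. Because a throwing source is now treated as unavailable and the loop moves on to the next source, the warning is the only sign that credentials may end up coming from a different plugin than the operator expected, which is worth stating in the comment above each `try`.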
