fix(cli): failure to get credentials when session token is not set (#32134)

otaviomacedo · web-flow · commit 9ef4e72663d3 · 2024-11-14T15:44:12.000Z
In Node.js, if you assign `undefined` to an environment variable, that variable ends up having the string `"undefined"`. If we are using IAM user credentials, `AWS_SESSION_TOKEN` should not be set, but because we were not handling this edge case, it was getting assigned an invalid value: ``` Welcome to Node.js v22.9.0. Type ".help" for more information. > process.env.AWS_SESSION_TOKEN || process.env.AMAZON_SESSION_TOKEN undefined > process.env.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN || process.env.AMAZON_SESSION_TOKEN undefined > process.env.AWS_SESSION_TOKEN 'undefined' ``` Closes #32120. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -182,11 +182,16 @@ function caBundlePathFromEnvironment(): string | undefined {
 function shouldPrioritizeEnv() {
   const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
   const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
-  process.env.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN || process.env.AMAZON_SESSION_TOKEN;
 
   if (!!id && !!key) {
     process.env.AWS_ACCESS_KEY_ID = id;
     process.env.AWS_SECRET_ACCESS_KEY = key;
+
+    const sessionToken = process.env.AWS_SESSION_TOKEN ?? process.env.AMAZON_SESSION_TOKEN;
+    if (sessionToken) {
+      process.env.AWS_SESSION_TOKEN = sessionToken;
+    }
+
     return true;
   }
 
diff --git a/packages/aws-cdk/test/api/aws-auth/awscli-compatible.test.ts b/packages/aws-cdk/test/api/aws-auth/awscli-compatible.test.ts
@@ -0,0 +1,45 @@
+import { AwsCliCompatible } from '../../../lib/api/aws-auth/awscli-compatible';
+
+describe('Session token', () => {
+  beforeEach(() => {
+    process.env.AWS_ACCESS_KEY_ID = 'foo';
+    process.env.AWS_SECRET_ACCESS_KEY = 'bar';
+  });
+
+  test('does not mess up with session token env variables if they are undefined', async () => {
+    // Making sure these variables are not defined
+    delete process.env.AWS_SESSION_TOKEN;
+    delete process.env.AMAZON_SESSION_TOKEN;
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toBeUndefined();
+  });
+
+  test('preserves AWS_SESSION_TOKEN if it is defined', async () => {
+    process.env.AWS_SESSION_TOKEN = 'aaa';
+    delete process.env.AMAZON_SESSION_TOKEN;
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+
+  test('assigns AWS_SESSION_TOKEN if it is not defined but AMAZON_SESSION_TOKEN is', async () => {
+    delete process.env.AWS_SESSION_TOKEN;
+    process.env.AMAZON_SESSION_TOKEN = 'aaa';
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+
+  test('preserves AWS_SESSION_TOKEN if both are defined', async () => {
+    process.env.AWS_SESSION_TOKEN = 'aaa';
+    process.env.AMAZON_SESSION_TOKEN = 'bbb';
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+});
