fix(credential-providers): use modified region resolver for inner STS clients (#7456)

Author: kuhe

clients/client-sts/src/defaultStsRoleAssumers.ts

@@ -2,6 +2,7 @@
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -28,8 +29,6 @@ export type RoleAssumer = (
   params: AssumeRoleCommandInput
 ) => Promise<AwsCredentialIdentity>;
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
 interface AssumedRoleUser {
   /**
    * The ARN of the temporary security credentials that are returned from the AssumeRole action.
@@ -63,19 +62,21 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 const resolveRegion = async (
   _region: string | Provider<string> | undefined,
   _parentRegion: string | Provider<string> | undefined,
-  credentialProviderLogger?: Logger
+  credentialProviderLogger?: Logger,
+  loaderConfig: Parameters<typeof stsRegionDefaultResolver>[0] = {}
 ): Promise<string> => {
   const region: string | undefined = typeof _region === "function" ? await _region() : _region;
   const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+  const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
 
   credentialProviderLogger?.debug?.(
     "@aws-sdk/client-sts::resolveRegion",
     "accepting first of:",
-    `${region} (provider)`,
-    `${parentRegion} (parent client)`,
-    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
+    `${region} (credential provider clientConfig)`,
+    `${parentRegion} (contextual client)`,
+    `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`
   );
-  return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+  return region ?? parentRegion ?? stsDefaultRegion;
 };
 
 /**
@@ -101,7 +102,11 @@ export const getDefaultRoleAssumer = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 
@@ -164,7 +169,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 

clients/client-sts/test/defaultRoleAssumers.spec.ts

@@ -139,7 +139,7 @@ describe("getDefaultRoleAssumer", () => {
       requestHandler: handler,
       parentClientConfig: {
         region: "some-other-region",
-        logger: null,
+        logger: null as any,
         requestHandler: null,
       },
     });

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultRoleAssumers.spec.ts

@@ -137,7 +137,7 @@ describe("getDefaultRoleAssumer", () => {
       requestHandler: handler,
       parentClientConfig: {
         region: "some-other-region",
-        logger: null,
+        logger: null as any,
         requestHandler: null,
       },
     });

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -1,4 +1,5 @@
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -25,8 +26,6 @@ export type RoleAssumer = (
   params: AssumeRoleCommandInput
 ) => Promise<AwsCredentialIdentity>;
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
 interface AssumedRoleUser {
   /**
    * The ARN of the temporary security credentials that are returned from the AssumeRole action.
@@ -60,19 +59,21 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 const resolveRegion = async (
   _region: string | Provider<string> | undefined,
   _parentRegion: string | Provider<string> | undefined,
-  credentialProviderLogger?: Logger
+  credentialProviderLogger?: Logger,
+  loaderConfig: Parameters<typeof stsRegionDefaultResolver>[0] = {}
 ): Promise<string> => {
   const region: string | undefined = typeof _region === "function" ? await _region() : _region;
   const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+  const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
 
   credentialProviderLogger?.debug?.(
     "@aws-sdk/client-sts::resolveRegion",
     "accepting first of:",
-    `${region} (provider)`,
-    `${parentRegion} (parent client)`,
-    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
+    `${region} (credential provider clientConfig)`,
+    `${parentRegion} (contextual client)`,
+    `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`
   );
-  return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+  return region ?? parentRegion ?? stsDefaultRegion;
 };
 
 /**
@@ -98,7 +99,11 @@ export const getDefaultRoleAssumer = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 
@@ -161,7 +166,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 

packages/credential-provider-ini/src/fromIni.integ.spec.ts

@@ -1,43 +1,33 @@
 import { STS } from "@aws-sdk/client-sts";
 import { HttpRequest, HttpResponse } from "@smithy/protocol-http";
-import { SourceProfileInit } from "@smithy/shared-ini-file-loader";
+import { externalDataInterceptor } from "@smithy/shared-ini-file-loader";
 import type { NodeHttpHandlerOptions, ParsedIniData } from "@smithy/types";
+import { homedir } from "node:os";
+import { join } from "node:path";
 import { PassThrough } from "node:stream";
-import { afterEach, beforeEach, describe, expect, test as it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, test as it } from "vitest";
 
 import { fromIni } from "./fromIni";
 
 let iniProfileData: ParsedIniData = null as any;
-vi.mock("@smithy/shared-ini-file-loader", async () => {
-  const actual: any = await vi.importActual("@smithy/shared-ini-file-loader");
-  const pkg = {
-    ...actual,
-    async loadSsoSessionData() {
-      return Object.entries(iniProfileData)
-        .filter(([key]) => key.startsWith("sso-session."))
-        .reduce(
-          (acc, [key, value]) => ({
-            ...acc,
-            [key.split("sso-session.")[1]]: value,
-          }),
-          {}
-        );
-    },
-    async parseKnownFiles(init: SourceProfileInit): Promise<ParsedIniData> {
-      return iniProfileData;
-    },
-    async getSSOTokenFromFile() {
-      return {
-        accessToken: "mock_sso_token",
-        expiresAt: "3000-01-01T00:00:00.000Z",
-      };
-    },
-  };
-  return {
-    ...pkg,
-    default: pkg,
-  };
-});
+
+function setIniProfileData(data: ParsedIniData) {
+  iniProfileData = data;
+  let buffer = "";
+  for (const profile in data) {
+    if (profile.startsWith("sso-session.")) {
+      buffer += `[sso-session ${profile.split("sso-session.")[1]}]\n`;
+    } else {
+      buffer += `[profile ${profile}]\n`;
+    }
+    for (const [k, v] of Object.entries(data[profile])) {
+      buffer += `${k} = ${v}\n`;
+    }
+    buffer += "\n";
+  }
+  const dir = join(homedir(), ".aws");
+  externalDataInterceptor.interceptFile(join(dir, "config"), buffer);
+}
 
 class MockNodeHttpHandler {
   static create(instanceOrOptions?: any) {
@@ -46,6 +36,7 @@ class MockNodeHttpHandler {
     }
     return new MockNodeHttpHandler();
   }
+
   async handle(request: HttpRequest) {
     const body = new PassThrough({});
 
@@ -125,7 +116,9 @@ class MockNodeHttpHandler {
       }),
     };
   }
+
   updateHttpClientConfig(key: keyof NodeHttpHandlerOptions, value: NodeHttpHandlerOptions[typeof key]): void {}
+
   httpHandlerConfigs(): NodeHttpHandlerOptions {
     return null as any;
   }
@@ -136,22 +129,20 @@ describe("fromIni region search order", () => {
     process.env.AWS_PROFILE = "default";
     iniProfileData = {
       default: {
-        region: "us-west-2",
         output: "json",
+        region: "us-stsar-1",
+        role_arn: "ROLE_ARN",
+        role_session_name: "ROLE_SESSION_NAME",
+        external_id: "EXTERNAL_ID",
+        source_profile: "assume",
+      },
+      assume: {
+        region: "us-stsar-1",
+        aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+        aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
       },
     };
-    iniProfileData.assume = {
-      region: "us-stsar-1",
-      aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
-      aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
-    };
-    Object.assign(iniProfileData.default, {
-      region: "us-stsar-1",
-      role_arn: "ROLE_ARN",
-      role_session_name: "ROLE_SESSION_NAME",
-      external_id: "EXTERNAL_ID",
-      source_profile: "assume",
-    });
+    setIniProfileData(iniProfileData);
   });
 
   afterEach(() => {
@@ -201,6 +192,7 @@ describe("fromIni region search order", () => {
 
   it("should use 3rd priority for the caller client", async () => {
     delete iniProfileData.default.region;
+    setIniProfileData(iniProfileData);
 
     const sts = new STS({
       requestHandler: new MockNodeHttpHandler(),
@@ -221,8 +213,78 @@ describe("fromIni region search order", () => {
     });
   });
 
-  it("should use 4th priority for the default partition's default region", async () => {
-    delete iniProfileData.default.region;
+  it("should use 4th priority for the config file region", async () => {
+    const credentialsData = await fromIni({
+      clientConfig: {
+        requestHandler: new MockNodeHttpHandler(),
+      },
+    })();
+
+    const sts = new STS({
+      requestHandler: new MockNodeHttpHandler(),
+      credentials: credentialsData,
+    });
+
+    await sts.getCallerIdentity({});
+    const credentials = await sts.config.credentials();
+    expect(credentials).toMatchObject({
+      accessKeyId: "STS_AR_ACCESS_KEY_ID",
+      secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+      sessionToken: "STS_AR_SESSION_TOKEN_us-stsar-1",
+    });
+  });
+
+  it("should use 5th priority for the AWS_REGION value", async () => {
+    process.env.AWS_REGION = "ap-northeast-1";
+    iniProfileData = {
+      default: {
+        role_arn: "ROLE_ARN",
+        role_session_name: "ROLE_SESSION_NAME",
+        external_id: "EXTERNAL_ID",
+        source_profile: "assume",
+      },
+      assume: {
+        aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+        aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+      },
+    };
+    setIniProfileData(iniProfileData);
+
+    const credentialsData = await fromIni({
+      clientConfig: {
+        requestHandler: new MockNodeHttpHandler(),
+      },
+    })();
+
+    const sts = new STS({
+      requestHandler: new MockNodeHttpHandler(),
+      credentials: credentialsData,
+    });
+
+    await sts.getCallerIdentity({});
+    const credentials = await sts.config.credentials();
+    expect(credentials).toMatchObject({
+      accessKeyId: "STS_AR_ACCESS_KEY_ID",
+      secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+      sessionToken: "STS_AR_SESSION_TOKEN_ap-northeast-1",
+    });
+  });
+
+  it("should use 6th priority for the default partition's default region", async () => {
+    delete process.env.AWS_REGION;
+    iniProfileData = {
+      default: {
+        role_arn: "ROLE_ARN",
+        role_session_name: "ROLE_SESSION_NAME",
+        external_id: "EXTERNAL_ID",
+        source_profile: "assume",
+      },
+      assume: {
+        aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+        aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+      },
+    };
+    setIniProfileData(iniProfileData);
 
     const credentialsData = await fromIni({
       clientConfig: {

packages/credential-provider-ini/src/resolveSsoCredentials.spec.ts

@@ -64,7 +64,7 @@ describe(resolveSsoCredentials.name, () => {
       secretAccessKey: "mockSecretAccessKey",
     };
     const requestHandler = vi.fn();
-    const logger = vi.fn();
+    const logger: any = vi.fn();
 
     vi.mocked(fromSSO).mockReturnValue(() => Promise.resolve(mockCreds));
 

packages/credential-provider-node/package.json

@@ -15,7 +15,7 @@
     "build:types": "tsc -p tsconfig.types.json",
     "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
     "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
-    "test": "yarn g:vitest run",
+    "test": "yarn g:vitest run --reporter verbose",
     "test:watch": "yarn g:vitest watch",
     "test:integration": "yarn g:vitest run -c vitest.config.integ.mts",
     "test:integration:watch": "yarn g:vitest watch -c vitest.config.integ.mts"

packages/credential-provider-node/src/defaultProvider.spec.ts

@@ -26,7 +26,9 @@ describe(defaultProvider.name, () => {
   };
 
   const credentials = () => {
-    throw new CredentialsProviderError("test", true);
+    throw new CredentialsProviderError("test", {
+      tryNextLink: true,
+    });
   };
 
   const finalCredentials = () => {