modifying test to ensure credential chain resolves in intended order

Author: smilkuri

packages/credential-providers/src/fromAwsCliV2CompatibleProviderChain.spec.ts

@@ -63,17 +63,40 @@ describe("fromAwsCliV2CompatibleProviderChain", () => {
       accessKeyId: "PROFILE_ACCESS_KEY",
       secretAccessKey: "PROFILE_SECRET_KEY",
     });
+    expect(mockFromIni).toHaveBeenCalled();
     expect(mockLogger.debug).toHaveBeenCalledWith(expect.stringContaining("Using fromIni with profile:test-profile"));
   });
 
-  it("should try credential chain when no static credentials or profile", async () => {
+  it("should merge caller client config with init options", async () => {
+    // Initial credentials
+    const credentials = {
+      accessKeyId: "TEST_ACCESS_KEY",
+      secretAccessKey: "TEST_SECRET_KEY",
+    };
+
+    const provider = fromAwsCliV2CompatibleProviderChain(credentials);
+    const callerConfig = {
+      profile: "caller-profile",
+      logger: mockLogger,
+      region: mockRegion,
+    };
+
+    const result = await provider({ callerClientConfig: callerConfig });
+
+    expect(result).toEqual(credentials);
+    expect(mockLogger.debug).toHaveBeenCalled();
+  });
+
+  it("should fall back to environment variables if no profile is provided", async () => {
     const mockEnvCredentials = {
       accessKeyId: "ENV_ACCESS_KEY",
       secretAccessKey: "ENV_SECRET_KEY",
     };
 
+    const mockFromEnv = vi.fn(() => vi.fn(async () => mockEnvCredentials));
+
     vi.mock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.resolve(mockEnvCredentials),
+      fromEnv: mockFromEnv,
     }));
 
     const provider = fromAwsCliV2CompatibleProviderChain({
@@ -83,11 +106,98 @@ describe("fromAwsCliV2CompatibleProviderChain", () => {
     const result = await provider();
 
     expect(result).toEqual(mockEnvCredentials);
+    expect(mockFromEnv).toHaveBeenCalled();
     expect(mockLogger.debug).toHaveBeenCalledWith(expect.stringContaining("Using from custom credential chain"));
   });
 
-  it("should throw error when no credentials are found", async () => {
-    // Mock all providers to fail
+  it("should fall back to web identity credentials when environment variables are unavailable", async () => {
+    vi.mock("@aws-sdk/credential-provider-env", () => ({
+      fromEnv: () => () => Promise.reject(new Error("No env credentials")),
+    }));
+
+    const mockTokenFileCredentials = {
+      accessKeyId: "TOKEN_ACCESS_KEY",
+      secretAccessKey: "TOKEN_SECRET_KEY",
+    };
+
+    const mockFromTokenFile = vi.fn(() => vi.fn(async () => mockTokenFileCredentials));
+
+    vi.mock("@aws-sdk/credential-provider-web-identity", () => ({
+      fromTokenFile: mockFromTokenFile,
+    }));
+
+    const provider = fromAwsCliV2CompatibleProviderChain({
+      logger: mockLogger,
+    });
+
+    const result = await provider();
+
+    expect(result).toEqual(mockTokenFileCredentials);
+    expect(mockFromTokenFile).toHaveBeenCalled();
+  });
+
+  it("should fall back to SSO credentials when web identity is unavailable", async () => {
+    vi.mock("@aws-sdk/credential-provider-env", () => ({
+      fromEnv: () => () => Promise.reject(new Error("No env credentials")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-web-identity", () => ({
+      fromTokenFile: () => () => Promise.reject(new Error("No token file")),
+    }));
+
+    const mockSSOCredentials = {
+      accessKeyId: "SSO_ACCESS_KEY",
+      secretAccessKey: "SSO_SECRET_KEY",
+    };
+
+    const mockFromSSO = vi.fn(() => vi.fn(async () => mockSSOCredentials));
+
+    vi.mock("@aws-sdk/credential-provider-sso", () => ({
+      fromSSO: mockFromSSO,
+    }));
+
+    const provider = fromAwsCliV2CompatibleProviderChain({
+      logger: mockLogger,
+    });
+
+    const result = await provider();
+
+    expect(result).toEqual(mockSSOCredentials);
+    expect(mockFromSSO).toHaveBeenCalled();
+  });
+
+  it("should fall back to process credentials when SSO is unavailable", async () => {
+    vi.mock("@aws-sdk/credential-provider-env", () => ({
+      fromEnv: () => () => Promise.reject(new Error("No env credentials")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-web-identity", () => ({
+      fromTokenFile: () => () => Promise.reject(new Error("No token file")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-sso", () => ({
+      fromSSO: () => () => Promise.reject(new Error("No SSO credentials")),
+    }));
+
+    const mockProcessCredentials = {
+      accessKeyId: "PROCESS_ACCESS_KEY",
+      secretAccessKey: "PROCESS_SECRET_KEY",
+    };
+
+    const mockFromProcess = vi.fn(() => vi.fn(async () => mockProcessCredentials));
+
+    vi.mock("@aws-sdk/credential-provider-process", () => ({
+      fromProcess: mockFromProcess,
+    }));
+
+    const provider = fromAwsCliV2CompatibleProviderChain({
+      logger: mockLogger,
+    });
+
+    const result = await provider();
+
+    expect(result).toEqual(mockProcessCredentials);
+    expect(mockFromProcess).toHaveBeenCalled();
+  });
+
+  it("should fall back to remote credentials when process credentials are unavailable", async () => {
     vi.mock("@aws-sdk/credential-provider-env", () => ({
       fromEnv: () => () => Promise.reject(new Error("No env credentials")),
     }));
@@ -100,35 +210,51 @@ describe("fromAwsCliV2CompatibleProviderChain", () => {
     vi.mock("@aws-sdk/credential-provider-process", () => ({
       fromProcess: () => () => Promise.reject(new Error("No process credentials")),
     }));
+
+    const mockRemoteCredentials = {
+      accessKeyId: "REMOTE_ACCESS_KEY",
+      secretAccessKey: "REMOTE_SECRET_KEY",
+    };
+
+    const mockRemoteProvider = vi.fn(() => vi.fn(async () => mockRemoteCredentials));
+
     vi.mock("@aws-sdk/credential-provider-node/src/remoteProvider", () => ({
-      remoteProvider: () => () => Promise.reject(new Error("No remote credentials")),
+      remoteProvider: mockRemoteProvider,
     }));
 
     const provider = fromAwsCliV2CompatibleProviderChain({
       logger: mockLogger,
     });
 
-    await expect(provider()).rejects.toThrow(CredentialsProviderError);
-    await expect(provider()).rejects.toThrow("Could not load credentials from any providers");
+    const result = await provider();
+
+    expect(result).toEqual(mockRemoteCredentials);
+    expect(mockRemoteProvider).toHaveBeenCalled();
   });
 
-  it("should merge caller client config with init options", async () => {
-    // Initial credentials
-    const credentials = {
-      accessKeyId: "TEST_ACCESS_KEY",
-      secretAccessKey: "TEST_SECRET_KEY",
-    };
+  it("should throw error when no credentials are found", async () => {
+    // Mock all providers to fail
+    vi.mock("@aws-sdk/credential-provider-env", () => ({
+      fromEnv: () => () => Promise.reject(new Error("No env credentials")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-web-identity", () => ({
+      fromTokenFile: () => () => Promise.reject(new Error("No token file")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-sso", () => ({
+      fromSSO: () => () => Promise.reject(new Error("No SSO credentials")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-process", () => ({
+      fromProcess: () => () => Promise.reject(new Error("No process credentials")),
+    }));
+    vi.mock("@aws-sdk/credential-provider-node/src/remoteProvider", () => ({
+      remoteProvider: () => () => Promise.reject(new Error("No remote credentials")),
+    }));
 
-    const provider = fromAwsCliV2CompatibleProviderChain(credentials);
-    const callerConfig = {
-      profile: "caller-profile",
+    const provider = fromAwsCliV2CompatibleProviderChain({
       logger: mockLogger,
-      region: mockRegion,
-    };
-
-    const result = await provider({ callerClientConfig: callerConfig });
+    });
 
-    expect(result).toEqual(credentials);
-    expect(mockLogger.debug).toHaveBeenCalled();
+    await expect(provider()).rejects.toThrow(CredentialsProviderError);
+    await expect(provider()).rejects.toThrow("Could not load credentials from any providers");
   });
 });

packages/credential-providers/src/resolveAwsCliV2Region.spec.ts

@@ -12,7 +12,7 @@ vi.mock("@smithy/shared-ini-file-loader", () => ({
 
 describe("AWS Region Resolution", () => {
   // Store original environment variables to restore them later
-  const originalEnv = process.env;
+  const originalEnv = { ...process.env };
 
   beforeEach(() => {
     // Reset environment variables before each test
@@ -23,7 +23,7 @@ describe("AWS Region Resolution", () => {
 
   afterEach(() => {
     // Restore environment variables after each test
-    process.env = originalEnv;
+    process.env = { ...originalEnv };
   });
 
   describe("resolveAwsCliV2Region", () => {