From 38116b0ce7afda179c0067dfc5f19f24409f7fbe Mon Sep 17 00:00:00 2001 From: Rico Hermans Date: Tue, 17 Dec 2024 11:35:09 +0100 Subject: [PATCH] fix(cli): doesn't support plugins that return initially empty credentials (#32552) Plugins that return V2 credentials objects, return credentials that are self-refreshing. Those credentials can start out empty, which is perfectly valid. We shouldn't reject them if they are. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/api/aws-auth/credential-plugins.ts | 2 +- .../test/api/plugin/credential-plugin.test.ts | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts index c587e0fc20040..b2047bd3fbbfb 100644 --- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts +++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts @@ -165,7 +165,7 @@ function isV3Provider(x: PluginProviderResult): x is SDKv3CompatibleCredentialPr } function isV2Credentials(x: PluginProviderResult): x is SDKv2CompatibleCredentials { - return !!(x && typeof x === 'object' && x.accessKeyId && (x as SDKv2CompatibleCredentials).getPromise); + return !!(x && typeof x === 'object' && (x as SDKv2CompatibleCredentials).getPromise); } function isV3Credentials(x: PluginProviderResult): x is SDKv3CompatibleCredentials { diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts index f665dc179db9c..77fc97731e58d 100644 --- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts +++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts @@ -104,6 +104,26 @@ test('plugin can return V2 compatible credential-provider', async () => { expect(getPromise).toHaveBeenCalled(); }); +test('plugin can return V2 compatible credential-provider with initially empty keys', async () => { + // GIVEN + mockCredentialFunction(() => Promise.resolve({ + accessKeyId: '', + secretAccessKey: '', + expired: false, + getPromise() { + this.accessKeyId = 'keyid'; + return Promise.resolve({}); + }, + })); + + // WHEN + const creds = await fetchNow(); + + await expect(creds).toEqual(expect.objectContaining({ + accessKeyId: 'keyid', + })); +}); + test('plugin must not return something that is not a credential', async () => { // GIVEN mockCredentialFunction(() => Promise.resolve({