From 6458439b08f9ce1f49c1137dd85bb582550a5f52 Mon Sep 17 00:00:00 2001
From: Rico Hermans <rix0rrr@gmail.com>
Date: Thu, 28 Nov 2024 11:03:12 +0100
Subject: [PATCH] fix(cli): mfa code is not requested when `$AWS_PROFILE` is
 used (#32313)

We only passed in the `mfaCode` function if we got a profile from `--profile`, not when configured using `$AWS_PROFILE`.

Reduce a miss in the duplicated code by moving the `clientConfig` to a single initialization point.

Fixes #32312.

Unfortunately this cannot be unit tested (I cannot mock the function that I need to mock), nor integ tested because it needs human input. I'm open to ideas.

In the mean time, tested manually.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/api/aws-auth/awscli-compatible.ts     | 23 +++++++++----------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
index 5ac65719b77ac..2b69d3031fc67 100644
--- a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -27,6 +27,12 @@ export class AwsCliCompatible {
   public static async credentialChainBuilder(
     options: CredentialChainOptions = {},
   ): Promise<AwsCredentialIdentityProvider> {
+    const clientConfig = {
+      requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
+      customUserAgent: 'aws-cdk',
+      logger: options.logger,
+    };
+
     /**
      * The previous implementation matched AWS CLI behavior:
      *
@@ -41,16 +47,12 @@ export class AwsCliCompatible {
         profile: options.profile,
         ignoreCache: true,
         mfaCodeProvider: tokenCodeFn,
-        clientConfig: {
-          requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
-          customUserAgent: 'aws-cdk',
-          logger: options.logger,
-        },
+        clientConfig,
         logger: options.logger,
       });
     }
 
-    const profile = options.profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+    const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
 
     /**
      * Env AWS - EnvironmentCredentials with string AWS
@@ -74,13 +76,10 @@ export class AwsCliCompatible {
      * fromInstanceMetadata()
      */
     const nodeProviderChain = fromNodeProviderChain({
-      profile: profile,
-      clientConfig: {
-        requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
-        customUserAgent: 'aws-cdk',
-        logger: options.logger,
-      },
+      profile: envProfile,
+      clientConfig,
       logger: options.logger,
+      mfaCodeProvider: tokenCodeFn,
       ignoreCache: true,
     });