From 06fec305a9c636ccec2e7cf06a70ec21fa897dbe Mon Sep 17 00:00:00 2001 From: Paul Jackson Date: Thu, 11 Oct 2018 10:25:54 +0100 Subject: [PATCH 1/2] Allow use of assumed roles behind a proxy. The call to STS for the credentials of the assumed role does not route through the proxy unless the proxy is configured globally for the AWS SDK. --- packages/aws-cdk/lib/api/util/sdk.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/aws-cdk/lib/api/util/sdk.ts b/packages/aws-cdk/lib/api/util/sdk.ts index 03b6f448551a6..fc587d05a28a8 100644 --- a/packages/aws-cdk/lib/api/util/sdk.ts +++ b/packages/aws-cdk/lib/api/util/sdk.ts @@ -66,9 +66,9 @@ export class SDK { } if (options.proxyAddress) { // Ignore empty string on purpose debug('Using proxy server: %s', options.proxyAddress); - this.defaultClientArgs.httpOptions = { - agent: require('proxy-agent')(options.proxyAddress) - }; + AWS.config.update({ + httpOptions: { agent: require('proxy-agent')(options.proxyAddress) } + }); } this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider, this.defaultClientArgs); From c7dee9abd17fc01c24cb45a80a0d464d41bc41cf Mon Sep 17 00:00:00 2001 From: Paul Jackson Date: Thu, 11 Oct 2018 15:43:42 +0100 Subject: [PATCH 2/2] Get rid of defaultClientArgs completely Everything now done via global config. --- packages/aws-cdk/lib/api/util/sdk.ts | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/packages/aws-cdk/lib/api/util/sdk.ts b/packages/aws-cdk/lib/api/util/sdk.ts index fc587d05a28a8..9b795e0ef1858 100644 --- a/packages/aws-cdk/lib/api/util/sdk.ts +++ b/packages/aws-cdk/lib/api/util/sdk.ts @@ -48,7 +48,6 @@ export interface SDKOptions { export class SDK { private readonly defaultAwsAccount: DefaultAWSAccount; private readonly credentialsCache: CredentialsCache; - private readonly defaultClientArgs: any = {}; private readonly profile?: string; constructor(options: SDKOptions) { 
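Review bot: In the `@@ -66,9 +66,9 @@` hunk of PATCH 1/2, `AWS.config.update({ httpOptions: ... })` moves the proxy agent from this instance's client arguments into process-wide SDK state, and it only runs inside `if (options.proxyAddress)`, so a later `SDK` constructed without a proxy keeps the agent installed by an earlier one, as does any other AWS client created in the same process. The same applies to the `customUserAgent` update in the `@@ -58,7 +57,9 @@` hunk of PATCH 2/2. Because every signed request, including the STS call for assumed roles named in the commit message, now follows this global setting, I would state that at the call: `// Process-wide on purpose: the STS AssumeRole request must use the proxy too; affects every AWS client created afterwards`. Separately, the unchanged `debug('Using proxy server: %s', options.proxyAddress)` line prints the address verbatim, which would expose credentials if the proxy URL carries a `user:password@` part; consider logging only host and port. The constructor begins and ends outside this hunk.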
@@ -58,7 +57,9 @@ export class SDK { // Find the package.json from the main toolkit const pkg = (require.main as any).require('../package.json'); - this.defaultClientArgs.userAgent = `${pkg.name}/${pkg.version}`; + AWS.config.update({ + customUserAgent: `${pkg.name}/${pkg.version}` + }); // https://aws.amazon.com/blogs/developer/using-the-aws-sdk-for-javascript-from-behind-a-proxy/ if (options.proxyAddress === undefined) { @@ -71,39 +72,35 @@ export class SDK { }); } - this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider, this.defaultClientArgs); + this.defaultAwsAccount = new DefaultAWSAccount(defaultCredentialProvider); this.credentialsCache = new CredentialsCache(this.defaultAwsAccount, defaultCredentialProvider); } public async cloudFormation(environment: Environment, mode: Mode): Promise { return new AWS.CloudFormation({ region: environment.region, - credentials: await this.credentialsCache.get(environment.account, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(environment.account, mode) }); } public async ec2(awsAccountId: string | undefined, region: string | undefined, mode: Mode): Promise { return new AWS.EC2({ region, - credentials: await this.credentialsCache.get(awsAccountId, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(awsAccountId, mode) }); } public async ssm(awsAccountId: string | undefined, region: string | undefined, mode: Mode): Promise { return new AWS.SSM({ region, - credentials: await this.credentialsCache.get(awsAccountId, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(awsAccountId, mode) }); } public async s3(environment: Environment, mode: Mode): Promise { return new AWS.S3({ region: environment.region, - credentials: await this.credentialsCache.get(environment.account, mode), - ...this.defaultClientArgs + credentials: await this.credentialsCache.get(environment.account, mode) }); } 
@@ -195,7 +192,7 @@ class DefaultAWSAccount { private defaultAccountId?: string = undefined; private readonly accountCache = new AccountAccessKeyCache(); - constructor(private readonly defaultCredentialsProvider: Promise, private readonly defaultClientArgs: any) { + constructor(private readonly defaultCredentialsProvider: Promise) { } /** @@ -223,7 +220,7 @@ class DefaultAWSAccount { const accountId = await this.accountCache.fetch(creds.accessKeyId, async () => { // if we don't have one, resolve from STS and store in cache. debug('Looking up default account ID from STS'); - const result = await new AWS.STS({ credentials: creds, ...this.defaultClientArgs }).getCallerIdentity().promise(); + const result = await new AWS.STS({ credentials: creds }).getCallerIdentity().promise(); const aid = result.Account; if (!aid) { debug('STS didn\'t return an account ID');
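Review bot: In the `@@ -223,7 +220,7 @@` hunk, `new AWS.STS({ credentials: creds })` no longer shows that the request is expected to go through the proxy; that now depends on `AWS.config` having been updated in the `SDK` constructor before this lookup runs. A short comment at the call would keep that dependency visible to anyone auditing where signed requests are sent: `// proxy agent and user agent are inherited from the global AWS.config set in the SDK constructor`. The same holds for the four client factories in the `@@ -71,39 +72,35 @@` hunk. The enclosing method starts and ends outside this hunk.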