deps(auth): remove dependence on deprecated and outdated @aws-sdk/* packages. (#6474)

Hweinstock · web-flow · commit 6f6a8c2fea20 · 2025-02-13T15:33:09.000-05:00
## Problem The auth code relies on old versions of `@aws-sdk/*` that have since been deprecated or are no longer backward compatible, making versions bumps impossible. - `@aws-sdk/credential-provider-imds` has since been [deprecated](https://www.npmjs.com/package/@aws-sdk/credential-provider-imds) - `fromIni` from `@aws-sdk/credential-provider-ini` no longer supports passing a `loadedConfig`. - `AssumeRoleParams` is no longer exported by `@aws-sdk/credential-provider-ini`. We need to be able to bump these `@aws-sdk/*` package versions to continue to consume newer generated clients. Being pinned to older versions is also a security risk. See #6439 for more information. ## Solution - write custom credentials provider to replace `fromIni` with `loadedConfig` option. - drop dependency on `@aws-sdk/credential-provider-ini` since its no longer used. - add direct dependency on `@aws-sdk/credential-provider-env` since this was installed as part of `@aws-sdk-credential-provider-ini` before. - Fix many (not all) of the deprecation warnings in auth code related to credentials provider. ### Custom Credentials Provider Before, we used `fromIni` with the `loadedConfig` option which allows us to avoid reading the config file from disk on each credentials fetch and allows us to merge the current credentials with those found in the `.ini` file. To achieve the same behavior without the `loadedConfig` option, we need to write our own credentials provider that supports MFA and role assumption, and returns the desired merged credentials, rather than reading from disk. ### Testing - Manually verify this role assumption works by following the steps [here](https://docs.aws.amazon.com/sdkref/latest/guide/access-assume-role.html). - Manually verify MFA works via adapting [this](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-role.html#:~:text=This%20policy%20allows%20the%20user,they%20authenticate%20by%20using%20MFA.&text=Next%2C%20add%20a%20line%20to,by%20the%20role's%20trust%20policy.&text=The%20mfa_serial%20setting%20can%20take,command%20with%20this%20profile%20fails.&text=The%20second%20profile%20entry%2C%20role,%22:%20%5B%20%7B%20...). (Used DuoMobile) - Add unit tests with API calls stubbed. ## Future Work - There are two tests that can now be re-enabled because of this version bump, undoing db27ebb - The steps to test role assumption could become an integ/e2e test. Right now requires setting many resources up in console, but perhaps this can all be done by the SDKs with an account on admin access. --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/docs/faq-credentials.md b/docs/faq-credentials.md
@@ -13,3 +13,7 @@ Issue [aws-toolkit-vscode#3667](https://github.com/aws/aws-toolkit-vscode/issues
 2. Attempt to sign in again with AWS Builder ID
 3. If sign is is successful you can remove the old folder: `rm -rf ~/.aws/sso-OLD`
     1. Or revert the change: `mv ~/.aws/sso-OLD ~/.aws/sso`
+
+### AWS Shared Credentials File
+
+When authenticating with IAM credentials, the profile name, access key, and secret key will be stored on disk at a default location of `~/.aws/credentials` on Linux and MacOS, and `%USERPROFILE%\.aws\credentials` on Windows machines. The toolkit also supports editting this file manually, with the format specified [here](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html#file-format-creds). The credentials files also supports [role assumption](https://docs.aws.amazon.com/sdkref/latest/guide/access-assume-role.html) and [MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). Note that this credentials file is shared between all local AWS development tools. For more information, see the full documentation [here](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html).
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -504,7 +504,7 @@
         "@aws-sdk/client-lambda": "^3.637.0",
         "@aws-sdk/client-sso": "^3.342.0",
         "@aws-sdk/client-sso-oidc": "^3.574.0",
-        "@aws-sdk/credential-provider-ini": "3.46.0",
+        "@aws-sdk/credential-provider-env": "3.696.0",
         "@aws-sdk/credential-provider-process": "3.37.0",
         "@aws-sdk/credential-provider-sso": "^3.345.0",
         "@aws-sdk/property-provider": "3.46.0",
diff --git a/packages/core/src/auth/providers/ec2CredentialsProvider.ts b/packages/core/src/auth/providers/ec2CredentialsProvider.ts
@@ -4,7 +4,7 @@
  */
 
 import { Credentials } from '@aws-sdk/types'
-import { fromInstanceMetadata } from '@aws-sdk/credential-provider-imds'
+import { fromInstanceMetadata } from '@smithy/credential-provider-imds'
 import { DefaultEc2MetadataClient } from '../../shared/clients/ec2MetadataClient'
 import { Ec2MetadataClient } from '../../shared/clients/ec2MetadataClient'
 import { getLogger } from '../../shared/logger/logger'
diff --git a/packages/core/src/auth/providers/ecsCredentialsProvider.ts b/packages/core/src/auth/providers/ecsCredentialsProvider.ts
@@ -4,7 +4,7 @@
  */
 
 import { Credentials, CredentialProvider } from '@aws-sdk/types'
-import { fromContainerMetadata } from '@aws-sdk/credential-provider-imds'
+import { fromContainerMetadata } from '@smithy/credential-provider-imds'
 import { EnvironmentVariables } from '../../shared/environmentVariables'
 import { CredentialType } from '../../shared/telemetry/telemetry.gen'
 import { getStringHash } from '../../shared/utilities/textUtilities'
diff --git a/packages/core/src/auth/providers/sharedCredentialsProvider.ts b/packages/core/src/auth/providers/sharedCredentialsProvider.ts
@@ -4,11 +4,10 @@
  */
 
 import * as AWS from '@aws-sdk/types'
-import { AssumeRoleParams, fromIni } from '@aws-sdk/credential-provider-ini'
 import { fromProcess } from '@aws-sdk/credential-provider-process'
-import { ParsedIniData, SharedConfigFiles } from '@smithy/shared-ini-file-loader'
+import { ParsedIniData } from '@smithy/types'
 import { chain } from '@aws-sdk/property-provider'
-import { fromInstanceMetadata, fromContainerMetadata } from '@aws-sdk/credential-provider-imds'
+import { fromInstanceMetadata, fromContainerMetadata } from '@smithy/credential-provider-imds'
 import { fromEnv } from '@aws-sdk/credential-provider-env'
 import { getLogger } from '../../shared/logger/logger'
 import { getStringHash } from '../../shared/utilities/textUtilities'
@@ -29,9 +28,10 @@ import {
     Profile,
     Section,
 } from '../credentials/sharedCredentials'
-import { SectionName, SharedCredentialsKeys } from '../credentials/types'
+import { CredentialsData, SectionName, SharedCredentialsKeys } from '../credentials/types'
 import { SsoProfile, hasScopes, scopesSsoAccountAccess } from '../connection'
 import { builderIdStartUrl } from '../sso/constants'
+import { ToolkitError } from '../../shared/errors'
 
 const credentialSources = {
     ECS_CONTAINER: 'EcsContainer',
@@ -378,18 +378,6 @@ export class SharedCredentialsProvider implements CredentialsProvider {
     }
 
     private makeSharedIniFileCredentialsProvider(loadedCreds?: ParsedIniData): AWS.CredentialProvider {
-        const assumeRole = async (credentials: AWS.Credentials, params: AssumeRoleParams) => {
-            const region = this.getDefaultRegion() ?? 'us-east-1'
-            const stsClient = new DefaultStsClient(region, credentials)
-            const response = await stsClient.assumeRole(params)
-            return {
-                accessKeyId: response.Credentials!.AccessKeyId!,
-                secretAccessKey: response.Credentials!.SecretAccessKey!,
-                sessionToken: response.Credentials?.SessionToken,
-                expiration: response.Credentials?.Expiration,
-            }
-        }
-
         // Our credentials logic merges profiles from the credentials and config files but SDK v3 does not
         // This can cause odd behavior where the Toolkit can switch to a profile but not authenticate with it
         // So the workaround is to do give the SDK the merged profiles directly
@@ -399,15 +387,50 @@ export class SharedCredentialsProvider implements CredentialsProvider {
             (k) => this.getProfile(k)
         )
 
-        return fromIni({
-            profile: this.profileName,
-            mfaCodeProvider: async (mfaSerial) => await getMfaTokenFromUser(mfaSerial, this.profileName),
-            roleAssumer: assumeRole,
-            loadedConfig: Promise.resolve({
-                credentialsFile: loadedCreds ?? profiles,
-                configFile: {},
-            } as SharedConfigFiles),
-        })
+        return async () => {
+            const iniData = loadedCreds ?? profiles
+            const profile: CredentialsData = iniData[this.profileName]
+            if (!profile) {
+                throw new ToolkitError(`auth: Profile ${this.profileName} not found`)
+            }
+            // No role to assume, return static credentials.
+            if (!profile.role_arn) {
+                return {
+                    accessKeyId: profile.aws_access_key_id!,
+                    secretAccessKey: profile.aws_secret_access_key!,
+                    sessionToken: profile.aws_session_token,
+                }
+            }
+            if (!profile.source_profile || !iniData[profile.source_profile]) {
+                throw new ToolkitError(
+                    `auth: Profile ${this.profileName} is missing source_profile for role assumption`
+                )
+            }
+            // Use source profile to assume IAM role based on role ARN provided.
+            const sourceProfile = iniData[profile.source_profile!]
+            const stsClient = new DefaultStsClient(this.getDefaultRegion() ?? 'us-east-1', {
+                accessKeyId: sourceProfile.aws_access_key_id!,
+                secretAccessKey: sourceProfile.aws_secret_access_key!,
+            })
+            // Prompt for MFA Token if needed.
+            const assumeRoleReq = {
+                RoleArn: profile.role_arn,
+                RoleSessionName: 'AssumeRoleSession',
+                ...(profile.mfa_serial
+                    ? {
+                          SerialNumber: profile.mfa_serial,
+                          TokenCode: await getMfaTokenFromUser(profile.mfa_serial, this.profileName),
+                      }
+                    : {}),
+            }
+            const assumeRoleRsp = await stsClient.assumeRole(assumeRoleReq)
+            return {
+                accessKeyId: assumeRoleRsp.Credentials!.AccessKeyId!,
+                secretAccessKey: assumeRoleRsp.Credentials!.SecretAccessKey!,
+                sessionToken: assumeRoleRsp.Credentials?.SessionToken,
+                expiration: assumeRoleRsp.Credentials?.Expiration,
+            }
+        }
     }
 
     private makeSourcedCredentialsProvider(): AWS.CredentialProvider {
diff --git a/packages/core/src/test/credentials/provider/sharedCredentialsProvider.test.ts b/packages/core/src/test/credentials/provider/sharedCredentialsProvider.test.ts
@@ -13,6 +13,9 @@ import { SsoClient } from '../../../auth/sso/clients'
 import { stub } from '../../utilities/stubber'
 import { SsoAccessTokenProvider } from '../../../auth/sso/ssoAccessTokenProvider'
 import { createTestSections } from '../testUtil'
+import { DefaultStsClient } from '../../../shared/clients/stsClient'
+import { oneDay } from '../../../shared/datetime'
+import { getTestWindow } from '../../shared/vscode/window'
 
 const missingPropertiesFragment = 'missing properties'
 
@@ -450,6 +453,76 @@ describe('SharedCredentialsProvider', async function () {
             })
         })
     })
+
+    describe('makeSharedIniFileCredentialsProvider', function () {
+        let defaultSection: string
+
+        before(function () {
+            defaultSection = `[profile default]
+                aws_access_key_id = x
+                aws_secret_access_key = y`
+        })
+
+        beforeEach(function () {
+            sandbox.stub(DefaultStsClient.prototype, 'assumeRole').callsFake(async (request) => {
+                assert.strictEqual(request.RoleArn, 'testarn')
+                if (request.SerialNumber) {
+                    assert.strictEqual(request.SerialNumber, 'mfaSerialToken')
+                    assert.strictEqual(request.TokenCode, 'mfaToken')
+                }
+                return {
+                    Credentials: {
+                        AccessKeyId: 'id',
+                        SecretAccessKey: 'secret',
+                        SessionToken: 'token',
+                        Expiration: new Date(Date.now() + oneDay),
+                    },
+                }
+            })
+        })
+
+        it('assumes role given in ini data', async function () {
+            const sections = await createTestSections(`
+                ${defaultSection}
+                [profile assume]
+                source_profile = default
+                role_arn = testarn
+                `)
+
+            const sut = new SharedCredentialsProvider('assume', sections)
+            const creds = await sut.getCredentials()
+            assert.strictEqual(creds.accessKeyId, 'id')
+            assert.strictEqual(creds.secretAccessKey, 'secret')
+            assert.strictEqual(creds.sessionToken, 'token')
+        })
+
+        it('assumes role with mfa token', async function () {
+            const sections = await createTestSections(`
+                ${defaultSection}
+                [profile assume]
+                source_profile = default
+                role_arn = testarn
+                mfa_serial= mfaSerialToken
+                `)
+            const sut = new SharedCredentialsProvider('assume', sections)
+
+            getTestWindow().onDidShowInputBox((inputBox) => {
+                inputBox.acceptValue('mfaToken')
+            })
+
+            const creds = await sut.getCredentials()
+            assert.strictEqual(creds.accessKeyId, 'id')
+            assert.strictEqual(creds.secretAccessKey, 'secret')
+            assert.strictEqual(creds.sessionToken, 'token')
+        })
+
+        it('does not assume role when no roleArn is present', async function () {
+            const sut = new SharedCredentialsProvider('default', await createTestSections(defaultSection))
+            const creds = await sut.getCredentials()
+            assert.strictEqual(creds.accessKeyId, 'x')
+            assert.strictEqual(creds.secretAccessKey, 'y')
+        })
+    })
 })
 
 function assertSubstringsInText(text: string | undefined, ...substrings: string[]) {
