@aws-cdk/toolkit-lib 0.3.1 → 0.3.3

package/lib/api/aws-auth/provider-caching.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeCachingProvider = makeCachingProvider;
+exports.credentialsAboutToExpire = credentialsAboutToExpire;
+const property_provider_1 = require("@smithy/property-provider");
+/**
+ * Wrap a credential provider in a cache
+ *
+ * Some credential providers in the SDKv3 are cached (the default Node
+ * chain, specifically) but most others are not.
+ *
+ * Since we want to avoid duplicate calls to `AssumeRole`, or duplicate
+ * MFA prompts or what have you, we are going to liberally wrap providers
+ * in caches which will return the cached value until it expires.
+ */
+function makeCachingProvider(provider) {
+    return (0, property_provider_1.memoize)(provider, credentialsAboutToExpire, (token) => !!token.expiration);
+}
+function credentialsAboutToExpire(token) {
+    const expiryMarginSecs = 5;
+    // token.expiration is sometimes null
+    return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHJvdmlkZXItY2FjaGluZy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbInByb3ZpZGVyLWNhY2hpbmcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFhQSxrREFNQztBQUVELDREQUlDO0FBekJELGlFQUFvRDtBQUdwRDs7Ozs7Ozs7O0dBU0c7QUFDSCxTQUFnQixtQkFBbUIsQ0FBQyxRQUF1QztJQUN6RSxPQUFPLElBQUEsMkJBQU8sRUFDWixRQUFRLEVBQ1Isd0JBQXdCLEVBQ3hCLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FDOUIsQ0FBQztBQUNKLENBQUM7QUFFRCxTQUFnQix3QkFBd0IsQ0FBQyxLQUE0QjtJQUNuRSxNQUFNLGdCQUFnQixHQUFHLENBQUMsQ0FBQztJQUMzQixxQ0FBcUM7SUFDckMsT0FBTyxDQUFDLENBQUMsS0FBSyxDQUFDLFVBQVUsSUFBSSxLQUFLLENBQUMsVUFBVSxDQUFDLE9BQU8sRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxnQkFBZ0IsR0FBRyxJQUFJLENBQUM7QUFDakcsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IG1lbW9pemUgfSBmcm9tICdAc21pdGh5L3Byb3BlcnR5LXByb3ZpZGVyJztcbmltcG9ydCB0eXBlIHsgQXdzQ3JlZGVudGlhbElkZW50aXR5LCBBd3NDcmVkZW50aWFsSWRlbnRpdHlQcm92aWRlciB9IGZyb20gJ0BzbWl0aHkvdHlwZXMnO1xuXG4vKipcbiAqIFdyYXAgYSBjcmVkZW50aWFsIHByb3ZpZGVyIGluIGEgY2FjaGVcbiAqXG4gKiBTb21lIGNyZWRlbnRpYWwgcHJvdmlkZXJzIGluIHRoZSBTREt2MyBhcmUgY2FjaGVkICh0aGUgZGVmYXVsdCBOb2RlXG4gKiBjaGFpbiwgc3BlY2lmaWNhbGx5KSBidXQgbW9zdCBvdGhlcnMgYXJlIG5vdC5cbiAqXG4gKiBTaW5jZSB3ZSB3YW50IHRvIGF2b2lkIGR1cGxpY2F0ZSBjYWxscyB0byBgQXNzdW1lUm9sZWAsIG9yIGR1cGxpY2F0ZVxuICogTUZBIHByb21wdHMgb3Igd2hhdCBoYXZlIHlvdSwgd2UgYXJlIGdvaW5nIHRvIGxpYmVyYWxseSB3cmFwIHByb3ZpZGVyc1xuICogaW4gY2FjaGVzIHdoaWNoIHdpbGwgcmV0dXJuIHRoZSBjYWNoZWQgdmFsdWUgdW50aWwgaXQgZXhwaXJlcy5cbiAqL1xuZXhwb3J0IGZ1bmN0aW9uIG1ha2VDYWNoaW5nUHJvdmlkZXIocHJvdmlkZXI6IEF3c0NyZWRlbnRpYWxJZGVudGl0eVByb3ZpZGVyKTogQXdzQ3JlZGVudGlhbElkZW50aXR5UHJvdmlkZXIge1xuICByZXR1cm4gbWVtb2l6ZShcbiAgICBwcm92aWRlcixcbiAgICBjcmVkZW50aWFsc0Fib3V0VG9FeHBpcmUsXG4gICAgKHRva2VuKSA9PiAhIXRva2VuLmV4cGlyYXRpb24sXG4gICk7XG59XG5cbmV4cG9ydCBmdW5jdGlvbiBjcmVkZW50aWFsc0Fib3V0VG9FeHBpcmUodG9rZW46IEF3c0NyZWRlbnRpYWxJZGVudGl0eSkge1xuICBjb25zdCBleHBpcnlNYXJnaW5TZWNzID0gNTtcbiAgLy8gdG9rZW4uZXhwaXJhdGlvbiBpcyBzb21ldGltZXMgbnVsbFxuICByZXR1cm4gISF0b2tlbi5leHBpcmF0aW9uICYmIHRva2VuLmV4cGlyYXRpb24uZ2V0VGltZSgpIC0gRGF0ZS5ub3coKSA8IGV4cGlyeU1hcmdpblNlY3MgKiAxMDAwO1xufVxuIl19

package/lib/api/aws-auth/proxy-agent.d.ts

@@ -0,0 +1,13 @@
+import { ProxyAgent } from 'proxy-agent';
+import type { SdkHttpOptions } from './types';
+import { type IoHelper } from '../io/private';
+export declare class ProxyAgentProvider {
+    private readonly ioHelper;
+    constructor(ioHelper: IoHelper);
+    create(options: SdkHttpOptions): Promise<ProxyAgent>;
+    private tryGetCACert;
+    /**
+     * Find and return a CA certificate bundle path to be passed into the SDK.
+     */
+    private caBundlePathFromEnvironment;
+}

package/lib/api/aws-auth/proxy-agent.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProxyAgentProvider = void 0;
+const fs = require("fs-extra");
+const proxy_agent_1 = require("proxy-agent");
+const private_1 = require("../io/private");
+class ProxyAgentProvider {
+    ioHelper;
+    constructor(ioHelper) {
+        this.ioHelper = ioHelper;
+    }
+    async create(options) {
+        // Force it to use the proxy provided through the command line.
+        // Otherwise, let the ProxyAgent auto-detect the proxy using environment variables.
+        const getProxyForUrl = options.proxyAddress != null
+            ? () => Promise.resolve(options.proxyAddress)
+            : undefined;
+        return new proxy_agent_1.ProxyAgent({
+            ca: await this.tryGetCACert(options.caBundlePath),
+            getProxyForUrl,
+        });
+    }
+    async tryGetCACert(bundlePath) {
+        const path = bundlePath || this.caBundlePathFromEnvironment();
+        if (path) {
+            await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(`Using CA bundle path: ${path}`));
+            try {
+                if (!fs.pathExistsSync(path)) {
+                    return undefined;
+                }
+                return fs.readFileSync(path, { encoding: 'utf-8' });
+            }
+            catch (e) {
+                await this.ioHelper.notify(private_1.IO.DEFAULT_SDK_DEBUG.msg(String(e)));
+                return undefined;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Find and return a CA certificate bundle path to be passed into the SDK.
+     */
+    caBundlePathFromEnvironment() {
+        if (process.env.aws_ca_bundle) {
+            return process.env.aws_ca_bundle;
+        }
+        if (process.env.AWS_CA_BUNDLE) {
+            return process.env.AWS_CA_BUNDLE;
+        }
+        return undefined;
+    }
+}
+exports.ProxyAgentProvider = ProxyAgentProvider;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHJveHktYWdlbnQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJwcm94eS1hZ2VudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwrQkFBK0I7QUFDL0IsNkNBQXlDO0FBRXpDLDJDQUFrRDtBQUVsRCxNQUFhLGtCQUFrQjtJQUNaLFFBQVEsQ0FBVztJQUVwQyxZQUFtQixRQUFrQjtRQUNuQyxJQUFJLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztJQUMzQixDQUFDO0lBRU0sS0FBSyxDQUFDLE1BQU0sQ0FBQyxPQUF1QjtRQUN6QywrREFBK0Q7UUFDL0QsbUZBQW1GO1FBQ25GLE1BQU0sY0FBYyxHQUFHLE9BQU8sQ0FBQyxZQUFZLElBQUksSUFBSTtZQUNqRCxDQUFDLENBQUMsR0FBRyxFQUFFLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsWUFBYSxDQUFDO1lBQzlDLENBQUMsQ0FBQyxTQUFTLENBQUM7UUFFZCxPQUFPLElBQUksd0JBQVUsQ0FBQztZQUNwQixFQUFFLEVBQUUsTUFBTSxJQUFJLENBQUMsWUFBWSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUM7WUFDakQsY0FBYztTQUNmLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFTyxLQUFLLENBQUMsWUFBWSxDQUFDLFVBQW1CO1FBQzVDLE1BQU0sSUFBSSxHQUFHLFVBQVUsSUFBSSxJQUFJLENBQUMsMkJBQTJCLEVBQUUsQ0FBQztRQUM5RCxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ1QsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLHlCQUF5QixJQUFJLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDdEYsSUFBSSxDQUFDO2dCQUNILElBQUksQ0FBQyxFQUFFLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7b0JBQzdCLE9BQU8sU0FBUyxDQUFDO2dCQUNuQixDQUFDO2dCQUNELE9BQU8sRUFBRSxDQUFDLFlBQVksQ0FBQyxJQUFJLEVBQUUsRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUN0RCxDQUFDO1lBQUMsT0FBTyxDQUFNLEVBQUUsQ0FBQztnQkFDaEIsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxZQUFFLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ2hFLE9BQU8sU0FBUyxDQUFDO1lBQ25CLENBQUM7UUFDSCxDQUFDO1FBQ0QsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVEOztPQUVHO0lBQ0ssMkJBQTJCO1FBQ2pDLElBQUksT0FBTyxDQUFDLEdBQUcsQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUM5QixPQUFPLE9BQU8sQ0FBQyxHQUFHLENBQUMsYUFBYSxDQUFDO1FBQ25DLENBQUM7UUFDRCxJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDOUIsT0FBTyxPQUFPLENBQUMsR0FBRyxDQUFDLGFBQWEsQ0FBQztRQUNuQyxDQUFDO1FBQ0QsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztDQUNGO0FBakRELGdEQWlEQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGZzIGZyb20gJ2ZzLWV4dHJhJztcbmltcG9ydCB7IFByb3h5QWdlbnQgfSBmcm9tICdwcm94eS1hZ2VudCc7XG5pbXBvcnQgdHlwZSB7IFNka0h0dHBPcHRpb25zIH0gZnJvbSAnLi90eXBlcyc7XG5pbXBvcnQgeyBJTywgdHlwZSBJb0hlbHBlciB9IGZyb20gJy4uL2lvL3ByaXZhdGUnO1xuXG5leHBvcnQgY2xhc3MgUHJveHlBZ2VudFByb3ZpZGVyIHtcbiAgcHJpdmF0ZSByZWFkb25seSBpb0hlbHBlcjogSW9IZWxwZXI7XG5cbiAgcHVibGljIGNvbnN0cnVjdG9yKGlvSGVscGVyOiBJb0hlbHBlcikge1xuICAgIHRoaXMuaW9IZWxwZXIgPSBpb0hlbHBlcjtcbiAgfVxuXG4gIHB1YmxpYyBhc3luYyBjcmVhdGUob3B0aW9uczogU2RrSHR0cE9wdGlvbnMpIHtcbiAgICAvLyBGb3JjZSBpdCB0byB1c2UgdGhlIHByb3h5IHByb3ZpZGVkIHRocm91Z2ggdGhlIGNvbW1hbmQgbGluZS5cbiAgICAvLyBPdGhlcndpc2UsIGxldCB0aGUgUHJveHlBZ2VudCBhdXRvLWRldGVjdCB0aGUgcHJveHkgdXNpbmcgZW52aXJvbm1lbnQgdmFyaWFibGVzLlxuICAgIGNvbnN0IGdldFByb3h5Rm9yVXJsID0gb3B0aW9ucy5wcm94eUFkZHJlc3MgIT0gbnVsbFxuICAgICAgPyAoKSA9PiBQcm9taXNlLnJlc29sdmUob3B0aW9ucy5wcm94eUFkZHJlc3MhKVxuICAgICAgOiB1bmRlZmluZWQ7XG5cbiAgICByZXR1cm4gbmV3IFByb3h5QWdlbnQoe1xuICAgICAgY2E6IGF3YWl0IHRoaXMudHJ5R2V0Q0FDZXJ0KG9wdGlvbnMuY2FCdW5kbGVQYXRoKSxcbiAgICAgIGdldFByb3h5Rm9yVXJsLFxuICAgIH0pO1xuICB9XG5cbiAgcHJpdmF0ZSBhc3luYyB0cnlHZXRDQUNlcnQoYnVuZGxlUGF0aD86IHN0cmluZykge1xuICAgIGNvbnN0IHBhdGggPSBidW5kbGVQYXRoIHx8IHRoaXMuY2FCdW5kbGVQYXRoRnJvbUVudmlyb25tZW50KCk7XG4gICAgaWYgKHBhdGgpIHtcbiAgICAgIGF3YWl0IHRoaXMuaW9IZWxwZXIubm90aWZ5KElPLkRFRkFVTFRfU0RLX0RFQlVHLm1zZyhgVXNpbmcgQ0EgYnVuZGxlIHBhdGg6ICR7cGF0aH1gKSk7XG4gICAgICB0cnkge1xuICAgICAgICBpZiAoIWZzLnBhdGhFeGlzdHNTeW5jKHBhdGgpKSB7XG4gICAgICAgICAgcmV0dXJuIHVuZGVmaW5lZDtcbiAgICAgICAgfVxuICAgICAgICByZXR1cm4gZnMucmVhZEZpbGVTeW5jKHBhdGgsIHsgZW5jb2Rpbmc6ICd1dGYtOCcgfSk7XG4gICAgICB9IGNhdGNoIChlOiBhbnkpIHtcbiAgICAgICAgYXdhaXQgdGhpcy5pb0hlbHBlci5ub3RpZnkoSU8uREVGQVVMVF9TREtfREVCVUcubXNnKFN0cmluZyhlKSkpO1xuICAgICAgICByZXR1cm4gdW5kZWZpbmVkO1xuICAgICAgfVxuICAgIH1cbiAgICByZXR1cm4gdW5kZWZpbmVkO1xuICB9XG5cbiAgLyoqXG4gICAqIEZpbmQgYW5kIHJldHVybiBhIENBIGNlcnRpZmljYXRlIGJ1bmRsZSBwYXRoIHRvIGJlIHBhc3NlZCBpbnRvIHRoZSBTREsuXG4gICAqL1xuICBwcml2YXRlIGNhQnVuZGxlUGF0aEZyb21FbnZpcm9ubWVudCgpOiBzdHJpbmcgfCB1bmRlZmluZWQge1xuICAgIGlmIChwcm9jZXNzLmVudi5hd3NfY2FfYnVuZGxlKSB7XG4gICAgICByZXR1cm4gcHJvY2Vzcy5lbnYuYXdzX2NhX2J1bmRsZTtcbiAgICB9XG4gICAgaWYgKHByb2Nlc3MuZW52LkFXU19DQV9CVU5ETEUpIHtcbiAgICAgIHJldHVybiBwcm9jZXNzLmVudi5BV1NfQ0FfQlVORExFO1xuICAgIH1cbiAgICByZXR1cm4gdW5kZWZpbmVkO1xuICB9XG59XG5cbiJdfQ==

package/lib/api/aws-auth/sdk-logger.d.ts

@@ -0,0 +1,69 @@
+import type { Logger } from '@smithy/types';
+import type { IoHelper } from '../io/private';
+export declare class SdkToCliLogger implements Logger {
+    private readonly ioHelper;
+    constructor(ioHelper: IoHelper);
+    private notify;
+    trace(..._content: any[]): void;
+    debug(..._content: any[]): void;
+    /**
+     * Info is called mostly (exclusively?) for successful API calls
+     *
+     * Payload:
+     *
+     * (Note the input contains entire CFN templates, for example)
+     *
+     * ```
+     * {
+     *   clientName: 'S3Client',
+     *   commandName: 'GetBucketLocationCommand',
+     *   input: {
+     *     Bucket: '.....',
+     *     ExpectedBucketOwner: undefined
+     *   },
+     *   output: { LocationConstraint: 'eu-central-1' },
+     *   metadata: {
+     *     httpStatusCode: 200,
+     *     requestId: '....',
+     *     extendedRequestId: '...',
+     *     cfId: undefined,
+     *     attempts: 1,
+     *     totalRetryDelay: 0
+     *   }
+     * }
+     * ```
+     */
+    info(...content: any[]): void;
+    warn(...content: any[]): void;
+    /**
+     * Error is called mostly (exclusively?) for failing API calls
+     *
+     * Payload (input would be the entire API call arguments).
+     *
+     * ```
+     * {
+     *   clientName: 'STSClient',
+     *   commandName: 'GetCallerIdentityCommand',
+     *   input: {},
+     *   error: AggregateError [ECONNREFUSED]:
+     *       at internalConnectMultiple (node:net:1121:18)
+     *       at afterConnectMultiple (node:net:1688:7) {
+     *     code: 'ECONNREFUSED',
+     *     '$metadata': { attempts: 3, totalRetryDelay: 600 },
+     *     [errors]: [ [Error], [Error] ]
+     *   },
+     *   metadata: { attempts: 3, totalRetryDelay: 600 }
+     * }
+     * ```
+     */
+    error(...content: any[]): void;
+}
+/**
+ * This can be anything.
+ *
+ * For debug, it seems to be mostly strings.
+ * For info, it seems to be objects.
+ *
+ * Stringify and join without separator.
+ */
+export declare function formatSdkLoggerContent(content: any[]): string;

package/lib/api/aws-auth/sdk-logger.js

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SdkToCliLogger = void 0;
+exports.formatSdkLoggerContent = formatSdkLoggerContent;
+const util_1 = require("util");
+const util_2 = require("../../util");
+const private_1 = require("../io/private");
+class SdkToCliLogger {
+    ioHelper;
+    constructor(ioHelper) {
+        this.ioHelper = ioHelper;
+    }
+    notify(level, ...content) {
+        void this.ioHelper.notify(private_1.IO.CDK_SDK_I0100.msg((0, util_1.format)('[SDK %s] %s', level, formatSdkLoggerContent(content)), {
+            sdkLevel: level,
+            content,
+        }));
+    }
+    trace(..._content) {
+        // This is too much detail for our logs
+        // this.notify('trace', ...content);
+    }
+    debug(..._content) {
+        // This is too much detail for our logs
+        // this.notify('debug', ...content);
+    }
+    /**
+     * Info is called mostly (exclusively?) for successful API calls
+     *
+     * Payload:
+     *
+     * (Note the input contains entire CFN templates, for example)
+     *
+     * ```
+     * {
+     *   clientName: 'S3Client',
+     *   commandName: 'GetBucketLocationCommand',
+     *   input: {
+     *     Bucket: '.....',
+     *     ExpectedBucketOwner: undefined
+     *   },
+     *   output: { LocationConstraint: 'eu-central-1' },
+     *   metadata: {
+     *     httpStatusCode: 200,
+     *     requestId: '....',
+     *     extendedRequestId: '...',
+     *     cfId: undefined,
+     *     attempts: 1,
+     *     totalRetryDelay: 0
+     *   }
+     * }
+     * ```
+     */
+    info(...content) {
+        this.notify('info', ...content);
+    }
+    warn(...content) {
+        this.notify('warn', ...content);
+    }
+    /**
+     * Error is called mostly (exclusively?) for failing API calls
+     *
+     * Payload (input would be the entire API call arguments).
+     *
+     * ```
+     * {
+     *   clientName: 'STSClient',
+     *   commandName: 'GetCallerIdentityCommand',
+     *   input: {},
+     *   error: AggregateError [ECONNREFUSED]:
+     *       at internalConnectMultiple (node:net:1121:18)
+     *       at afterConnectMultiple (node:net:1688:7) {
+     *     code: 'ECONNREFUSED',
+     *     '$metadata': { attempts: 3, totalRetryDelay: 600 },
+     *     [errors]: [ [Error], [Error] ]
+     *   },
+     *   metadata: { attempts: 3, totalRetryDelay: 600 }
+     * }
+     * ```
+     */
+    error(...content) {
+        this.notify('error', ...content);
+    }
+}
+exports.SdkToCliLogger = SdkToCliLogger;
+/**
+ * This can be anything.
+ *
+ * For debug, it seems to be mostly strings.
+ * For info, it seems to be objects.
+ *
+ * Stringify and join without separator.
+ */
+function formatSdkLoggerContent(content) {
+    if (content.length === 1) {
+        const apiFmt = formatApiCall(content[0]);
+        if (apiFmt) {
+            return apiFmt;
+        }
+    }
+    return content.map((x) => typeof x === 'string' ? x : (0, util_1.inspect)(x)).join('');
+}
+function formatApiCall(content) {
+    if (!isSdkApiCallSuccess(content) && !isSdkApiCallError(content)) {
+        return undefined;
+    }
+    const service = content.clientName.replace(/Client$/, '');
+    const api = content.commandName.replace(/Command$/, '');
+    const parts = [];
+    if ((content.metadata?.attempts ?? 0) > 1) {
+        parts.push(`[${content.metadata?.attempts} attempts, ${content.metadata?.totalRetryDelay}ms retry]`);
+    }
+    parts.push(`${service}.${api}(${JSON.stringify(content.input, util_2.replacerBufferWithInfo)})`);
+    if (isSdkApiCallSuccess(content)) {
+        parts.push('-> OK');
+    }
+    else {
+        parts.push(`-> ${content.error}`);
+    }
+    return parts.join(' ');
+}
+function isSdkApiCallSuccess(x) {
+    return x && typeof x === 'object' && x.commandName && x.output;
+}
+function isSdkApiCallError(x) {
+    return x && typeof x === 'object' && x.commandName && x.error;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2RrLWxvZ2dlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbInNkay1sb2dnZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBbUdBLHdEQVFDO0FBM0dELCtCQUF1QztBQUV2QyxxQ0FBb0Q7QUFFcEQsMkNBQW1DO0FBRW5DLE1BQWEsY0FBYztJQUNSLFFBQVEsQ0FBVztJQUVwQyxZQUFtQixRQUFrQjtRQUNuQyxJQUFJLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztJQUMzQixDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQWdDLEVBQUUsR0FBRyxPQUFjO1FBQ2hFLEtBQUssSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsWUFBRSxDQUFDLGFBQWEsQ0FBQyxHQUFHLENBQUMsSUFBQSxhQUFNLEVBQUMsYUFBYSxFQUFFLEtBQUssRUFBRSxzQkFBc0IsQ0FBQyxPQUFPLENBQUMsQ0FBQyxFQUFFO1lBQzVHLFFBQVEsRUFBRSxLQUFLO1lBQ2YsT0FBTztTQUNSLENBQUMsQ0FBQyxDQUFDO0lBQ04sQ0FBQztJQUVNLEtBQUssQ0FBQyxHQUFHLFFBQWU7UUFDN0IsdUNBQXVDO1FBQ3ZDLG9DQUFvQztJQUN0QyxDQUFDO0lBRU0sS0FBSyxDQUFDLEdBQUcsUUFBZTtRQUM3Qix1Q0FBdUM7UUFDdkMsb0NBQW9DO0lBQ3RDLENBQUM7SUFFRDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7T0EwQkc7SUFDSSxJQUFJLENBQUMsR0FBRyxPQUFjO1FBQzNCLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxFQUFFLEdBQUcsT0FBTyxDQUFDLENBQUM7SUFDbEMsQ0FBQztJQUVNLElBQUksQ0FBQyxHQUFHLE9BQWM7UUFDM0IsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLEVBQUUsR0FBRyxPQUFPLENBQUMsQ0FBQztJQUNsQyxDQUFDO0lBRUQ7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O09Bb0JHO0lBQ0ksS0FBSyxDQUFDLEdBQUcsT0FBYztRQUM1QixJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxHQUFHLE9BQU8sQ0FBQyxDQUFDO0lBQ25DLENBQUM7Q0FDRjtBQW5GRCx3Q0FtRkM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsU0FBZ0Isc0JBQXNCLENBQUMsT0FBYztJQUNuRCxJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDekIsTUFBTSxNQUFNLEdBQUcsYUFBYSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3pDLElBQUksTUFBTSxFQUFFLENBQUM7WUFDWCxPQUFPLE1BQU0sQ0FBQztRQUNoQixDQUFDO0lBQ0gsQ0FBQztJQUNELE9BQU8sT0FBTyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUEsY0FBTyxFQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0FBQzdFLENBQUM7QUFFRCxTQUFTLGFBQWEsQ0FBQyxPQUFZO0lBQ2pDLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDakUsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVELE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUMxRCxNQUFNLEdBQUcsR0FBRyxPQUFPLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFFeEQsTUFBTSxLQUFLLEdBQUcsRUFBRSxDQUFDO0lBQ2pCLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLFFBQVEsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUMxQyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksT0FBTyxDQUFDLFFBQVEsRUFBRSxRQUFRLGNBQWMsT0FBTyxDQUFDLFFBQVEsRUFBRSxlQUFlLFdBQVcsQ0FBQyxDQUFDO0lBQ3ZHLENBQUM7SUFFRCxLQUFLLENBQUMsSUFBSSxDQUFDLEdBQUcsT0FBTyxJQUFJLEdBQUcsSUFBSSxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsNkJBQXNCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFMUYsSUFBSSxtQkFBbUIsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ2pDLEtBQUssQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDdEIsQ0FBQztTQUFNLENBQUM7UUFDTixLQUFLLENBQUMsSUFBSSxDQUFDLE1BQU0sT0FBTyxDQUFDLEtBQUssRUFBRSxDQUFDLENBQUM7SUFDcEMsQ0FBQztJQUVELE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztBQUN6QixDQUFDO0FBbUJELFNBQVMsbUJBQW1CLENBQUMsQ0FBTTtJQUNqQyxPQUFPLENBQUMsSUFBSSxPQUFPLENBQUMsS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLFdBQVcsSUFBSSxDQUFDLENBQUMsTUFBTSxDQUFDO0FBQ2pFLENBQUM7QUFFRCxTQUFTLGlCQUFpQixDQUFDLENBQU07SUFDL0IsT0FBTyxDQUFDLElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxJQUFJLENBQUMsQ0FBQyxXQUFXLElBQUksQ0FBQyxDQUFDLEtBQUssQ0FBQztBQUNoRSxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgaW5zcGVjdCwgZm9ybWF0IH0gZnJvbSAndXRpbCc7XG5pbXBvcnQgdHlwZSB7IExvZ2dlciB9IGZyb20gJ0BzbWl0aHkvdHlwZXMnO1xuaW1wb3J0IHsgcmVwbGFjZXJCdWZmZXJXaXRoSW5mbyB9IGZyb20gJy4uLy4uL3V0aWwnO1xuaW1wb3J0IHR5cGUgeyBJb0hlbHBlciB9IGZyb20gJy4uL2lvL3ByaXZhdGUnO1xuaW1wb3J0IHsgSU8gfSBmcm9tICcuLi9pby9wcml2YXRlJztcblxuZXhwb3J0IGNsYXNzIFNka1RvQ2xpTG9nZ2VyIGltcGxlbWVudHMgTG9nZ2VyIHtcbiAgcHJpdmF0ZSByZWFkb25seSBpb0hlbHBlcjogSW9IZWxwZXI7XG5cbiAgcHVibGljIGNvbnN0cnVjdG9yKGlvSGVscGVyOiBJb0hlbHBlcikge1xuICAgIHRoaXMuaW9IZWxwZXIgPSBpb0hlbHBlcjtcbiAgfVxuXG4gIHByaXZhdGUgbm90aWZ5KGxldmVsOiAnaW5mbycgfCAnd2FybicgfCAnZXJyb3InLCAuLi5jb250ZW50OiBhbnlbXSkge1xuICAgIHZvaWQgdGhpcy5pb0hlbHBlci5ub3RpZnkoSU8uQ0RLX1NES19JMDEwMC5tc2coZm9ybWF0KCdbU0RLICVzXSAlcycsIGxldmVsLCBmb3JtYXRTZGtMb2dnZXJDb250ZW50KGNvbnRlbnQpKSwge1xuICAgICAgc2RrTGV2ZWw6IGxldmVsLFxuICAgICAgY29udGVudCxcbiAgICB9KSk7XG4gIH1cblxuICBwdWJsaWMgdHJhY2UoLi4uX2NvbnRlbnQ6IGFueVtdKSB7XG4gICAgLy8gVGhpcyBpcyB0b28gbXVjaCBkZXRhaWwgZm9yIG91ciBsb2dzXG4gICAgLy8gdGhpcy5ub3RpZnkoJ3RyYWNlJywgLi4uY29udGVudCk7XG4gIH1cblxuICBwdWJsaWMgZGVidWcoLi4uX2NvbnRlbnQ6IGFueVtdKSB7XG4gICAgLy8gVGhpcyBpcyB0b28gbXVjaCBkZXRhaWwgZm9yIG91ciBsb2dzXG4gICAgLy8gdGhpcy5ub3RpZnkoJ2RlYnVnJywgLi4uY29udGVudCk7XG4gIH1cblxuICAvKipcbiAgICogSW5mbyBpcyBjYWxsZWQgbW9zdGx5IChleGNsdXNpdmVseT8pIGZvciBzdWNjZXNzZnVsIEFQSSBjYWxsc1xuICAgKlxuICAgKiBQYXlsb2FkOlxuICAgKlxuICAgKiAoTm90ZSB0aGUgaW5wdXQgY29udGFpbnMgZW50aXJlIENGTiB0ZW1wbGF0ZXMsIGZvciBleGFtcGxlKVxuICAgKlxuICAgKiBgYGBcbiAgICoge1xuICAgKiAgIGNsaWVudE5hbWU6ICdTM0NsaWVudCcsXG4gICAqICAgY29tbWFuZE5hbWU6ICdHZXRCdWNrZXRMb2NhdGlvbkNvbW1hbmQnLFxuICAgKiAgIGlucHV0OiB7XG4gICAqICAgICBCdWNrZXQ6ICcuLi4uLicsXG4gICAqICAgICBFeHBlY3RlZEJ1Y2tldE93bmVyOiB1bmRlZmluZWRcbiAgICogICB9LFxuICAgKiAgIG91dHB1dDogeyBMb2NhdGlvbkNvbnN0cmFpbnQ6ICdldS1jZW50cmFsLTEnIH0sXG4gICAqICAgbWV0YWRhdGE6IHtcbiAgICogICAgIGh0dHBTdGF0dXNDb2RlOiAyMDAsXG4gICAqICAgICByZXF1ZXN0SWQ6ICcuLi4uJyxcbiAgICogICAgIGV4dGVuZGVkUmVxdWVzdElkOiAnLi4uJyxcbiAgICogICAgIGNmSWQ6IHVuZGVmaW5lZCxcbiAgICogICAgIGF0dGVtcHRzOiAxLFxuICAgKiAgICAgdG90YWxSZXRyeURlbGF5OiAwXG4gICAqICAgfVxuICAgKiB9XG4gICAqIGBgYFxuICAgKi9cbiAgcHVibGljIGluZm8oLi4uY29udGVudDogYW55W10pIHtcbiAgICB0aGlzLm5vdGlmeSgnaW5mbycsIC4uLmNvbnRlbnQpO1xuICB9XG5cbiAgcHVibGljIHdhcm4oLi4uY29udGVudDogYW55W10pIHtcbiAgICB0aGlzLm5vdGlmeSgnd2FybicsIC4uLmNvbnRlbnQpO1xuICB9XG5cbiAgLyoqXG4gICAqIEVycm9yIGlzIGNhbGxlZCBtb3N0bHkgKGV4Y2x1c2l2ZWx5PykgZm9yIGZhaWxpbmcgQVBJIGNhbGxzXG4gICAqXG4gICAqIFBheWxvYWQgKGlucHV0IHdvdWxkIGJlIHRoZSBlbnRpcmUgQVBJIGNhbGwgYXJndW1lbnRzKS5cbiAgICpcbiAgICogYGBgXG4gICAqIHtcbiAgICogICBjbGllbnROYW1lOiAnU1RTQ2xpZW50JyxcbiAgICogICBjb21tYW5kTmFtZTogJ0dldENhbGxlcklkZW50aXR5Q29tbWFuZCcsXG4gICAqICAgaW5wdXQ6IHt9LFxuICAgKiAgIGVycm9yOiBBZ2dyZWdhdGVFcnJvciBbRUNPTk5SRUZVU0VEXTpcbiAgICogICAgICAgYXQgaW50ZXJuYWxDb25uZWN0TXVsdGlwbGUgKG5vZGU6bmV0OjExMjE6MTgpXG4gICAqICAgICAgIGF0IGFmdGVyQ29ubmVjdE11bHRpcGxlIChub2RlOm5ldDoxNjg4OjcpIHtcbiAgICogICAgIGNvZGU6ICdFQ09OTlJFRlVTRUQnLFxuICAgKiAgICAgJyRtZXRhZGF0YSc6IHsgYXR0ZW1wdHM6IDMsIHRvdGFsUmV0cnlEZWxheTogNjAwIH0sXG4gICAqICAgICBbZXJyb3JzXTogWyBbRXJyb3JdLCBbRXJyb3JdIF1cbiAgICogICB9LFxuICAgKiAgIG1ldGFkYXRhOiB7IGF0dGVtcHRzOiAzLCB0b3RhbFJldHJ5RGVsYXk6IDYwMCB9XG4gICAqIH1cbiAgICogYGBgXG4gICAqL1xuICBwdWJsaWMgZXJyb3IoLi4uY29udGVudDogYW55W10pIHtcbiAgICB0aGlzLm5vdGlmeSgnZXJyb3InLCAuLi5jb250ZW50KTtcbiAgfVxufVxuXG4vKipcbiAqIFRoaXMgY2FuIGJlIGFueXRoaW5nLlxuICpcbiAqIEZvciBkZWJ1ZywgaXQgc2VlbXMgdG8gYmUgbW9zdGx5IHN0cmluZ3MuXG4gKiBGb3IgaW5mbywgaXQgc2VlbXMgdG8gYmUgb2JqZWN0cy5cbiAqXG4gKiBTdHJpbmdpZnkgYW5kIGpvaW4gd2l0aG91dCBzZXBhcmF0b3IuXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBmb3JtYXRTZGtMb2dnZXJDb250ZW50KGNvbnRlbnQ6IGFueVtdKSB7XG4gIGlmIChjb250ZW50Lmxlbmd0aCA9PT0gMSkge1xuICAgIGNvbnN0IGFwaUZtdCA9IGZvcm1hdEFwaUNhbGwoY29udGVudFswXSk7XG4gICAgaWYgKGFwaUZtdCkge1xuICAgICAgcmV0dXJuIGFwaUZtdDtcbiAgICB9XG4gIH1cbiAgcmV0dXJuIGNvbnRlbnQubWFwKCh4KSA9PiB0eXBlb2YgeCA9PT0gJ3N0cmluZycgPyB4IDogaW5zcGVjdCh4KSkuam9pbignJyk7XG59XG5cbmZ1bmN0aW9uIGZvcm1hdEFwaUNhbGwoY29udGVudDogYW55KTogc3RyaW5nIHwgdW5kZWZpbmVkIHtcbiAgaWYgKCFpc1Nka0FwaUNhbGxTdWNjZXNzKGNvbnRlbnQpICYmICFpc1Nka0FwaUNhbGxFcnJvcihjb250ZW50KSkge1xuICAgIHJldHVybiB1bmRlZmluZWQ7XG4gIH1cblxuICBjb25zdCBzZXJ2aWNlID0gY29udGVudC5jbGllbnROYW1lLnJlcGxhY2UoL0NsaWVudCQvLCAnJyk7XG4gIGNvbnN0IGFwaSA9IGNvbnRlbnQuY29tbWFuZE5hbWUucmVwbGFjZSgvQ29tbWFuZCQvLCAnJyk7XG5cbiAgY29uc3QgcGFydHMgPSBbXTtcbiAgaWYgKChjb250ZW50Lm1ldGFkYXRhPy5hdHRlbXB0cyA/PyAwKSA+IDEpIHtcbiAgICBwYXJ0cy5wdXNoKGBbJHtjb250ZW50Lm1ldGFkYXRhPy5hdHRlbXB0c30gYXR0ZW1wdHMsICR7Y29udGVudC5tZXRhZGF0YT8udG90YWxSZXRyeURlbGF5fW1zIHJldHJ5XWApO1xuICB9XG5cbiAgcGFydHMucHVzaChgJHtzZXJ2aWNlfS4ke2FwaX0oJHtKU09OLnN0cmluZ2lmeShjb250ZW50LmlucHV0LCByZXBsYWNlckJ1ZmZlcldpdGhJbmZvKX0pYCk7XG5cbiAgaWYgKGlzU2RrQXBpQ2FsbFN1Y2Nlc3MoY29udGVudCkpIHtcbiAgICBwYXJ0cy5wdXNoKCctPiBPSycpO1xuICB9IGVsc2Uge1xuICAgIHBhcnRzLnB1c2goYC0+ICR7Y29udGVudC5lcnJvcn1gKTtcbiAgfVxuXG4gIHJldHVybiBwYXJ0cy5qb2luKCcgJyk7XG59XG5cbmludGVyZmFjZSBTZGtBcGlDYWxsQmFzZSB7XG4gIGNsaWVudE5hbWU6IHN0cmluZztcbiAgY29tbWFuZE5hbWU6IHN0cmluZztcbiAgaW5wdXQ6IFJlY29yZDxzdHJpbmcsIHVua25vd24+O1xuICBtZXRhZGF0YT86IHtcbiAgICBodHRwU3RhdHVzQ29kZT86IG51bWJlcjtcbiAgICByZXF1ZXN0SWQ/OiBzdHJpbmc7XG4gICAgZXh0ZW5kZWRSZXF1ZXN0SWQ/OiBzdHJpbmc7XG4gICAgY2ZJZD86IHN0cmluZztcbiAgICBhdHRlbXB0cz86IG51bWJlcjtcbiAgICB0b3RhbFJldHJ5RGVsYXk/OiBudW1iZXI7XG4gIH07XG59XG5cbnR5cGUgU2RrQXBpQ2FsbFN1Y2Nlc3MgPSBTZGtBcGlDYWxsQmFzZSAmIHsgb3V0cHV0OiBSZWNvcmQ8c3RyaW5nLCB1bmtub3duPiB9O1xudHlwZSBTZGtBcGlDYWxsRXJyb3IgPSBTZGtBcGlDYWxsQmFzZSAmIHsgZXJyb3I6IEVycm9yIH07XG5cbmZ1bmN0aW9uIGlzU2RrQXBpQ2FsbFN1Y2Nlc3MoeDogYW55KTogeCBpcyBTZGtBcGlDYWxsU3VjY2VzcyB7XG4gIHJldHVybiB4ICYmIHR5cGVvZiB4ID09PSAnb2JqZWN0JyAmJiB4LmNvbW1hbmROYW1lICYmIHgub3V0cHV0O1xufVxuXG5mdW5jdGlvbiBpc1Nka0FwaUNhbGxFcnJvcih4OiBhbnkpOiB4IGlzIFNka0FwaUNhbGxFcnJvciB7XG4gIHJldHVybiB4ICYmIHR5cGVvZiB4ID09PSAnb2JqZWN0JyAmJiB4LmNvbW1hbmROYW1lICYmIHguZXJyb3I7XG59XG4iXX0=

package/lib/api/aws-auth/sdk-provider.d.ts

@@ -0,0 +1,195 @@
+import type { ContextLookupRoleOptions } from '@aws-cdk/cloud-assembly-schema';
+import type { Environment } from '@aws-cdk/cx-api';
+import type { AssumeRoleCommandInput } from '@aws-sdk/client-sts';
+import type { NodeHttpHandlerOptions } from '@smithy/node-http-handler';
+import type { AwsCredentialIdentityProvider, Logger } from '@smithy/types';
+import { SDK } from './sdk';
+import { type IoHelper } from '../io/private';
+import { PluginHost, Mode } from '../plugin';
+export type AssumeRoleAdditionalOptions = Partial<Omit<AssumeRoleCommandInput, 'ExternalId' | 'RoleArn'>>;
+/**
+ * Options for the default SDK provider
+ */
+export interface SdkProviderOptions extends SdkProviderServices {
+    /**
+     * Profile to read from ~/.aws
+     *
+     * @default - No profile
+     */
+    readonly profile?: string;
+}
+/**
+ * SDK configuration for a given environment
+ * 'forEnvironment' will attempt to assume a role and if it
+ * is not successful, then it will either:
+ *   1. Check to see if the default credentials (local credentials the CLI was executed with)
+ *      are for the given environment. If they are then return those.
+ *   2. If the default credentials are not for the given environment then
+ *      throw an error
+ *
+ * 'didAssumeRole' allows callers to whether they are receiving the assume role
+ * credentials or the default credentials.
+ */
+export interface SdkForEnvironment {
+    /**
+     * The SDK for the given environment
+     */
+    readonly sdk: SDK;
+    /**
+     * Whether or not the assume role was successful.
+     * If the assume role was not successful (false)
+     * then that means that the 'sdk' returned contains
+     * the default credentials (not the assume role credentials)
+     */
+    readonly didAssumeRole: boolean;
+}
+/**
+ * Creates instances of the AWS SDK appropriate for a given account/region.
+ *
+ * Behavior is as follows:
+ *
+ * - First, a set of "base" credentials are established
+ *   - If a target environment is given and the default ("current") SDK credentials are for
+ *     that account, return those; otherwise
+ *   - If a target environment is given, scan all credential provider plugins
+ *     for credentials, and return those if found; otherwise
+ *   - Return default ("current") SDK credentials, noting that they might be wrong.
+ *
+ * - Second, a role may optionally need to be assumed. Use the base credentials
+ *   established in the previous process to assume that role.
+ *   - If assuming the role fails and the base credentials are for the correct
+ *     account, return those. This is a fallback for people who are trying to interact
+ *     with a Default Synthesized stack and already have right credentials setup.
+ *
+ *     Typical cases we see in the wild:
+ *     - Credential plugin setup that, although not recommended, works for them
+ *     - Seeded terminal with `ReadOnly` credentials in order to do `cdk diff`--the `ReadOnly`
+ *       role doesn't have `sts:AssumeRole` and will fail for no real good reason.
+ */
+export declare class SdkProvider {
+    /**
+     * Create a new SdkProvider which gets its defaults in a way that behaves like the AWS CLI does
+     *
+     * The AWS SDK for JS behaves slightly differently from the AWS CLI in a number of ways; see the
+     * class `AwsCliCompatible` for the details.
+     */
+    static withAwsCliCompatibleDefaults(options: SdkProviderOptions): Promise<SdkProvider>;
+    readonly defaultRegion: string;
+    private readonly defaultCredentialProvider;
+    private readonly plugins;
+    private readonly requestHandler;
+    private readonly ioHelper;
+    private readonly logger?;
+    constructor(defaultCredentialProvider: AwsCredentialIdentityProvider, defaultRegion: string | undefined, services: SdkProviderServices);
+    /**
+     * Return an SDK which can do operations in the given environment
+     *
+     * The `environment` parameter is resolved first (see `resolveEnvironment()`).
+     */
+    forEnvironment(environment: Environment, mode: Mode, options?: CredentialsOptions, quiet?: boolean): Promise<SdkForEnvironment>;
+    /**
+     * Return the partition that base credentials are for
+     *
+     * Returns `undefined` if there are no base credentials.
+     */
+    baseCredentialsPartition(environment: Environment, mode: Mode): Promise<string | undefined>;
+    /**
+     * Resolve the environment for a stack
+     *
+     * Replaces the magic values `UNKNOWN_REGION` and `UNKNOWN_ACCOUNT`
+     * with the defaults for the current SDK configuration (`~/.aws/config` or
+     * otherwise).
+     *
+     * It is an error if `UNKNOWN_ACCOUNT` is used but the user hasn't configured
+     * any SDK credentials.
+     */
+    resolveEnvironment(env: Environment): Promise<Environment>;
+    /**
+     * The account we'd auth into if we used default credentials.
+     *
+     * Default credentials are the set of ambiently configured credentials using
+     * one of the environment variables, or ~/.aws/credentials, or the *one*
+     * profile that was passed into the CLI.
+     *
+     * Might return undefined if there are no default/ambient credentials
+     * available (in which case the user should better hope they have
+     * credential plugins configured).
+     *
+     * Uses a cache to avoid STS calls if we don't need 'em.
+     */
+    defaultAccount(): Promise<Account | undefined>;
+    /**
+     * Get credentials for the given account ID in the given mode
+     *
+     * 1. Use the default credentials if the destination account matches the
+     *    current credentials' account.
+     * 2. Otherwise try all credential plugins.
+     * 3. Fail if neither of these yield any credentials.
+     * 4. Return a failure if any of them returned credentials
+     */
+    private obtainBaseCredentials;
+    /**
+     * Return an SDK which uses assumed role credentials
+     *
+     * The base credentials used to retrieve the assumed role credentials will be the
+     * same credentials returned by obtainCredentials if an environment and mode is passed,
+     * otherwise it will be the current credentials.
+     */
+    private withAssumedRole;
+}
+/**
+ * An AWS account
+ *
+ * An AWS account always exists in only one partition. Usually we don't care about
+ * the partition, but when we need to form ARNs we do.
+ */
+export interface Account {
+    /**
+     * The account number
+     */
+    readonly accountId: string;
+    /**
+     * The partition ('aws' or 'aws-cn' or otherwise)
+     */
+    readonly partition: string;
+}
+/**
+ * Options for obtaining credentials for an environment
+ */
+export interface CredentialsOptions {
+    /**
+     * The ARN of the role that needs to be assumed, if any
+     */
+    readonly assumeRoleArn?: string;
+    /**
+     * External ID required to assume the given role.
+     */
+    readonly assumeRoleExternalId?: string;
+    /**
+     * Session tags required to assume the given role.
+     */
+    readonly assumeRoleAdditionalOptions?: AssumeRoleAdditionalOptions;
+}
+/**
+ * Instantiate an SDK for context providers. This function ensures that all
+ * lookup assume role options are used when context providers perform lookups.
+ */
+export declare function initContextProviderSdk(aws: SdkProvider, options: ContextLookupRoleOptions): Promise<SDK>;
+export interface SdkProviderServices {
+    /**
+     * An IO helper for emitting messages
+     */
+    readonly ioHelper: IoHelper;
+    /**
+     * The request handler settings
+     */
+    readonly requestHandler?: NodeHttpHandlerOptions;
+    /**
+     * A plugin host
+     */
+    readonly pluginHost?: PluginHost;
+    /**
+     * An SDK logger
+     */
+    readonly logger?: Logger;
+}