@go-to-k/cdkd 0.162.2 → 0.162.3

package/dist/cli.js

@@ -54737,6 +54737,7 @@ async function localStartApiCommand(target, options) {
 			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -54753,7 +54754,8 @@ async function localStartApiCommand(target, options) {
 				layerTmpDirs,
 				stateByStack,
 				skipPull: options.pull === false,
-				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn }
+				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn },
+				...profileCredentials && { profileCredentials }
 			});
 			specs.set(logicalId, spec);
 		}
@@ -55187,7 +55189,7 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
 	let codeDir;
 	let optDir;
@@ -55233,7 +55235,15 @@ async function buildContainerSpec(args) {
 		dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
 		dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
-	} else forwardAwsEnv$1(dockerEnv);
+	} else {
+		forwardAwsEnv$1(dockerEnv);
+		if (profileCredentials) {
+			dockerEnv["AWS_ACCESS_KEY_ID"] = profileCredentials.accessKeyId;
+			dockerEnv["AWS_SECRET_ACCESS_KEY"] = profileCredentials.secretAccessKey;
+			if (profileCredentials.sessionToken) dockerEnv["AWS_SESSION_TOKEN"] = profileCredentials.sessionToken;
+			else delete dockerEnv["AWS_SESSION_TOKEN"];
+		}
+	}
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
 	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
 		target: "/tmp",
@@ -55596,6 +55606,54 @@ function forwardAwsEnv$1(env) {
 	}
 }
 /**
+* Issue #654: resolve `--profile <p>` to a concrete credential set
+* for forwarding to Lambda containers.
+*
+* The dev's AWS credentials may live in any of:
+*   - `~/.aws/sso/cache/*.json` (AWS IAM Identity Center / legacy SSO)
+*   - `~/.aws/credentials` (regular long-lived access keys)
+*   - `~/.aws/config` profiles with `role_arn` + `source_profile` (chained AssumeRole)
+*   - `credential_process` external resolvers
+*
+* `forwardAwsEnv` only reads `process.env.AWS_*`, which is empty for
+* every shape except "user manually exported the env vars". The
+* Lambda container therefore boots without creds and the handler's
+* AWS SDK call fails with `Could not load credentials from any providers`.
+*
+* This helper constructs a transient `STSClient({ profile })` to drive
+* the SDK's default credential provider chain — same code path cdkd's
+* own CFn / CC API clients use when `--profile` is set, so SSO / IAM
+* Identity Center / role-assumption profiles all resolve the same way
+* they already do for cdkd's outbound calls. We then extract the
+* resolved `AwsCredentialIdentity` via `sts.config.credentials()` and
+* return the underlying `{ accessKeyId, secretAccessKey, sessionToken? }`
+* for env-var injection.
+*
+* Called ONCE at server boot; the resolved creds are reused for every
+* Lambda container's env overlay (when `--assume-role` is not set for
+* that Lambda — assume-role wins per the existing precedence). SSO
+* temp creds typically last 1h+, so a single resolve is fine for the
+* common dev session; long-running `--watch` sessions that outlive
+* the creds need a cdkd restart (deferred refresh out of scope for
+* v1, see issue #654).
+*/
+async function resolveProfileCredentials(profile) {
+	const { STSClient } = await import("@aws-sdk/client-sts");
+	const sts = new STSClient({ profile });
+	try {
+		const credsProvider = sts.config.credentials;
+		const creds = typeof credsProvider === "function" ? await credsProvider() : credsProvider;
+		if (!creds || !creds.accessKeyId || !creds.secretAccessKey) throw new Error(`--profile '${profile}': credential provider chain resolved without usable credentials. Check \`aws sso login --profile ` + profile + "` for SSO profiles, or `~/.aws/credentials` / `~/.aws/config` for regular profiles.");
+		return {
+			accessKeyId: creds.accessKeyId,
+			secretAccessKey: creds.secretAccessKey,
+			...creds.sessionToken && { sessionToken: creds.sessionToken }
+		};
+	} finally {
+		sts.destroy();
+	}
+}
+/**
 * Issue an STS AssumeRole and return temporary credentials. Mirrors
 * `cdkd local invoke`'s helper byte-for-byte; lifted here so the
 * start-api command stays self-contained.
@@ -60270,7 +60328,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.3");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());