npm - @go-to-k/cdkd - Versions diffs - 0.164.0 → 0.164.1 - Mend

@go-to-k/cdkd 0.164.0 → 0.164.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -58752,6 +58752,7 @@ async function localInvokeCommand(target, options) {
 			region: options.region
 		});
 		await ensureDockerAvailable();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const appCmd = resolveApp(options.app);
 		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
 		logger.info("Synthesizing CDK app...");
@@ -58849,7 +58850,10 @@ async function localInvokeCommand(target, options) {
 				logger.warn(`--assume-role: STS AssumeRole(${resolvedAssumeRoleArn}) failed: ${reason}. Falling back to the developer's shell credentials.`);
 			}
 		}
-		if (!assumeSucceeded) forwardAwsEnv(dockerEnv);
+		if (!assumeSucceeded) {
+			forwardAwsEnv(dockerEnv);
+			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
+		}
 		let debugPort;
 		if (options.debugPort) {
 			debugPort = Number(options.debugPort);
@@ -59286,6 +59290,44 @@ function forwardAwsEnv(env) {
 	}
 }
 /**
+* Issue #657: overlay `--profile <p>`-resolved credentials onto the
+* Lambda container's env block AFTER `forwardAwsEnv` has copied
+* `process.env.AWS_*`. The overlay covers SSO / IAM Identity Center /
+* fromIni / role-assumption profiles uniformly (resolved via the SDK's
+* default credential chain in `resolveProfileCredentials`). Without
+* this overlay, a dev who runs `cdkd local invoke --profile dev`
+* AND has no `AWS_ACCESS_KEY_ID` env var (the common SSO / Identity
+* Center case) sees the Lambda boot with no creds → handler's AWS SDK
+* call fails with `Could not load credentials from any providers`.
+*
+* Precedence (codifies existing semantics + this new layer):
+*   1. `--assume-role <arn>` (per-Lambda STS creds) — unchanged
+*   2. NEW: `--profile <p>` resolved + cached (this helper)
+*   3. `process.env.AWS_*` forwarded — when `--profile` not set
+*
+* Region from `forwardAwsEnv` is preserved — only the credential
+* triple is overlaid.
+*
+* When the resolved profile is long-lived (no `sessionToken`), any
+* inherited `AWS_SESSION_TOKEN` is stripped — a mismatched (long-
+* lived AKID + foreign session) would otherwise cause an SDK error
+* inside the container.
+*
+* No-op when `profileCreds` is `undefined` (profile not set) or when
+* `assumeRoleActive` is true (assume-role already won; its STS-issued
+* creds must not be clobbered by the profile overlay).
+*
+* Exported for unit-test isolation (see `local-invoke-profile-creds.test.ts`).
+*/
+function applyProfileCredentialsOverlay(env, profileCreds, assumeRoleActive) {
+	if (!profileCreds) return;
+	if (assumeRoleActive) return;
+	env["AWS_ACCESS_KEY_ID"] = profileCreds.accessKeyId;
+	env["AWS_SECRET_ACCESS_KEY"] = profileCreds.secretAccessKey;
+	if (profileCreds.sessionToken) env["AWS_SESSION_TOKEN"] = profileCreds.sessionToken;
+	else delete env["AWS_SESSION_TOKEN"];
+}
+/**
 * Materialize an inline Lambda body (`Code.ZipFile`) to a tmpdir and
 * return the directory the container should mount at /var/task. The
 * filename is derived from the function's Handler property and the
@@ -60505,7 +60547,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.164.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.164.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());