npm - @wraps.dev/cli - Versions diffs - 2.21.12 → 2.21.14 - Mend

@wraps.dev/cli 2.21.12 → 2.21.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/api-lambda.zip +0 -0
package/dist/cli.js +20 -10
package/dist/cli.js.map +1 -1
package/dist/lambda/event-processor/.bundled +1 -1
package/dist/lambda/inbound-processor/.bundled +1 -1
package/dist/lambda/sms-event-processor/.bundled +1 -1
package/package.json +1 -1

package/dist/api-lambda.zip CHANGED Viewed

Binary file

package/dist/cli.js CHANGED Viewed

@@ -32159,6 +32159,7 @@ var WRAPS_PLATFORM_ACCOUNT_ID = "905130073023";
 async function updatePlatformRole(metadata, progress, externalId) {
   const roleName = "wraps-console-access-role";
   const iam11 = new IAMClient3({ region: "us-east-1" });
+  const trustedAccountId = metadata.services?.selfhost ? metadata.accountId : WRAPS_PLATFORM_ACCOUNT_ID;
   let roleExists2 = false;
   try {
     await iam11.send(new GetRoleCommand({ RoleName: roleName }));
@@ -32189,7 +32190,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           {
             Effect: "Allow",
             Principal: {
-              AWS: `arn:aws:iam::${WRAPS_PLATFORM_ACCOUNT_ID}:root`
+              AWS: `arn:aws:iam::${trustedAccountId}:root`
             },
             Action: "sts:AssumeRole",
             Condition: {
@@ -32218,7 +32219,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           {
             Effect: "Allow",
             Principal: {
-              AWS: `arn:aws:iam::${WRAPS_PLATFORM_ACCOUNT_ID}:root`
+              AWS: `arn:aws:iam::${trustedAccountId}:root`
             },
             Action: "sts:AssumeRole",
             Condition: {
@@ -33875,14 +33876,23 @@ Run ${pc47.cyan("wraps selfhost deploy")} to deploy the self-hosted control plan
     console.log(`${key}=${value}`);
   }
   console.log("");
-  console.log(
-    "# AWS credentials for role assumption \u2014 create an IAM user in your account"
-  );
-  console.log(
-    `# with sts:AssumeRole permission on arn:aws:iam::${identity.accountId}:role/wraps-console-access-role`
-  );
-  console.log("# AWS_ACCESS_KEY_ID=<fill-in>");
-  console.log("# AWS_SECRET_ACCESS_KEY=<fill-in>");
+  console.log("# =============================================================================");
+  console.log("# AWS Backend Credentials \u2014 Vercel OIDC (recommended)");
+  console.log("# =============================================================================");
+  console.log("#");
+  console.log("# 1. In Vercel: Project Settings \u2192 Cloud \u2192 Configure AWS");
+  console.log("#    Copy the OIDC Provider URL (looks like https://oidc.vercel.com/<team-id>)");
+  console.log("#");
+  console.log("# 2. In AWS IAM \u2192 Identity providers \u2192 Add provider:");
+  console.log("#    Provider type: OpenID Connect");
+  console.log("#    Provider URL:  <your Vercel OIDC URL from step 1>");
+  console.log("#    Audience:      sts.amazonaws.com");
+  console.log("#");
+  console.log("# 3. Create an IAM role that trusts that OIDC provider, with this permission:");
+  console.log(`#    sts:AssumeRole on arn:aws:iam::${identity.accountId}:role/wraps-console-access-role`);
+  console.log("#");
+  console.log("# 4. Set AWS_ROLE_ARN to that role's ARN in Vercel:");
+  console.log(`# AWS_ROLE_ARN=arn:aws:iam::${identity.accountId}:role/<your-vercel-backend-role>`);
   clack44.outro(
     pc47.dim(
       "Paste into Vercel \u2192 Settings \u2192 Environment Variables \u2192 Add from .env"