@goldstack/infra-aws - npm Package Compare versions

Comparing version 0.3.35 to 0.3.36

dist/src/awsUserUtils.js

@@ -40,10 +40,14 @@ "use strict";
     let credentials = new aws_sdk_1.default.SharedIniFileCredentials();
+    const envVarValues = {
+        AWS_SDK_LOAD_CONFIG: process.env.AWS_SDK_LOAD_CONFIG,
+    };
     // if no access key is found, try loading process_credentials
     if (!credentials.accessKeyId) {
+        // see https://github.com/aws/aws-sdk-js/pull/1391
+        process.env.AWS_SDK_LOAD_CONFIG = '1';
         credentials = new aws_sdk_1.default.ProcessCredentials();
         await credentials.refreshPromise();
     }
+    resetEnvironmentVariables(envVarValues);
     aws_sdk_1.default.config.credentials = credentials;
-    // see https://github.com/aws/aws-sdk-js/pull/1391
-    process.env.AWS_SDK_LOAD_CONFIG = 'true';
     return credentials;
@@ -68,3 +72,3 @@ }
         if (userConfig.awsConfigFileName) {
-            // support loading from both `config` and `credentials` files, see https://github.com/goldstack/goldstack/issues/17#issuecomment-1044811805
+            // support loading from both `config` and `credentials` files, see https://github.com/goldstack/goldstack/issues/17#issuecomment-1044811805  https://github.com/aws/aws-sdk-js/pull/1391
             process.env.AWS_SDK_LOAD_CONFIG = '1';
@@ -77,7 +81,4 @@ // filename property is ignored if AWS_SDK_LOAD_CONFIG is set; thus need to set AWS_SHARED_CREDENTIALS_FILE.
         let credentials;
-        let filename;
-        if (userConfig.awsConfigFileName) {
-            filename = undefined;
-        }
-        else if (!process.env.SHARE_CREDENTIALS_FILE) {
+        let filename = undefined;
+        if (!process.env.SHARE_CREDENTIALS_FILE) {
             filename = userConfig.awsCredentialsFileName;
@@ -92,2 +93,8 @@ }
         else {
+            // Allow `AWS.ProcessCredentials` to search the default config location `~/.aws/config` in addition to `credentials`
+            // This matches most other CLI / SDK implementations (including AWS JS SDK v3) and the behaviour of most `credential_process` helper tools
+            // With this enabled, `AWS_CONFIG_FILE` must not contains an invalid path, but `AWS_SHARED_CREDENTIALS_FILE` can be missing.
+            if (!userConfig.awsCredentialsFileName) {
+                process.env.AWS_SDK_LOAD_CONFIG = '1';
+            }
             credentials = new aws_sdk_1.default.ProcessCredentials({
@@ -99,10 +106,3 @@ profile: userConfig.profile,
         }
-        Object.entries(envVarValues).forEach(([key, value]) => {
-            if (process.env[key] === undefined) {
-                delete process.env[key];
-            }
-            else {
-                process.env[key] = value;
-            }
-        });
+        resetEnvironmentVariables(envVarValues);
         if (!credentials.accessKeyId) {
@@ -157,2 +157,12 @@ throw new Error('Cannot load profile ' +
 exports.getAWSUserFromGoldstackConfig = getAWSUserFromGoldstackConfig;
+function resetEnvironmentVariables(envVarValues) {
+    Object.entries(envVarValues).forEach(([key, value]) => {
+        if (process.env[key] === undefined) {
+            delete process.env[key];
+        }
+        else {
+            process.env[key] = value;
+        }
+    });
+}
 //# sourceMappingURL=awsUserUtils.js.map

dist/src/infraAws.spec.js

@@ -10,4 +10,49 @@ "use strict";
 const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
 describe('AWS User config', () => {
-    it.skip('Should read AWS config from Goldstack config file', async () => {
+    it('Should read from AWS credentials in user folder if no config provided', async () => {
+        // Skip if not in CI https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
+        if (!process.env.GITHUB_ACTION) {
+            return;
+        }
+        console.log('RUN IN CI');
+        const awsCredentials = `
+[default]
+aws_access_key_id=fromProfileKey
+aws_secret_access_key=fromProfileSecret
+    `;
+        (0, utils_sh_1.mkdir)('-p', `${os_1.default.homedir()}/.aws`);
+        await (0, utils_sh_1.rmSafe)(`${os_1.default.homedir}/.aws/config`);
+        (0, utils_sh_1.write)(awsCredentials, `${os_1.default.homedir}/.aws/credentials`);
+        const credentials = await (0, infraAws_1.getAWSUser)('default', './invalid');
+        expect(credentials.accessKeyId).toEqual('fromProfileKey');
+        expect(credentials.secretAccessKey).toEqual('fromProfileSecret');
+    });
+    it('Should read AWS credentials process in user folder if no config provided', async () => {
+        // Skip if not in CI https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
+        if (!process.env.GITHUB_ACTION) {
+            return;
+        }
+        const awsConfig = `
+[default]
+region=us-west-2
+credential_process=cat ~/processCredentials.json
+    `;
+        (0, utils_sh_1.mkdir)('-p', `${os_1.default.homedir()}/.aws`);
+        await (0, utils_sh_1.rmSafe)(`${os_1.default.homedir}/.aws/credentials`);
+        (0, utils_sh_1.write)(awsConfig, `${os_1.default.homedir}/.aws/config`);
+        const processCredentials = `
+{
+  "Version": 1,
+  "AccessKeyId": "fromProcessCredentialsKey",
+  "SecretAccessKey": "fromProcessCredentialsSecret",
+  "SessionToken": "the AWS session token for temporary credentials",
+  "Expiration": "ISO8601 timestamp when the credentials expire"
+}`;
+        (0, utils_sh_1.write)(processCredentials, `${os_1.default.homedir}/processCredentials.json`);
+        const credentials = await (0, infraAws_1.getAWSUser)('default', './invalid');
+        expect(credentials.accessKeyId).toEqual('fromProcessCredentialsKey');
+        expect(credentials.secretAccessKey).toEqual('fromProcessCredentialsSecret');
+    });
+    it('Should read AWS config from Goldstack config file', async () => {
         const awsConfig = `{
@@ -43,8 +88,2 @@ "users": [
     });
-    // problems when initialising AWS config more than once, so leaving this as one test for now
-    // following difficult to test
-    it.skip('Should read from AWS config in user folder if no config provided', async () => {
-        const credentials = await (0, infraAws_1.getAWSUser)('default', './invalid');
-        (0, assert_1.default)(credentials.accessKeyId);
-    });
     it('Should read from AWS credentials file', async () => {
@@ -51,0 +90,0 @@ const testDir = './goldstackLocal/tests/getAWSUser';

package.json

 {
   "name": "@goldstack/infra-aws",
-  "version": "0.3.35",
+  "version": "0.3.36",
   "description": "Utilities to work with AWS infrastructure via the cli.",
@@ -5,0 +5,0 @@ "keywords": [

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

59325

increased by7.17%

Lines of code

984

increased by5.24%

Worsened metrics

Number of low supply chain risk alerts

29

increased by16%

No dependency changes