Skip to content

Commit

Permalink
fix(cli): credential plugin exceptions stop the entire CLI (#26244)
Browse files Browse the repository at this point in the history
Credential provider plugins may sometimes misbehave.

Catch any exceptions they may throw and continue.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
rix0rrr authored Jul 12, 2023
1 parent c755f50 commit 1a8f5ad
Showing 1 changed file with 21 additions and 3 deletions.
24 changes: 21 additions & 3 deletions packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import { debug } from './_env';
import { Mode } from './credentials';
import { warning } from '../../logging';
import { CredentialProviderSource, PluginHost } from '../plugin';

/**
Expand Down Expand Up @@ -33,12 +34,29 @@ export class CredentialPlugins {
const triedSources: CredentialProviderSource[] = [];
// Otherwise, inspect the various credential sources we have
for (const source of PluginHost.instance.credentialProviderSources) {
if (!(await source.isAvailable())) {
let available: boolean;
try {
available = await source.isAvailable();
} catch (e: any) {
// This shouldn't happen, but let's guard against it anyway
warning(`Uncaught exception in ${source.name}: ${e.message}`);
available = false;
}

if (!available) {
debug('Credentials source %s is not available, ignoring it.', source.name);
continue;
}
triedSources.push(source);
if (!(await source.canProvideCredentials(awsAccountId))) { continue; }
let canProvide: boolean;
try {
canProvide = await source.canProvideCredentials(awsAccountId);
} catch (e: any) {
// This shouldn't happen, but let's guard against it anyway
warning(`Uncaught exception in ${source.name}: ${e.message}`);
canProvide = false;
}
if (!canProvide) { continue; }
debug(`Using ${source.name} credentials for account ${awsAccountId}`);
const providerOrCreds = await source.getProvider(awsAccountId, mode);

Expand All @@ -55,4 +73,4 @@ export class CredentialPlugins {
export interface PluginCredentials {
readonly credentials: AWS.Credentials;
readonly pluginName: string;
}
}

0 comments on commit 1a8f5ad

Please sign in to comment.