feat: defer to node chain in cliv2compat

Author: kuhe

packages/credential-providers/README.md

@@ -827,7 +827,7 @@ Successfully signed out of all SSO profiles.
 ### Sample files
 
 This credential provider is only applicable if the profile specified in shared configuration and
-credentials files contain ALL of the following entries.
+credentials files contain ALL the following entries.
 
 #### `~/.aws/credentials`
 
@@ -950,7 +950,47 @@ new S3({
 });
 ```
 
-## `resolveAwsCliV2Region()`
+## `fromAwsCliV2CompatibleProviderChain()`
+
+- Not available in browsers & native apps.
+
+A credential provider that follows the same priority order as the AWS CLI v2 credential resolution.
+This credential provider will attempt to find credentials from the following sources (listed in
+order of precedence):
+
+- Inline code static credentials
+- **when a profile is specified**:
+  - Same resolution as the [fromIni](#fromini) provider.
+- **when a profile is not specified**:
+  - [Environment variables exposed via `process.env`](#fromenv)
+  - [Web identity token credentials](#fromtokenfile)
+  - [SSO credentials from token cache](#fromsso)
+  - [From Credential Process](#fromprocess)
+  - [From Instance and Container Metadata Service](#fromcontainermetadata-and-frominstancemetadata)
+
+```js
+import { fromAwsCliV2CompatibleProviderChain, resolveAwsCliV2Region } from "@aws-sdk/credential-providers";
+import { S3Client } from "@aws-sdk/client-s3";
+
+const s3Client = new S3Client({
+  profile: "my-profile",
+
+  // Implements AWS CLI v2-compatible credential resolution and proxy settings.
+  credentials: fromAwsCliV2CompatibleProviderChain({}),
+
+  // Implements AWS CLI v2 region resolution logic.
+  region: resolveAwsCliV2Region({
+    // (!) this duplication is required if not using the "default" profile.
+    profile: "my-profile",
+    defaultRegion: "us-east-1", // optional
+  }),
+});
+```
+
+### `resolveAwsCliV2Region()`
+
+- This is not a credential resolver. It is a region resolver included here for ease of access.
+- Not available in browsers & native apps.
 
 The region is resolved using the following order of precedence (highest to lowest) in the cli v2.
 
@@ -971,56 +1011,6 @@ The region is resolved using the following order of precedence (highest to lowes
    - Uses provided default region if specified
    - Returns undefined if no region can be determined
 
-Basic Usage
-
-```
-import { resolveAwsCliV2Region } from "@aws-sdk/credential-providers";
-import { S3Client } from "@aws-sdk/client-s3";
-
-const client = new S3Client({
-  region: await resolveAwsCliV2Region({})
-});
-
-```
-
-## `fromAwsCliV2CompatibleProviderChain()`
-
-A credential provider that follows the same priority chain as AWS CLI v2 for credential resolution.
-This credential provider will attempt to find credentials from the following sources (listed in
-order of precedence):
-
-- Static credentials
-- [Shared credentials and config ini files](#fromini) when a profile is specified
-- [Environment variables exposed via `process.env`](#fromenv)
-- [Web identity token credentials](#fromtokenfile)
-- [SSO credentials from token cache](#fromsso)
-- [From Credential Process](#fromprocess)
-- [From Instance and Container Metadata Service](#fromcontainermetadata-and-frominstancemetadata)
-
-Example:
-
-```
-Import {
-  fromAwsCliV2CompatibleProviderChain,
-  resolveAwsCliV2Region
-} from "@aws-sdk/credential-providers";
-import { S3Client } from "@aws-sdk/client-s3";
-
-const s3Client = new S3Client({
-  profile: 'application-profile',
-
-  // Implements AWS CLI-compatible credential resolution and proxy settings.
-  credentials: fromAwsCliV2CompatibleProviderChain({
-    proxyUrl: "http://localhost:8080", // Optional: Uses proxy settings.
-    certificateBundle: "/home/user/certificate.pem", // Optional: Custom CA bundle.
-  }),
-
-  // Implements AWS CLI region resolution logic.
-  region: resolveAwsCliV2Region(),
-  // Other configurations like retry strategy, logging, etc.
-});
-```
-
 ## Add Custom Headers to STS assume-role calls
 
 You can specify the plugins--groups of middleware, to inject to the STS client.

packages/credential-providers/src/fromAwsCliV2CompatibleProviderChain.spec.ts

@@ -1,16 +1,19 @@
-import { fromInstanceMetadata } from "@smithy/credential-provider-imds";
-import { CredentialsProviderError } from "@smithy/property-provider";
+import type { Exact } from "@smithy/types";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 
-import { fromAwsCliV2CompatibleProviderChain } from "./fromAwsCliV2CompatibleProviderChain";
+import {
+  AwsCliV2CompatibleProviderOptions,
+  fromAwsCliV2CompatibleProviderChain,
+} from "./fromAwsCliV2CompatibleProviderChain";
+
+// the options type should have no required fields.
+type Assert = Exact<AwsCliV2CompatibleProviderOptions, Partial<AwsCliV2CompatibleProviderOptions>>;
+const typeAssertion: Assert = true as const;
+void typeAssertion;
 
 describe("fromAwsCliV2CompatibleProviderChain", () => {
   let mockFromIni: any;
-  let mockFromEnv: any;
-  let mockFromTokenFile: any;
-  let mockFromSSO: any;
-  let mockFromProcess: any;
-  let mockFromInstanceMetadata: any;
+  let mockFromNodeProviderChain: any;
 
   const mockLogger = {
     debug: vi.fn(),
@@ -33,61 +36,14 @@ describe("fromAwsCliV2CompatibleProviderChain", () => {
       fromIni: mockFromIni,
     }));
 
-    mockFromEnv = vi.fn(async () => ({
-      accessKeyId: "ENV_ACCESS_KEY",
-      secretAccessKey: "ENV_SECRET_KEY",
-    }));
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => mockFromEnv,
-    }));
-    mockFromEnv = vi.fn(async () => {
-      return {
-        accessKeyId: "ENV_ACCESS_KEY",
-        secretAccessKey: "ENV_SECRET_KEY",
-      };
-    });
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => mockFromEnv,
-    }));
-
-    mockFromTokenFile = vi.fn(async () => {
-      return {
-        accessKeyId: "TOKEN_ACCESS_KEY",
-        secretAccessKey: "TOKEN_SECRET_KEY",
-      };
-    });
-    vi.doMock("@aws-sdk/credential-provider-web-identity", () => ({
-      fromTokenFile: () => mockFromTokenFile,
-    }));
-
-    mockFromSSO = vi.fn(async () => {
-      return {
-        accessKeyId: "SSO_ACCESS_KEY",
-        secretAccessKey: "SSO_SECRET_KEY",
-      };
-    });
-    vi.doMock("@aws-sdk/credential-provider-sso", () => ({
-      fromSSO: () => mockFromSSO,
-    }));
-
-    mockFromProcess = vi.fn(async () => {
-      return {
-        accessKeyId: "PROCESS_ACCESS_KEY",
-        secretAccessKey: "PROCESS_SECRET_KEY",
-      };
-    });
-    vi.doMock("@aws-sdk/credential-provider-process", () => ({
-      fromProcess: () => mockFromProcess,
-    }));
-
-    mockFromInstanceMetadata = vi.fn(async () => {
-      return {
-        accessKeyId: "REMOTE_ACCESS_KEY",
-        secretAccessKey: "REMOTE_SECRET_KEY",
-      };
-    });
-    vi.doMock("@smithy/credential-provider-imds", () => ({
-      fromInstanceMetadata: () => mockFromInstanceMetadata,
+    mockFromNodeProviderChain = vi.fn(() =>
+      vi.fn(async () => ({
+        accessKeyId: "AWS_SDK_CHAIN_AK",
+        secretAccessKey: "AWS_SDK_CHAIN_SK",
+      }))
+    );
+    vi.doMock("@aws-sdk/credential-provider-node", () => ({
+      defaultProvider: mockFromNodeProviderChain,
     }));
   });
 
@@ -109,170 +65,22 @@ describe("fromAwsCliV2CompatibleProviderChain", () => {
     });
 
     expect(mockFromIni).toHaveBeenCalled();
-    expect(mockLogger.debug).toHaveBeenCalledWith(expect.stringContaining("Using fromIni with profile:test-profile"));
-  });
-
-  it("should fall back to environment variables if no profile is provided", async () => {
-    const provider = fromAwsCliV2CompatibleProviderChain({
-      logger: mockLogger,
-    });
-
-    const result = await provider();
-
-    expect(result).toEqual({
-      accessKeyId: "ENV_ACCESS_KEY",
-      secretAccessKey: "ENV_SECRET_KEY",
-    });
-
-    expect(mockFromEnv).toHaveBeenCalled();
-    expect(mockLogger.debug).toHaveBeenCalledWith(expect.stringContaining("Using from custom credential chain"));
-  });
-
-  it("should fall back to web identity credentials when environment variables are unavailable", async () => {
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.reject(new CredentialsProviderError("No env credentials")),
-    }));
-
-    const provider = fromAwsCliV2CompatibleProviderChain({ logger: mockLogger });
-
-    const result = await provider();
-
-    expect(result).toEqual({
-      accessKeyId: "TOKEN_ACCESS_KEY",
-      secretAccessKey: "TOKEN_SECRET_KEY",
-    });
-
-    expect(mockFromTokenFile).toHaveBeenCalled();
-  });
-
-  it("should fall back to SSO credentials when web identity is unavailable", async () => {
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.reject(new CredentialsProviderError("No env credentials")),
-    }));
-    vi.doMock("@aws-sdk/credential-provider-web-identity", () => ({
-      fromTokenFile: () => () => Promise.reject(new CredentialsProviderError("No token file")),
-    }));
-
-    const provider = fromAwsCliV2CompatibleProviderChain({ logger: mockLogger });
-
-    const result = await provider();
-
-    expect(result).toEqual({
-      accessKeyId: "SSO_ACCESS_KEY",
-      secretAccessKey: "SSO_SECRET_KEY",
-    });
-
-    expect(mockFromSSO).toHaveBeenCalled();
-  });
-
-  it("should fall back to process credentials when SSO is unavailable", async () => {
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.reject(new CredentialsProviderError("No env credentials")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-ini", () => ({
-      fromIni: () => () => Promise.reject(new CredentialsProviderError("No ini credentials")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-web-identity", () => ({
-      fromTokenFile: () => () => Promise.reject(new CredentialsProviderError("No token file")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-sso", () => ({
-      fromSSO: () => () => Promise.reject(new CredentialsProviderError("No SSO credentials")),
-    }));
-
-    mockFromProcess = vi.fn().mockResolvedValue({
-      accessKeyId: "PROCESS_ACCESS_KEY",
-      secretAccessKey: "PROCESS_SECRET_KEY",
-    });
-
-    vi.doMock("@aws-sdk/credential-provider-process", () => ({
-      fromProcess: () => mockFromProcess,
-    }));
-
-    vi.doMock("@smithy/credential-provider-imds", () => ({
-      fromInstanceMetadata: () => mockFromInstanceMetadata,
-    }));
-
-    const { fromAwsCliV2CompatibleProviderChain } = await import("./fromAwsCliV2CompatibleProviderChain");
-    const provider = fromAwsCliV2CompatibleProviderChain({
-      logger: mockLogger,
-    });
-
-    const result = await provider();
-
-    expect(result).toEqual({
-      accessKeyId: "PROCESS_ACCESS_KEY",
-      secretAccessKey: "PROCESS_SECRET_KEY",
-    });
-    expect(mockFromProcess).toHaveBeenCalled();
+    expect(mockLogger.debug).toHaveBeenCalledWith(
+      `@aws-sdk/credential-providers - fromAwsCliV2CompatibleProviderChain - Using fromIni with profile: test-profile`
+    );
   });
 
-  it("should fall back to remote credentials when process credentials are unavailable", async () => {
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.reject(new CredentialsProviderError("No env credentials")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-ini", () => ({
-      fromIni: () => () => Promise.reject(new CredentialsProviderError("No ini credentials")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-web-identity", () => ({
-      fromTokenFile: () => () => Promise.reject(new CredentialsProviderError("No token file")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-sso", () => ({
-      fromSSO: () => () => Promise.reject(new CredentialsProviderError("No SSO credentials")),
-    }));
-
-    vi.doMock("@aws-sdk/credential-provider-process", () => ({
-      fromProcess: () => () => Promise.reject(new CredentialsProviderError("No process credentials")),
-    }));
-
-    mockFromInstanceMetadata = vi.fn().mockResolvedValue({
-      accessKeyId: "REMOTE_ACCESS_KEY",
-      secretAccessKey: "REMOTE_SECRET_KEY",
-    });
-
-    vi.doMock("@smithy/credential-provider-imds", () => ({
-      fromInstanceMetadata: () => mockFromInstanceMetadata,
-    }));
-
-    const { fromAwsCliV2CompatibleProviderChain } = await import("./fromAwsCliV2CompatibleProviderChain");
+  it.only("should fall back to fromNodeProviderChain when no profile is specified", async () => {
     const provider = fromAwsCliV2CompatibleProviderChain({
-      logger: mockLogger,
+      logger: console,
     });
 
     const result = await provider();
 
     expect(result).toEqual({
-      accessKeyId: "REMOTE_ACCESS_KEY",
-      secretAccessKey: "REMOTE_SECRET_KEY",
+      accessKeyId: "AWS_SDK_CHAIN_AK",
+      secretAccessKey: "AWS_SDK_CHAIN_SK",
     });
-    expect(mockFromInstanceMetadata).toHaveBeenCalled();
-  });
-
-  it("should throw error when no credentials are found", async () => {
-    vi.doMock("@aws-sdk/credential-provider-env", () => ({
-      fromEnv: () => () => Promise.reject(new CredentialsProviderError("No env credentials")),
-    }));
-    vi.doMock("@aws-sdk/credential-provider-web-identity", () => ({
-      fromTokenFile: () => () => Promise.reject(new CredentialsProviderError("No token file")),
-    }));
-    vi.doMock("@aws-sdk/credential-provider-sso", () => ({
-      fromSSO: () => () => Promise.reject(new CredentialsProviderError("No SSO credentials")),
-    }));
-    vi.doMock("@aws-sdk/credential-provider-process", () => ({
-      fromProcess: () => () => Promise.reject(new CredentialsProviderError("No process credentials")),
-    }));
-    vi.doMock("@smithy/credential-provider-imds", () => ({
-      fromInstanceMetadata: () => () => Promise.reject(new CredentialsProviderError("No remote credentials")),
-    }));
-    const { fromAwsCliV2CompatibleProviderChain } = await import("./fromAwsCliV2CompatibleProviderChain");
-    const provider = fromAwsCliV2CompatibleProviderChain({ logger: mockLogger });
-
-    await expect(provider()).rejects.toThrow(CredentialsProviderError);
-    await expect(provider()).rejects.toThrow("Could not load credentials from any providers");
+    expect(mockFromNodeProviderChain).toHaveBeenCalled();
   });
 });