Allow profiles defined in ~/.aws/credentials to assume roles with source profiles defined in ~/.aws/config

Author: jeskew

lib/credentials/shared_ini_file_credentials.js

@@ -1,11 +1,8 @@
 var AWS = require('../core');
 var path = require('path');
+var SharedIniFile = require('../shared_ini');
 var STS = require('../../clients/sts');
 
-var configOptInEnv = 'AWS_SDK_LOAD_CONFIG';
-var sharedFileEnv = 'AWS_SHARED_CREDENTIALS_FILE';
-var defaultProfile = 'default';
-
 /**
  * Represents credentials loaded from shared credentials file
  * (defaulting to ~/.aws/credentials or defined by the
@@ -57,7 +54,7 @@ AWS.SharedIniFileCredentials = AWS.util.inherit(AWS.Credentials, {
     options = options || {};
 
     this.filename = options.filename;
-    this.profile = options.profile || process.env.AWS_PROFILE || defaultProfile;
+    this.profile = options.profile || process.env.AWS_PROFILE || AWS.util.defaultProfile;
     this.disableAssumeRole = Boolean(options.disableAssumeRole);
     this.get(function() {});
   },
@@ -76,19 +73,27 @@ AWS.SharedIniFileCredentials = AWS.util.inherit(AWS.Credentials, {
   refresh: function refresh(callback) {
     if (!callback) callback = function(err) { if (err) throw err; };
     try {
-      var profile = {};
-      if (process.env[configOptInEnv]) {
-        var config = new AWS.SharedIniFile({
+      var profiles = {};
+      if (process.env[AWS.util.configOptInEnv]) {
+        var config = new SharedIniFile({
           isConfig: true,
-          filename: process.env.AWS_CONFIG_FILE
+          filename: process.env[AWS.util.sharedConfigFileEnv]
         });
-        profile = AWS.util.merge(profile, config.getProfile(this.profile));
+        for (var i = 0, availableProfiles = config.getProfiles(); i < availableProfiles.length; i++) {
+          profiles[availableProfiles[i]] = config.getProfile(availableProfiles[i]);
+        }
       }
-      var creds = new AWS.SharedIniFile({
+      var creds = new SharedIniFile({
         filename: this.filename ||
-          (process.env[configOptInEnv] && process.env[sharedFileEnv])
+          (process.env[AWS.util.configOptInEnv] && process.env[AWS.util.sharedCredentialsFileEnv])
       });
-      profile = AWS.util.merge(profile, creds.getProfile(this.profile));
+      for (var i = 0, availableProfiles = creds.getProfiles(); i < availableProfiles.length; i++) {
+        profiles[availableProfiles[i]] = AWS.util.merge(
+          profiles[availableProfiles[i]] || {},
+          creds.getProfile(availableProfiles[i])
+        );
+      }
+      var profile = profiles[this.profile] || {};
 
       if (Object.keys(profile).length === 0) {
         throw AWS.util.error(
@@ -98,7 +103,7 @@ AWS.SharedIniFileCredentials = AWS.util.inherit(AWS.Credentials, {
       }
 
       if (profile['role_arn']) {
-        this.loadRoleProfile(creds, profile, callback);
+        this.loadRoleProfile(profiles, profile, callback);
         return;
       }
 
@@ -126,7 +131,8 @@ AWS.SharedIniFileCredentials = AWS.util.inherit(AWS.Credentials, {
     if (this.disableAssumeRole) {
       throw AWS.util.error(
         new Error('Role assumption profiles are disabled. ' +
-                  'Failed to load profile ' + this.profile),
+                  'Failed to load profile ' + this.profile +
+                  ' from ' + creds.filename),
         { code: 'SharedIniFileCredentialsProviderFailure' }
       );
     }
@@ -144,7 +150,7 @@ AWS.SharedIniFileCredentials = AWS.util.inherit(AWS.Credentials, {
       );
     }
 
-    var sourceProfile = creds.getProfile(sourceProfileName);
+    var sourceProfile = creds[sourceProfileName];
 
     if (typeof sourceProfile !== 'object') {
       throw AWS.util.error(

lib/node_loader.js

@@ -19,16 +19,15 @@ AWS.XML.Parser = require('./xml/node_parser');
 // Load Node HTTP client
 require('./http/node');
 
-// Load Node shared ini file loader
-require('./shared_ini');
-
 // Load custom credential providers
 require('./credentials/ec2_metadata_credentials');
 require('./credentials/ecs_credentials');
 require('./credentials/environment_credentials');
 require('./credentials/file_system_credentials');
 require('./credentials/shared_ini_file_credentials');
 
+var SharedIniFile = require('./shared_ini');
+
 // Setup default chain providers
 // If this changes, please update documentation for
 // AWS.CredentialProviderChain.defaultProviders in
@@ -64,15 +63,18 @@ AWS.util.update(AWS.Config.prototype.keys, {
   region: function() {
     var env = process.env;
     var region = env.AWS_REGION || env.AMAZON_REGION;
-    if (!region && env.AWS_SDK_LOAD_CONFIG) {
-      var configFile = new AWS.SharedIniFile({
-        isConfig: true,
-        filename: process.env.AWS_CONFIG_FILE
-      });
-      var profile = configFile.getProfile(
-        env.AWS_PROFILE || AWS.util.defaultProfile
-      );
-      region = profile && profile.region;
+    if (env[AWS.util.configOptInEnv]) {
+      var toCheck = [
+        {filename: env[AWS.util.sharedCredentialsFileEnv]},
+        {isConfig: true, filename: env[AWS.util.sharedConfigFileEnv]}
+      ];
+      while (!region && toCheck.length) {
+        var configFile = new SharedIniFile(toCheck.shift());
+        var profile = configFile.getProfile(
+          env.AWS_PROFILE || AWS.util.defaultProfile
+        );
+        region = profile && profile.region;
+      }
     }
     return region;
   }

lib/shared_ini.js

@@ -5,18 +5,18 @@ var path = require('path');
 /**
  * @api private
  */
-AWS.SharedIniFile = AWS.util.inherit({
+module.exports = AWS.util.inherit({
   constructor: function SharedIniFile(options) {
     options = options || {};
 
-    this.filename = options.filename;
     this.isConfig = options.isConfig === true;
+    this.filename = options.filename || this.getDefaultFilepath();
   },
 
   ensureFileLoaded: function loadFile() {
     if (!this.parsedContents) {
       this.parsedContents = AWS.util.ini.parse(
-        AWS.util.readFileSync(this.filename || this.getDefaultFilepath())
+        AWS.util.readFileSync(this.filename)
       );
     }
   },
@@ -55,5 +55,18 @@ AWS.SharedIniFile = AWS.util.inherit({
       'profile ' + profile : profile;
 
     return this.parsedContents[profileIndex];
+  },
+
+  getProfiles: function loadProfileNames() {
+    this.ensureFileLoaded();
+    var isConfig = this.isConfig;
+
+    return Object.keys(this.parsedContents).map(function(profileName) {
+      if (isConfig) {
+        return profileName.replace(/^profile\s/, '');
+      }
+
+      return profileName;
+    });
   }
 });

lib/util.js

@@ -897,7 +897,22 @@ var util = {
   /**
    * @api private
    */
-  defaultProfile: 'default'
+  defaultProfile: 'default',
+
+  /**
+   * @api private
+   */
+  configOptInEnv: 'AWS_SDK_LOAD_CONFIG',
+
+  /**
+   * @api private
+   */
+  sharedCredentialsFileEnv: 'AWS_SHARED_CREDENTIALS_FILE',
+
+  /**
+   * @api private
+   */
+  sharedConfigFileEnv: 'AWS_CONFIG_FILE'
 };
 
 module.exports = util;

test/config.spec.coffee

@@ -1,5 +1,6 @@
 helpers = require('./helpers')
 AWS = helpers.AWS
+SharedIniFile = require('../lib/shared_ini')
 
 configure = (options) -> new AWS.Config(options)
 
@@ -55,46 +56,98 @@ describe 'AWS.Config', ->
           os = require('os')
           helpers.spyOn(os, 'homedir').andReturn('/home/user')
 
+        it 'grabs region from shared credentials file if AWS_SDK_LOAD_CONFIG is set', ->
+          process.env.AWS_SDK_LOAD_CONFIG = '1'
+          helpers.spyOn(AWS.util, 'readFileSync').andCallFake (path) ->
+            if (path.match(/[\/\\]home[\/\\]user[\/\\].aws[\/\\]credentials/))
+              '''
+              [default]
+              region = us-west-2
+              '''
+            else
+              '''
+              [default]
+              region = eu-east-1
+              '''
+
+          config = new AWS.Config()
+          expect(config.region).to.equal('us-west-2')
+
+        it 'loads file from path specified in AWS_SHARED_CREDENTIALS_FILE if AWS_SDK_LOAD_CONFIG is set', ->
+          process.env.AWS_SDK_LOAD_CONFIG = '1'
+          process.env.AWS_SHARED_CREDENTIALS_FILE = '/path/to/user/config/file'
+          helpers.spyOn(AWS.util, 'readFileSync').andCallFake (path) ->
+            if (path == '/path/to/user/config/file')
+              '''
+              [default]
+              region = us-west-2
+              '''
+            else
+              '''
+              [default]
+              region = eu-east-1
+              '''
+
+          config = new AWS.Config()
+          expect(config.region).to.equal('us-west-2')
+
         it 'grabs region from shared config if AWS_SDK_LOAD_CONFIG is set', ->
           process.env.AWS_SDK_LOAD_CONFIG = '1'
-          mock = '''
-          [default]
-          region = us-west-2
-          '''
-          helpers.spyOn(AWS.util, 'readFileSync').andReturn(mock)
+          helpers.spyOn(AWS.util, 'readFileSync').andCallFake (path) ->
+            if (path.match(/[\/\\]home[\/\\]user[\/\\].aws[\/\\]config/))
+              '''
+              [default]
+              region = us-west-2
+              '''
+            else
+              '''
+              [default]
+              aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+              aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+              '''
 
           config = new AWS.Config()
           expect(config.region).to.equal('us-west-2')
-          expect(AWS.util.readFileSync.calls[0].arguments[0]).to.match(/[\/\\]home[\/\\]user[\/\\].aws[\/\\]config/)
 
         it 'loads file from path specified in AWS_CONFIG_FILE if AWS_SDK_LOAD_CONFIG is set', ->
           process.env.AWS_SDK_LOAD_CONFIG = '1'
           process.env.AWS_CONFIG_FILE = '/path/to/user/config/file'
-          mock = '''
-          [default]
-          region = us-west-2
-          '''
-          helpers.spyOn(AWS.util, 'readFileSync').andReturn(mock)
+          helpers.spyOn(AWS.util, 'readFileSync').andCallFake (path) ->
+            if (path == '/path/to/user/config/file')
+              '''
+              [default]
+              region = us-west-2
+              '''
+            else
+              '''
+              [default]
+              aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+              aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+              '''
 
           config = new AWS.Config()
           expect(config.region).to.equal('us-west-2')
-          expect(AWS.util.readFileSync.calls[0].arguments[0]).to.equal('/path/to/user/config/file')
 
         it 'uses the profile specified in AWS_PROFILE', ->
           process.env.AWS_SDK_LOAD_CONFIG = '1'
           process.env.AWS_PROFILE = 'foo'
-          mock = '''
-          [default]
-          region = us-west-1
-
-          [profile foo]
-          region = us-west-2
-          '''
-          helpers.spyOn(AWS.util, 'readFileSync').andReturn(mock)
+          helpers.spyOn(AWS.util, 'readFileSync').andCallFake (path) ->
+            if (path.match(/[\/\\]home[\/\\]user[\/\\].aws[\/\\]config/))
+              '''
+              [default]
+              region = us-west-1
+
+              [profile foo]
+              region = us-west-2
+              '''
+            else
+              '''
+              [default]
+              region = eu-east-1
+              '''
 
           config = new AWS.Config()
           expect(config.region).to.equal('us-west-2')
-          expect(AWS.util.readFileSync.calls[0].arguments[0]).to.match(/[\/\\]home[\/\\]user[\/\\].aws[\/\\]config/)
 
         it 'prefers AWS_REGION to the shared config file', ->
           process.env.AWS_REGION = 'us-east-1'