From 01fec04ea8c0e33a406e6727801f8bc133a21196 Mon Sep 17 00:00:00 2001
From: Otavio Macedo <288203+otaviomacedo@users.noreply.github.com>
Date: Sat, 14 Dec 2024 08:05:53 +0000
Subject: [PATCH] fix(cli): getting credentials via SSO fails when the region is set in the profile (#32520)

We were reading the region from the config file and passing it to the credential providers. However, in the case of SSO, this makes the credential provider use that region to do the SSO flow, which is incorrect. The region that should be used for that is the one set in the `sso_session` section of the config file. The long term solution is for all the logic for handling regions in the SDK itself, without forcing consumers to know all the intricacies of all the use cases. As a mitigation for now, we are using the non-public `parentClientConfig` while we wait for an SDK update. Fixes https://github.com/aws/aws-cdk/issues/32510. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../aws-cdk/lib/api/aws-auth/awscli-compatible.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
index 319e75e3bdb79..3c1fec2604abd 100644
--- a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -34,6 +34,19 @@ export class AwsCliCompatible {
       requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
       customUserAgent: 'aws-cdk',
       logger: options.logger,
+    };
+
+    // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
+    //
+    // Summary of the problem: we were reading the region from the config file and passing it to
+    // the credential providers. However, in the case of SSO, this makes the credential provider
+    // use that region to do the SSO flow, which is incorrect. The region that should be used for
+    // that is the one set in the sso_session section of the config file.
+    //
+    // The idea here: the "clientConfig" is for configuring the inner auth client directly,
+    // and has the highest priority, whereas "parentClientConfig" is the upper data client
+    // and has lower priority than the sso_region but still higher priority than STS global region.
+    const parentClientConfig = {
       region: await this.region(options.profile),
     };
     /**
@@ -51,6 +64,7 @@ export class AwsCliCompatible {
         ignoreCache: true,
         mfaCodeProvider: tokenCodeFn,
         clientConfig,
+        parentClientConfig,
         logger: options.logger,
       }));
     }
@@ -83,6 +97,7 @@ export class AwsCliCompatible {
     const nodeProviderChain = fromNodeProviderChain({
       profile: envProfile,
       clientConfig,
+      parentClientConfig,
       logger: options.logger,
       mfaCodeProvider: tokenCodeFn,
       ignoreCache: true,
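Review bot: The comment block above `const parentClientConfig` never records what the commit message does say — that `parentClientConfig` is a non-public SDK option used only until the SDK resolves the SSO region itself — so nothing in the file marks this as temporary; add a line such as `// TODO(<sdk-tracking-issue placeholder>): parentClientConfig is not a public SDK option; drop it once the SDK resolves sso_region on its own.` Because the option is undocumented, a later SDK bump could stop honouring it without any type error, which would silently send the SSO token flow back to the profile region; a unit test asserting that the region passed to `fromIni` and `fromNodeProviderChain` (the second and third hunks) arrives via `parentClientConfig` rather than `clientConfig` would catch that regression. Note also that `clientConfig` no longer carries any region, so the assume-role (STS) path from an ini profile now relies entirely on the "higher priority than STS global region" behaviour the comment attributes to `parentClientConfig` — worth covering in the same test. The enclosing method starts and ends outside this hunk.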