hub / github.com/codeaashu/claude-code / getAwsCredsFromCredentialExport

Function getAwsCredsFromCredentialExport

src/utils/auth.ts:705–780  ·  view source on GitHub ↗

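Runs the configured awsCredentialExport command to get credentials and set environment variables. Expects the command to emit JSON output containing AWS credentials. In the listing below, the command string is run through a shell, and only after the STS caller-identity check has failed. A command that comes from project settings is refused until workspace trust has been accepted, but that refusal applies to interactive sessions only; in a non-interactive session the trust check does not block execution.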

()

Source from the content-addressed store, hash-verified

703 * Expects JSON output containing AWS credentials
704 */
705async function getAwsCredsFromCredentialExport(): Promise<{
706 accessKeyId: string
707 secretAccessKey: string
708 sessionToken: string
709} | null> {
710 const awsCredentialExport = getConfiguredAwsCredentialExport()
711
712 if (!awsCredentialExport) {
713 return null
714 }
715
716 // SECURITY: Check if awsCredentialExport is from project settings
717 if (isAwsCredentialExportFromProjectSettings()) {
718 // Check if trust has been established for this project
719 const hasTrust = checkHasTrustDialogAccepted()
720 if (!hasTrust && !getIsNonInteractiveSession()) {
721 const error = new Error(
722 `Security: awsCredentialExport executed before workspace trust is confirmed. If you see this message, post in ${MACRO.FEEDBACK_CHANNEL}.`,
723 )
724 logAntError('awsCredentialExport invoked before trust check', error)
725 logEvent('tengu_awsCredentialExport_missing_trust', {})
726 return null
727 }
728 }
729
730 try {
731 logForDebugging(
732 'Fetching AWS caller identity for credential export command',
733 )
734 await checkStsCallerIdentity()
735 logForDebugging(
736 'Fetched AWS caller identity, skipping AWS credential export command',
737 )
738 return null
739 } catch {
740 // only actually do the export if caller-identity calls
741 try {
742 logForDebugging('Running AWS credential export command')
743 const result = await execa(awsCredentialExport, {
744 shell: true,
745 reject: false,
746 })
747 if (result.exitCode !== 0 || !result.stdout) {
748 throw new Error('awsCredentialExport did not return a valid value')
749 }
750
751 // Parse the JSON output from aws sts commands
752 const awsOutput = jsonParse(result.stdout.trim())
753
754 if (!isValidAwsStsOutput(awsOutput)) {
755 throw new Error(
756 'awsCredentialExport did not return valid AWS STS output structure',
757 )
758 }
759
760 logForDebugging('AWS credentials retrieved from awsCredentialExport')
761 return {
762 accessKeyId: awsOutput.Credentials.AccessKeyId,

Callers 1

auth.ts (File) · 0.85

Calls 11

logAntError (Function) · 0.85
logEvent (Function) · 0.85
logForDebugging (Function) · 0.85
checkStsCallerIdentity (Function) · 0.85
jsonParse (Function) · 0.85
isValidAwsStsOutput (Function) · 0.85
error (Method) · 0.45

Tested by

no test coverage detected