* Run awsCredentialExport to get credentials and set environment variables * Expects JSON output containing AWS credentials
| 703 | * Expects JSON output on stdout in the `aws sts` response shape: a `Credentials` object (read as `awsOutput.Credentials.*`) that must pass `isValidAwsStsOutput` and is expected to carry the access key id, secret key and session token the caller receives. The configured command is executed through a shell (`shell: true`), so a value taken from project settings is only run once workspace trust has been confirmed — note the trust gate is skipped in a non-interactive session — and only if the STS caller-identity check fails first. |
| 704 | */ |
| 705 | async function getAwsCredsFromCredentialExport(): Promise<{ |
| 706 | accessKeyId: string |
| 707 | secretAccessKey: string |
| 708 | sessionToken: string |
| 709 | } | null> { |
| 710 | const awsCredentialExport = getConfiguredAwsCredentialExport() |
| 711 | |
| 712 | if (!awsCredentialExport) { |
| 713 | return null |
| 714 | } |
| 715 | |
| 716 | // SECURITY: Check if awsCredentialExport is from project settings |
| 717 | if (isAwsCredentialExportFromProjectSettings()) { |
| 718 | // Check if trust has been established for this project |
| 719 | const hasTrust = checkHasTrustDialogAccepted() |
| 720 | if (!hasTrust && !getIsNonInteractiveSession()) { |
| 721 | const error = new Error( |
| 722 | `Security: awsCredentialExport executed before workspace trust is confirmed. If you see this message, post in ${MACRO.FEEDBACK_CHANNEL}.`, |
| 723 | ) |
| 724 | logAntError('awsCredentialExport invoked before trust check', error) |
| 725 | logEvent('tengu_awsCredentialExport_missing_trust', {}) |
| 726 | return null |
| 727 | } |
| 728 | } |
| 729 | |
| 730 | try { |
| 731 | logForDebugging( |
| 732 | 'Fetching AWS caller identity for credential export command', |
| 733 | ) |
| 734 | await checkStsCallerIdentity() |
| 735 | logForDebugging( |
| 736 | 'Fetched AWS caller identity, skipping AWS credential export command', |
| 737 | ) |
| 738 | return null |
| 739 | } catch { |
| 740 | // Only actually run the export command when the caller-identity check fails (no usable credentials already in the environment). |
| 741 | try { |
| 742 | logForDebugging('Running AWS credential export command') |
| 743 | const result = await execa(awsCredentialExport, { |
| 744 | shell: true, |
| 745 | reject: false, |
| 746 | }) |
| 747 | if (result.exitCode !== 0 || !result.stdout) { |
| 748 | throw new Error('awsCredentialExport did not return a valid value') |
| 749 | } |
| 750 | |
| 751 | // Parse the JSON output from aws sts commands |
| 752 | const awsOutput = jsonParse(result.stdout.trim()) |
| 753 | |
| 754 | if (!isValidAwsStsOutput(awsOutput)) { |
| 755 | throw new Error( |
| 756 | 'awsCredentialExport did not return valid AWS STS output structure', |
| 757 | ) |
| 758 | } |
| 759 | |
| 760 | logForDebugging('AWS credentials retrieved from awsCredentialExport') |
| 761 | return { |
| 762 | accessKeyId: awsOutput.Credentials.AccessKeyId, |