(cli): CLI may fail on credentials coming from credential provider plugins

[HBobertz]

Please add your +1 👍 to let us know you have encountered this

Status: IN-PROGRESS

Overview:

Regression introduced here: #32354

It seems credential plugins returning empty credentials, or credentials with null expiration fields, would cause the CLI to throw an exception from CDK versions >=2.172.0 and <=2.173.1

UPDATE: As of patch release 2.173.2 it appears some customers are still reporting impact, if you are impacted please downgrade your cdk version to <= 2.171.0.

Complete Error Message:

Plugin returned a value that doesn't resemble AWS credentials: myAwesomeCredentials {
  expired: false,
  expireTime: 1970-01-01T00:00:00.000Z,
  // ...
}

or

TypeError: Cannot read properties of null (reading 'getTime')

Workaround:

Downgrade to CDK version <=2.171.0

Solution:

Upgrade to CDK version 2.173.2

Some users are reporting that even after upgrading to version 2.173.2, they are still seeing the same failures. If upgrading to version <=2.171.0

Related Issues:

---

Original issue

Describe the bug

The CDK Cli from versions 2.172.0 to 2.173.1 improperly handled edge case scenarios related to credential providers.
Specifically the scenarios where the CLI would throw an error were:

Credential Provider plugins providing initially empty credentials, which would fail a property check validating if the credentials were SDKv2 configured, causing the CLI to reject the credentials:

Plugin returned a value that doesn't resemble AWS credentials: myAwesomeCredentials {
  expired: false,
  expireTime: 1970-01-01T00:00:00.000Z,
  // ...
}

Or if the credentials specifically had a null value for expiration time which would result in an expiration time check throwing an exception:

TypeError: Cannot read properties of null (reading 'getTime')

If your CLI credential provider plugin was returning credentials in either state, then any CDK Command requiring credentials would fail.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.171.0

Expected Behavior

CLI should not throw exceptions when receiving empty credentials or credentials with null expiration times as these are potentially valid states for a credential provider to return.

Current Behavior

If the credential provider returns empty credentials the, CLI Throws with the error:

Plugin returned a value that doesn't resemble AWS credentials:

and if the credentials expiration field is null instead of undefined the CLI throws with the error:

TypeError: Cannot read properties of null (reading 'getTime')

Reproduction Steps

Run any cdk cli command which requires credentials with a credential provider returning either empty credentials, or a null value for expiration

cdk bootstrap

Possible Solution

Upgrade to cdk version 2.173.2

Additional Information/Context

No response

CDK CLI Version

2.173.0

Framework Version

No response

Node.js Version

v22.12.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[HBobertz]

Fixed by #32554 and #32552

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

[HBobertz]

Re-opening issue as some customers are still reporting impact on version 2.173.2

Unfortunately this happened on Christmas eve, but calling out to downgrade version if you are affected for now