Skip to content

fix(cli): Add the import-utils.ts:207-213 account-mismatch check to... (#761)#43

Draft
aidandaly24 wants to merge 1 commit into
mainfrom
fix/761
Draft

fix(cli): Add the import-utils.ts:207-213 account-mismatch check to... (#761)#43
aidandaly24 wants to merge 1 commit into
mainfrom
fix/761

Conversation

@aidandaly24

Copy link
Copy Markdown
Owner

Refs aws#761

Issues

  • Better error handling during deploy for valid creds but for a different account aws/agentcore-cli#761 — Running agentcore deploy with valid AWS credentials for an account different from the one in aws-targets.json proceeds through load-target, validate, dependency, build, synth, and stack-status steps and only fails at the publish-assets/deploy step with a generic CDK error. The user gets no clear, early "your credentials are for account X but the target is account Y" message even though the CLI already has exactly that check for import.

Root cause

Deploy preflight validateAwsCredentials() (preflight.ts:143 -> account.ts:66-78) only null-checks detectAccount() and never compares caller account to target.account; the mismatch surfaces only when the CDK toolkit publishes assets/assumes roles into aws://{target.account}/{region} (bootstrap.ts:45 used at preflight.ts:333; wrapper.ts:246-256). The guard exists only for import (import-utils.ts:207-213), never ported to deploy.

The fix

Add the import-utils.ts:207-213 account-mismatch check to deploy preflight. Cleanest approach: thread the selected target/account into validateProject() and, after the validateAwsCredentials() call (preflight.ts:143), call detectAccount() and throw a ValidationError when callerAccount !== target.account (reuse the import-utils message and the existing detectAccount() helper — no new design beyond choosing how to pass the resolved target into validateProject). Because both the headless CLI path (commands/deploy/actions.ts handleDeploy) and the TUI path (tui/hooks/useCdkPreflight.ts) route through validateProject(), centralizing it there covers both; also cover the teardown-deferred credential branches (actions.ts:222-226 and useCdkPreflight.ts:442-457) so teardown deploys get the same check after confirmation. Skip the comparison only when detectAccount() returns null (let the existing no-credentials path handle that).

Files touched: src/cli/operations/deploy/preflight.ts (validateProject, add account compare after validateAwsCredentials at ~line 143 — requires threading the selected target into validateProject); src/cli/commands/deploy/actions.ts (target resolved ~line 158; teardown-deferred creds check ~lines 222-226); src/cli/tui/hooks/useCdkPreflight.ts (teardown-deferred creds branch ~lines 442-457); reuse the exact pattern + message from src/cli/commands/import/import-utils.ts:207-213; helpers detectAccount()/validateAwsCredentials() in src/cli/aws/account.ts:22-78

Validation evidence

The fix was verified by reproducing the original symptom and re-running after the change:

BEFORE (symptom reproduced): Reverted only production code (src/cli/operations/deploy/preflight.ts + src/cli/aws/account.ts) to original HEAD while keeping the fix's test file, then ran preflight.test.ts. The 'fails fast when caller account differs from the selected target account' test FAILED: 'AssertionError: promise resolved "{ projectSpec: ... }" instead of rejecting'. This proves the original validateProject() (no-arg signature at preflight.ts:68, only validateAwsCredentials() at line 145) completed preflight successfully on an account mismatch and would have proceeded to build/synth/publish, then failed late with an opaque CDK assume-role/bootstrap error -- exactly the wasted-workflow symptom. AFTER (symptom gone): Restored fixed code. preflight.test.ts 16/16 pass. Real wiring verified: preflight.ts:149-151 resolves selectedTarget ?? awsTargets[0] and calls the real assertCallerAccountMatchesTarget (account.ts:88-95), whose message is byte-identical to import-utils.ts:207-213. Teardown branches guarded at actions.ts:253 and useCdkPreflight.ts:445-448. Adversarial extra: a throwaway test exercising the REAL helper with only the AWS SDK mocked (real detectAccount) confirmed it throws ValidationError naming both accounts (caller 111111111111 vs target "prod"/222222222222) on mismatch, resolves on equal accounts, and skips when detectAccount returns null; removed afterward to keep the diff surgical. Full unit suite green: 377 files / 5454 tests passing.

Test suite: green.


Staged on the fork as a draft for human review. Promote to aws/agentcore-cli after vetting.

…existing detectAccount()/import-utils message, no behavior change when accounts match or no credentials present
@github-actions github-actions Bot added size/m PR size: M agentcore-harness-reviewing AgentCore Harness review in progress and removed agentcore-harness-reviewing AgentCore Harness review in progress labels Jun 25, 2026
@github-actions

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.16% 13596 / 36587
🔵 Statements 36.43% 14455 / 39677
🔵 Functions 31.79% 2333 / 7337
🔵 Branches 31.1% 9004 / 28943
Generated in workflow #97 for commit 0df5e07 by the Vitest Coverage Report Action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/m PR size: M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant