fix(provider-awscloudformation): MFA role assumption fails with cached credentials after v14.2.2.

danrivett · danrivett · commit 9644c0bbe514 · 2026-02-26T15:43:29.000-08:00
This commit fixes three related bugs in the credential caching logic for MFA-based role assumption that were introduced in commit 04f7bcf (PR aws-amplify#14315 "fix: role assumption through profiles not working properly"). Bug 1: MFA prompt never appears ---------------------------------------- getCachedRoleCredentials() always returned an object `{ credentials: {} }` even when no valid cached credentials existed. This caused the check `if (!roleCredentials)` in getRoleCredentials() to always be false, so the STS AssumeRole call with MFA token was never executed. Fix: Return undefined when no valid cached credentials exist. Bug 2: Credential cache validation always fails ---------------------------------------- Credentials were cached in nested format `{ credentials: { accessKeyId, ... } }` but validateCachedCredentials() expected flat format `{ accessKeyId, ... }`. This caused cache validation to always fail, prompting for MFA on every call. Fix: Cache the flat credentials object (roleCredentials.credentials) instead of the nested wrapper. Bug 3: "identity.expiration.getTime is not a function" error ---------------------------------------- When credentials are read from the JSON cache file, the Date object for expiration is deserialized as a string. The AWS SDK's @smithy/core module calls expiration.getTime() which fails on a string. The fix in PR aws-amplify#14315 only addressed this in getConfiguredAWSClientConfig(), but getProfiledAwsConfig() is called directly during env checkout without going through that code path. Fix: Convert expiration to Date when returning cached credentials.
diff --git a/packages/amplify-provider-awscloudformation/src/system-config-manager.ts b/packages/amplify-provider-awscloudformation/src/system-config-manager.ts
@@ -186,7 +186,7 @@ const getRoleCredentials = async (context: $TSContext, profileName: string, prof
       log(ex);
     }
     if (profileConfig.role_arn && roleSessionName && roleCredentials) {
-      cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials);
+      cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials.credentials);
     }
   }
 
@@ -245,9 +245,14 @@ const getCachedRoleCredentials = (roleArn: string, sessionName: string): $TSAny
       return undefined;
     }
   }
+  if (!roleCredentials) {
+    return undefined;
+  }
   return {
     credentials: {
       ...roleCredentials,
+      // Ensure expiration is a Date object (JSON serialization converts it to string)
+      expiration: roleCredentials.expiration ? new Date(roleCredentials.expiration) : undefined,
     },
   };
 };

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ const getRoleCredentials = async (context: $TSContext, profileName: string, prof`
`186`	`186`	`log(ex);`
`187`	`187`	`}`
`188`	`188`	`if (profileConfig.role_arn && roleSessionName && roleCredentials) {`
`189`		`- cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials);`
	`189`	`+ cacheRoleCredentials(profileConfig.role_arn, roleSessionName, roleCredentials.credentials);`
`190`	`190`	`}`
`191`	`191`	`}`
`192`	`192`
`@@ -245,9 +245,14 @@ const getCachedRoleCredentials = (roleArn: string, sessionName: string): $TSAny`
`245`	`245`	`return undefined;`
`246`	`246`	`}`
`247`	`247`	`}`
	`248`	`+ if (!roleCredentials) {`
	`249`	`+ return undefined;`
	`250`	`+ }`
`248`	`251`	`return {`
`249`	`252`	`credentials: {`
`250`	`253`	`...roleCredentials,`
	`254`	`+ // Ensure expiration is a Date object (JSON serialization converts it to string)`
	`255`	`+ expiration: roleCredentials.expiration ? new Date(roleCredentials.expiration) : undefined,`
`251`	`256`	`},`
`252`	`257`	`};`
`253`	`258`	`};`