diff --git a/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts b/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts index 60613d1775eb..12d9e1986701 100644 --- a/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts +++ b/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts @@ -572,6 +572,39 @@ describe("credential-provider-node integration test", () => { spy.mockClear(); }); + it("should be able to combine a source_profile having web_identity_token_file and role_arn with an origin profile having role_arn and source_profile", async () => { + iniProfileData.default.source_profile = "credential_source_profile"; + iniProfileData.default.role_arn = "ROLE_ARN_2"; + + iniProfileData.credential_source_profile = { + web_identity_token_file: "token-filepath", + role_arn: "ROLE_ARN_1", + }; + + sts = new STS({ + region: "us-west-2", + requestHandler: mockRequestHandler, + credentials: defaultProvider({ + awsContainerCredentialsFullUri: process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI, + awsContainerAuthorizationToken: process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN, + clientConfig: { + region: "us-west-2", + }, + logger: sink, + }), + }); + await sts.getCallerIdentity({}); + const credentials = await sts.config.credentials(); + expect(credentials).toEqual({ + accessKeyId: "STS_AR_ACCESS_KEY_ID", + secretAccessKey: "STS_AR_SECRET_ACCESS_KEY", + sessionToken: "STS_AR_SESSION_TOKEN", + expiration: new Date("3000-01-01T00:00:00.000Z"), + credentialScope: "us-stsar-1__us-west-2", + }); + expect(assumeRoleArns).toEqual(["ROLE_ARN_1", "ROLE_ARN_2"]); + }); + it("should complete chained role_arn credentials", async () => { process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI = "http://169.254.170.23"; process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN = "container-authorization";