fix(credential-provider-sso): prefer sso region for inner client if configured

Author: kuhe

packages/credential-provider-sso/src/fromSSO.spec.ts

@@ -101,7 +101,7 @@ describe(fromSSO.name, () => {
       expect(validateSsoProfile).toHaveBeenCalledWith(mockSsoProfile);
     });
 
-    it("calls resolveSSOCredentials with values from validated Sso profile", async () => {
+    it("calls resolveSSOCredentials with values from validated SSO profile", async () => {
       const mockValidatedSsoProfile = {
         sso_start_url: "mock_sso_start_url",
         sso_account_id: "mock_sso_account_id",
@@ -119,7 +119,8 @@ describe(fromSSO.name, () => {
         ssoRoleName: mockValidatedSsoProfile.sso_role_name,
         profile: mockProfileName,
         ssoSession: undefined,
-        ssoClient: expect.any(SSOClient),
+        ssoClient: undefined,
+        clientConfig: undefined,
       });
     });
   });

packages/credential-provider-sso/src/fromSSO.ts

@@ -83,11 +83,7 @@ export const fromSSO =
   async () => {
     init.logger?.debug("@aws-sdk/credential-provider-sso", "fromSSO");
     const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
-    let { ssoClient } = init;
-    if (!ssoClient) {
-      const { SSOClient } = await import("./loadSso");
-      ssoClient = new SSOClient(init.clientConfig ?? {});
-    }
+    const { ssoClient } = init;
     const profileName = getProfileName(init);
 
     if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
@@ -125,6 +121,7 @@ export const fromSSO =
         ssoRegion: sso_region,
         ssoRoleName: sso_role_name,
         ssoClient: ssoClient,
+        clientConfig: init.clientConfig,
         profile: profileName,
       });
     } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
@@ -140,6 +137,7 @@ export const fromSSO =
         ssoRegion,
         ssoRoleName,
         ssoClient,
+        clientConfig: init.clientConfig,
         profile: profileName,
       });
     }

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -18,6 +18,7 @@ export const resolveSSOCredentials = async ({
   ssoRegion,
   ssoRoleName,
   ssoClient,
+  clientConfig,
   profile,
 }: FromSSOInit & SsoCredentialsParameters): Promise<AwsCredentialIdentity> => {
   let token: SSOToken;
@@ -55,7 +56,13 @@ export const resolveSSOCredentials = async ({
 
   const { SSOClient, GetRoleCredentialsCommand } = await import("./loadSso");
 
-  const sso = ssoClient || new SSOClient({ region: ssoRegion });
+  const sso =
+    ssoClient ||
+    new SSOClient(
+      Object.assign({}, clientConfig ?? {}, {
+        region: clientConfig?.region ?? ssoRegion,
+      })
+    );
   let ssoResp: GetRoleCredentialsCommandOutput;
   try {
     ssoResp = await sso.send(