AWS Security ChangesHomeSearch

AWS cdk documentation change

Service: cdk · 2025-07-25 · Documentation low

File: cdk/v2/guide/plugins.md

Summary

Updated plugin code examples to use TypeScript/JavaScript type annotations and SDKv3-compatible credential patterns

Security assessment

Changes demonstrate updated plugin development patterns for credential providers but do not address specific security vulnerabilities or introduce new security features. Updates focus on code structure and SDK compatibility rather than security enhancements.

Diff

diff --git a/cdk/v2/guide/plugins.md b/cdk/v2/guide/plugins.md
index cab78fa69..157b09fc6 100644
--- a//cdk/v2/guide/plugins.md
+++ b//cdk/v2/guide/plugins.md
@@ -33 +33 @@ TypeScript
-    import type { IPluginHost } from '@aws-cdk/cli-plugin-contract';
+    import type { IPluginHost, Plugin } from '@aws-cdk/cli-plugin-contract';
@@ -35 +35 @@ TypeScript
-    export = {
+    const plugin: Plugin = {
@@ -45,0 +46,2 @@ TypeScript
+    export = plugin;
+
@@ -50 +52 @@ JavaScript
-    module.exports = {
+    const plugin = {
@@ -60,0 +63,2 @@ JavaScript
+    module.exports = plugin;
+
@@ -164,3 +168 @@ TypeScript
-    import type { IPluginHost } from '@aws-cdk/cli-plugin-contract';
-    import { registerCredentialProviderSource, Mode, CredentialProviderSource } from '@aws-cdk/cli-plugin-contract';
-    import { Credentials } from '@aws-sdk/client-sts';
+    import type { CredentialProviderSource, ForReading, ForWriting, IPluginHost, Plugin, PluginProviderResult, SDKv3CompatibleCredentials } from '@aws-cdk/cli-plugin-contract';
@@ -193 +195 @@ TypeScript
-      public async getProvider(accountId: string, mode: Mode): Promise<PluginProviderResult> {
+      public async getProvider(accountId: string, mode: ForReading | ForWriting): Promise<PluginProviderResult> {
@@ -195 +197 @@ TypeScript
-        const readOnly = mode === Mode.ForReading;
+        const readOnly = mode === 0 satisfies ForReading;
@@ -198,2 +200 @@ TypeScript
-        // In this example we're using AWS SDK v3 credentials
-        const credentials = new Credentials({
+        const credentials: SDKv3CompatibleCredentials = {
@@ -205 +206 @@ TypeScript
-        });
+        };
@@ -211,2 +212,2 @@ TypeScript
-    export = {
-      version = '1',
+    const plugin: Plugin = {
+      version: '1',
@@ -219 +220 @@ TypeScript
-JavaScript
+    export = plugin;
@@ -220,0 +222 @@ JavaScript
+JavaScript
@@ -223,2 +224,0 @@ JavaScript
-    const { Mode, registerCredentialProviderSource, CredentialProviderSource } = require('@aws-cdk/cli-plugin-contract');
-    const { Credentials } = require('@aws-sdk/client-sts');
@@ -227 +227 @@ JavaScript
-    class CustomCredentialProviderSource extends CredentialProviderSource {
+    class CustomCredentialProviderSource {
@@ -229 +228,0 @@ JavaScript
-        super();
@@ -257 +256 @@ JavaScript
-        const readOnly = mode === Mode.ForReading;
+        const readOnly = mode === 0; // 0 indicates ForReading; 1 indicates ForWriting
@@ -260,2 +259 @@ JavaScript
-        // In this example we're using AWS SDK v3 credentials
-        const credentials = new Credentials({
+        const credentials = {
@@ -267 +265 @@ JavaScript
-        });
+        };
@@ -273,2 +271,2 @@ JavaScript
-    module.exports = {
-      version = '1',
+    const plugin = {
+      version: '1',
@@ -280,0 +279,2 @@ JavaScript
+    module.exports = plugin;
+