fix(integration-platform): AWS evidence automations report "not configured" (regions array collapsed)#3003
Merged
…idence checks see regions

The manual "Run" path for App Automations (task-integrations + checks controllers) ran decrypted credentials through toStringCredentials, which collapses every value via getStringValue — turning AWS `regions: string[]` into a single string. assumeAwsSession only accepts regions as an array, so it resolved regions=[] and returned null, logging "AWS IAM check: connection not configured — skipping" even though a valid AWS connection exists (and works in Cloud Tests and on the scheduled/daily path, which use ensure-valid-credentials and preserve the array).

Fix: stop flattening credentials on the run paths and let array fields survive.

- Widen CheckContext.credentials and CheckContextOptions.credentials to Record<string, string | string[]> (the runtime already read `regions` as an array; the type now matches reality). String-only auth schemes (api key, basic) read a scalar via a local credString() coercion.
- task-integrations.controller + checks.controller: pass the decrypted credentials through unchanged instead of toStringCredentials(...). Remove the now-unused toStringCredentials helper (getStringValue stays for access_token).
- Extract assumeAwsSession's input resolution into a pure resolveAwsCredentialInputs() that also tolerates a single region string / legacy `region` key, and unit-test it.

Scheduled/auto-run paths were already correct (they consume ensure-valid-credentials). GCP/OAuth unaffected. apps/api/src/cloud-security untouched.

211 package tests pass (5 new); package build clean; api source type-clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 3, 2026. claudfuen pushed a commit that referenced this pull request (Jun 3, 2026):
# [3.68.0](v3.67.0...v3.68.0) (2026-06-03)

### Bug Fixes

* **app:** count only added evidence tasks on the service card ([f6048a2](f6048a2))
* **app:** hide evidence tasks not added to the org in integration views ([0b55cd2](0b55cd2))
* **app:** keep addedTemplateIds undefined when taskTemplates absent ([8e6f4ef](8e6f4ef))
* **app:** keep integration check dropdowns open ([0d7c7fe](0d7c7fe))
* **integration-platform:** address cubic review of d59e4c7 (2 P2s) ([4a6b64a](4a6b64a))
* **integration-platform:** address cubic round-4 review (27 findings) ([a467ff9](a467ff9))
* **integration-platform:** align Azure diagnostic-export evidence with enabled logs ([ecc98cf](ecc98cf))
* **integration-platform:** assume AWS customer role via the roleAssumer (two-hop) ([23e68d2](23e68d2)), closes [#3003](#3003)
* **integration-platform:** attach evidence to all IAM/CloudTrail check outcomes ([7624405](7624405))
* **integration-platform:** close GCP IAM silent pass, harden CloudTrail region, tag per-service checks ([cdde662](cdde662))
* **integration-platform:** enrich evidence with the determining value on every check outcome ([2d09795](2d09795))
* **integration-platform:** extend round-4 patterns to sibling check files ([6ef7ad0](6ef7ad0))
* **integration-platform:** include out-of-scope role defs in azure rbac wildcard scan ([05d1cce](05d1cce)), closes [hi#privilege](https://github.com/hi/issues/privilege)
* **integration-platform:** never let a read failure end as a silent/false verdict ([d59e4c7](d59e4c7))
* **integration-platform:** preserve array credential fields so AWS evidence checks see regions ([777fe9d](777fe9d))
* **integration-platform:** resolve 3 P1s from cubic review of fix commits ([3ec918a](3ec918a))
* **integration-platform:** resolve 4 cubic findings (RBAC gate + read-error states) ([b1b5579](b1b5579))
* **integration-platform:** resolve cubic findings on latest commit (4 of 5) ([239aea4](239aea4))
* **integrations:** address cubic 2nd-pass review (10 findings) ([d1c6368](d1c6368))
* **integrations:** address cubic review — fix 30 verified cloud-check bugs ([5f6bebc](5f6bebc))
* **integrations:** cubic 3rd-pass — scan continuity, Aurora backups, IPv6 wording ([220982b](220982b))
* **integrations:** harden oauth refresh handling ([20041cf](20041cf))
* **integrations:** make config dropdown clickable via pointer-events, not portal={false} ([ffa5c91](ffa5c91))
* **integrations:** refresh oauth tokens during checks ([8960820](8960820))
* **integrations:** render config dropdowns inline so they work inside the modal ([a93f479](a93f479))

### Features

* **integrations:** add cloud services as evidence integrations (GCP/Azure/AWS) ([665f454](665f454))
🎉 This PR is included in version 3.68.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
yerramasu pushed a commit to iagentic/compliance-ai that referenced this pull request (Jun 5, 2026):
…er (two-hop)

After the regions fix (trycompai#3003), the AWS evidence checks reach the STS AssumeRole step and fail with "Could not assume AWS role" — STS reports the task role is not authorized.

Cloud Tests assumes customer roles through a two-hop chain (aws-security.service.ts): base/task creds -> Comp's dedicated roleAssumer role -> customer role. Customer trust policies whitelist the roleAssumer ARN, NOT the raw task role, so the single direct hop the check did was always rejected.

Replicate the two-hop chain in the package's assumeAwsSession (independent copy; does not import or touch apps/api/src/cloud-security):

1. assume SECURITY_HUB_ROLE_ASSUMER_ARN (RoleSessionName 'CompRoleAssumer') from the task/base creds (commercial uses the default chain; GovCloud uses SECURITY_HUB_GOVCLOUD_* keys),
2. assume the customer roleArn + externalId with the roleAssumer creds.

Partition (commercial vs GovCloud) is detected from the region, mirroring the cloud-security helpers.

Requires SECURITY_HUB_ROLE_ASSUMER_ARN in the runtime env. The manual "Run" path runs in the API (which already has it + the trust, since Cloud Tests works there); the scheduled trigger.dev runs need the same env var + the trigger task role permitted to assume the roleAssumer.

Package builds clean; 211 tests pass. The two-hop mirrors the verified Cloud Tests chain (no STS mock harness exists to unit-test it here).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
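The two-hop chain the commit message above describes (task/base credentials -> roleAssumer -> customer role), written out as an added example rather than the project's own assumeAwsSession code. It is coded against a minimal AssumeRole function type so it runs offline against a fake STS that models each role's trust policy; the env var name SECURITY_HUB_ROLE_ASSUMER_ARN and the hop-1 session name 'CompRoleAssumer' come from the commit message, while the types, the fake, the hop-2 session name, the ARN-partition check and all ARNs and key strings are assumptions. The real SDK call is async; the hop order and the failure cases are the same.

```typescript
// Added example, not the project's code. Synchronous stand-in for sts:AssumeRole
// so the chain can be exercised without a network.

export interface AwsCreds {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken: string;
}

export interface AssumeRoleRequest {
  roleArn: string;
  roleSessionName: string;
  externalId?: string;
}

// `caller` undefined means "use the runtime's default credential chain".
export type AssumeRole = (req: AssumeRoleRequest, caller?: AwsCreds) => AwsCreds;

export type Partition = "aws" | "aws-us-gov";

// Partition detected from the region, as the commit message describes.
export function partitionFromRegion(region: string): Partition {
  return region.startsWith("us-gov-") ? "aws-us-gov" : "aws";
}

export function partitionFromArn(arn: string): Partition | null {
  const m = /^arn:(aws|aws-us-gov):/.exec(arn);
  return m ? (m[1] as Partition) : null;
}

export interface TwoHopConfig {
  roleAssumerArn: string | undefined; // value of SECURITY_HUB_ROLE_ASSUMER_ARN
  govCloudBaseCreds?: AwsCreds;       // GovCloud only; commercial uses the default chain
}

export interface CustomerRole {
  roleArn: string;
  externalId: string;
  region: string;
}

export function assumeCustomerRoleTwoHop(sts: AssumeRole, cfg: TwoHopConfig, customer: CustomerRole): AwsCreds {
  if (!cfg.roleAssumerArn) {
    // Never fall back to a direct hop: the customer trust policy names only the roleAssumer.
    throw new Error("SECURITY_HUB_ROLE_ASSUMER_ARN is not set; refusing to assume the customer role directly");
  }
  const partition = partitionFromRegion(customer.region);
  // Added sanity check (assumption): the customer ARN must live in the region's partition.
  if (partitionFromArn(customer.roleArn) !== partition) {
    throw new Error(`customer role ${customer.roleArn} is not in partition ${partition} for region ${customer.region}`);
  }
  const base = partition === "aws-us-gov" ? cfg.govCloudBaseCreds : undefined;
  if (partition === "aws-us-gov" && !base) throw new Error("GovCloud base credentials not configured");
  // Hop 1: task/base credentials -> roleAssumer.
  const hop1 = sts({ roleArn: cfg.roleAssumerArn, roleSessionName: "CompRoleAssumer" }, base);
  // Hop 2: roleAssumer -> customer role, presenting the customer's external ID.
  return sts({ roleArn: customer.roleArn, roleSessionName: "CompEvidenceCheck", externalId: customer.externalId }, hop1);
}

// Fake STS: per-role trust policy naming the caller access key that may assume it and
// the external ID it requires. All key strings are constructed.
export interface TrustEntry {
  trustedCallerKey: string;
  externalId?: string;
}

export function makeFakeSts(trust: Record<string, TrustEntry>, defaultChainKey: string) {
  const calls: AssumeRoleRequest[] = [];
  const assume: AssumeRole = (req, caller) => {
    calls.push(req);
    const callerKey = caller?.accessKeyId ?? defaultChainKey;
    const entry = trust[req.roleArn];
    if (!entry || entry.trustedCallerKey !== callerKey) {
      throw new Error(`AccessDenied: ${callerKey} is not authorized to perform sts:AssumeRole on ${req.roleArn}`);
    }
    if (entry.externalId !== undefined && entry.externalId !== req.externalId) {
      throw new Error(`AccessDenied: external ID mismatch for ${req.roleArn}`);
    }
    return { accessKeyId: `ASIA-${req.roleSessionName}`, secretAccessKey: "constructed", sessionToken: "constructed" };
  };
  return { assume, calls };
}

// Constructed scenario mirroring the commit message: the customer trusts the roleAssumer, not the task role.
export const ROLE_ASSUMER_ARN = "arn:aws:iam::111111111111:role/CompRoleAssumer";
export const CUSTOMER_ROLE_ARN = "arn:aws:iam::222222222222:role/CompEvidenceReader";
export const CUSTOMER_EXTERNAL_ID = "constructed-external-id";

export function constructedTrust(): Record<string, TrustEntry> {
  return {
    [ROLE_ASSUMER_ARN]: { trustedCallerKey: "TASK-ROLE-KEY" },
    [CUSTOMER_ROLE_ARN]: { trustedCallerKey: "ASIA-CompRoleAssumer", externalId: CUSTOMER_EXTERNAL_ID },
  };
}
```

Against `constructedTrust()`, a direct `assume` of the customer role from the task credentials is denied (the pre-fix behaviour), `assumeCustomerRoleTwoHop` succeeds, and a wrong external ID or an unset roleAssumer ARN fails loudly instead of degrading to a single hop.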
Problem

On a compliance task's Automations tab, clicking Run for an AWS evidence check logs `AWS IAM check: connection not configured — skipping` and reports 0 passed — even though the AWS connection is valid and scans fine in Cloud Security Tests (same `IntegrationConnection` + credential vault). GCP automations are unaffected.

Root cause (verified + reproduced)

The manual "Run" path (`task-integrations.controller.ts`, `checks.controller.ts`) runs decrypted credentials through `toStringCredentials()`, which collapses every value via `getStringValue` → for an array it returns `value[0]`. So AWS `regions: ["us-east-1", ...]` becomes the single string `"us-east-1"`. `assumeAwsSession` only accepts `regions` as an array, so post-collapse it resolves `regions = []` and returns `null` → "connection not configured".

The scheduled/daily and auto-run paths were already correct — they consume `ensure-valid-credentials`, which returns `getDecryptedCredentials()` verbatim (array preserved). That divergence is why this looked inconsistent (daily would work; the Run button wouldn't). `CheckContext.credentials` was typed `Record<string, string>` while the runtime already read `regions` as an array — the type was lying.

Fix

- Widen `CheckContext.credentials` / `CheckContextOptions.credentials` to `Record<string, string | string[]>` (matches runtime reality). String-only auth schemes (api key, basic) read a scalar via a local `credString()` coercion.
- `task-integrations.controller` + `checks.controller`: pass the decrypted credentials through unchanged instead of `toStringCredentials(...)`. Removed the now-unused `toStringCredentials` (kept `getStringValue` for `access_token`).
- Extract `assumeAwsSession`'s input resolution into a pure `resolveAwsCredentialInputs()` that also tolerates a single region string / legacy `region` key, with unit tests.
- GCP/OAuth unaffected.
- `apps/api/src/cloud-security` untouched.

Testing

`bun run build` (tsc) clean; 211 package tests pass (5 new credential-resolution tests covering array / single-string / empty / missing role fields). (`.spec.ts` typecheck errors on `main` are unrelated and not in this diff.)

🤖 Generated with Claude Code
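The flattening bug and the resolver described in the PR description above (and in the squash commit message at the top of the page), as an added example rather than the project's own code. The function names follow the PR text (`getStringValue`, `toStringCredentials`, `credString`, `resolveAwsCredentialInputs`); their bodies, the `AwsCredentialInputs` shape, the trimming/dedupe of regions and the sample credentials are assumptions. The example also shows the `roleArn` and `externalId` fields that the later two-hop commit names.

```typescript
// Added example, not code from the PR. Pre-fix flattening kept beside the tolerant
// resolver so the failure mode ("regions" collapsing to its first element) is visible.

export type CredentialValue = string | string[];
export type Credentials = Record<string, CredentialValue>;

// Scalar coercion: a string passes through, an array yields its first element.
// The old run path applied this to every field, including `regions`.
export function getStringValue(value: unknown): string | undefined {
  if (typeof value === "string") return value;
  if (Array.isArray(value) && typeof value[0] === "string") return value[0];
  return undefined;
}

// Pre-fix behaviour, kept only to demonstrate the collapse (removed by the PR).
export function toStringCredentials(creds: Record<string, unknown>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(creds)) {
    const s = getStringValue(value);
    if (s !== undefined) out[key] = s;
  }
  return out;
}

// For string-only schemes (API key, basic auth) a scalar is the right reading;
// an array in such a field is refused rather than silently truncated.
export function credString(creds: Credentials, key: string): string | undefined {
  const v = creds[key];
  return typeof v === "string" && v.length > 0 ? v : undefined;
}

export interface AwsCredentialInputs {
  roleArn: string;
  externalId: string;
  regions: string[];
}

function scalar(value: unknown): string | undefined {
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
}

// Accept string[] or a single string; drop non-strings and blanks; dedupe (assumed policy).
function toRegionList(value: unknown): string[] {
  const raw: unknown[] = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
  const cleaned = raw
    .filter((r): r is string => typeof r === "string")
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
  return Array.from(new Set(cleaned));
}

// Pure resolver: null means "not configured" and the caller logs and skips the check.
export function resolveAwsCredentialInputs(creds: Record<string, unknown>): AwsCredentialInputs | null {
  const roleArn = scalar(creds.roleArn);
  const externalId = scalar(creds.externalId);
  // Prefer the array field; fall back to the legacy singular `region` key.
  const regions = toRegionList(creds.regions ?? creds.region);
  if (!roleArn || !externalId || regions.length === 0) return null;
  return { roleArn, externalId, regions };
}

// Constructed sample of what the decrypted vault record is assumed to look like.
export const sampleAwsCredentials: Credentials = {
  roleArn: "arn:aws:iam::123456789012:role/CompEvidenceReader",
  externalId: "constructed-external-id",
  regions: ["us-east-1", "eu-west-1"],
};
```

Feeding `sampleAwsCredentials` through the old `toStringCredentials` leaves `regions` as the single string `"us-east-1"`. Because the new resolver tolerates a single string, that flattened input would no longer surface as "not configured" but as a check that silently runs in one region out of two, which is why the PR removes the flattening on the run paths as well as making the resolver tolerant.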
Summary by cubic

Fixes AWS evidence automations showing "connection not configured" on manual Run by preserving array credentials (e.g., `regions`) and aligning types. Manual runs now match scheduled runs, so AWS checks receive regions and execute correctly.

Bug Fixes

- `region` via `resolveAwsCredentialInputs` to avoid false "not configured".

Refactors

- `CheckContext.credentials` to `Record<string, string | string[]>` and use a local scalar coercion for API key/basic auth.
- `assumeAwsSession` into `resolveAwsCredentialInputs`, with unit tests; remove `toStringCredentials`.

Written for commit 777fe9d. Summary will update on new commits.