cli: AWS CDK CLI Exposes Credentials in Output #33394

@wiget

Describe the bug

When a credential provider is used, the CDK CLI prints the credentials received from the plugin in the console output.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

CDK CLI should not print credentials in the output to avoid security risks.

Current Behavior

The output includes sensitive information, such as accessKeyId, secretAccessKey, and sessionToken, as shown below:

{
  accessKeyId: 'ASIAXXXXXXXXXXXXXXXXX',
  secretAccessKey: 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY',
  sessionToken: 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ',
  expiration: 2025-02-11T17:27:31.000Z,
  '$source': { CREDENTIALS_SSO: 's', CREDENTIALS_PROFILE_SSO: 'r' }
} 1739276852684

Reproduction Steps

  1. Configure a credential provider in AWS CDK.
  2. Run a CDK command that triggers credential fetching (e.g., cdk diff).
  3. Observe that the credentials are printed in the console output.

Possible Solution

Remove this line:

info(format(current), Date.now());

Additional Information/Context

No response

CDK CLI Version

2.178.1

Framework Version

No response

Node.js Version

22.11.0

OS

Ubuntu 24.04

Language

TypeScript

Language Version

5.7.3

Other information

No response
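
For triaging logs captured from an affected CLI run, the following is an added example, not part of the original issue or of the CDK code base: it scans log text for the credential fields shown in the output above and returns a redacted copy plus the line numbers where they appeared. `scanLog`, `SAMPLE_LOG` and the `[REDACTED]` marker are names assumed for the example.

```typescript
// Added example (not CDK code): find and redact credential fields in captured
// CLI/CI log text that has the shape quoted in this issue.
interface Finding {
  line: number;  // 1-based line number in the log
  field: string; // credential field that was present
}

// Field names taken from the output quoted in the issue.
const SENSITIVE_FIELDS = ['accessKeyId', 'secretAccessKey', 'sessionToken'];

// Matches util.format style (field: 'value') and JSON style ("field": "value").
const FIELD_RE = new RegExp(
  `(["']?)\\b(${SENSITIVE_FIELDS.join('|')})\\1(\\s*:\\s*)(["'])([^"']+)\\4`,
  'g',
);

function scanLog(text: string): { redacted: string; findings: Finding[] } {
  const findings: Finding[] = [];
  const redacted = text
    .split('\n')
    .map((lineText: string, i: number) =>
      lineText.replace(
        FIELD_RE,
        (_m: string, q1: string, field: string, sep: string, q2: string, value: string) => {
          findings.push({ line: i + 1, field });
          // Keep only the 4-character key ID prefix (ASIA = temporary STS key,
          // AKIA = long-term key) for triage; mask everything else.
          const masked = field === 'accessKeyId' ? value.slice(0, 4) + '[REDACTED]' : '[REDACTED]';
          return `${q1}${field}${q1}${sep}${q2}${masked}${q2}`;
        },
      ),
    )
    .join('\n');
  return { redacted, findings };
}

// Constructed sample log with placeholder values, in the shape shown in the issue.
const SAMPLE_LOG = [
  'constructed log line before the credential dump',
  '{',
  "  accessKeyId: 'ASIAXXXXXXXXXXXXXXXXX',",
  "  secretAccessKey: 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY',",
  "  sessionToken: 'ZZZZZZZZZZZZZZZZ',",
  '  expiration: 2025-02-11T17:27:31.000Z,',
  '} 1739276852684',
].join('\n');

console.log(scanLog(SAMPLE_LOG));
```

Any log in which `findings` is non-empty contained live session credentials until the `expiration` time printed alongside them.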

Labels

  • bug: This issue is a bug.
  • effort/medium: Medium work item – several days of effort
  • p0
  • package/tools: Related to AWS CDK Tools or CLI
