
@aws-sdk/credential-provider-web-identity


AWS credential provider that calls STS assumeRole for temporary AWS credentials

const { setCredentialFeature } = require("@aws-sdk/core/client");
const { CredentialsProviderError, externalDataInterceptor } = require("@smithy/core/config");
const { readFileSync } = require("node:fs");

/**
 * Creates the default role assumer by lazily loading the nested STS client.
 *
 * The require is deferred until first use so that callers supplying their own
 * `roleAssumerWithWebIdentity` never pay for (or need) the STS client package.
 *
 * @param {object} init - Provider options; `clientConfig`, `logger`,
 *   `parentClientConfig` and `clientPlugins` are read from it.
 * @param {object} [awsIdentityProperties] - Per-call properties; its
 *   `callerClientConfig` seeds the parent client config and is overridden by
 *   `init.parentClientConfig`.
 * @returns {Function} A role assumer accepting an AssumeRoleWithWebIdentity-shaped request.
 */
function buildDefaultRoleAssumer(init, awsIdentityProperties) {
  const { getDefaultRoleAssumerWithWebIdentity } = require('@aws-sdk/nested-clients/sts');
  const stsClientConfig = {
    ...init.clientConfig,
    credentialProviderLogger: init.logger,
    parentClientConfig: {
      ...awsIdentityProperties?.callerClientConfig,
      ...init.parentClientConfig,
    },
  };
  return getDefaultRoleAssumerWithWebIdentity(stsClientConfig, init.clientPlugins);
}

/**
 * Credential provider that exchanges a web identity (OIDC) token for temporary
 * credentials through a role assumer.
 *
 * The request handed to the assumer has the AssumeRoleWithWebIdentity shape
 * (RoleArn, RoleSessionName, WebIdentityToken, ProviderId, PolicyArns, Policy,
 * DurationSeconds). When no `roleSessionName` is configured a timestamp-based
 * name is generated on every call.
 *
 * @param {object} init - Provider options: `roleArn`, `webIdentityToken`, and
 *   optional `roleSessionName`, `providerId`, `policyArns`, `policy`,
 *   `durationSeconds`, `logger`, `clientConfig`, `parentClientConfig`,
 *   `clientPlugins` and a custom `roleAssumerWithWebIdentity`. Must be an object;
 *   a nullish `init` throws when its logger is dereferenced.
 * @returns {(awsIdentityProperties?: object) => Promise<object>} Async provider
 *   resolving to whatever the role assumer returns.
 */
const fromWebToken = (init) => async (awsIdentityProperties) => {
  init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
  const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;

  // `||` rather than `??`: any falsy value configured for the assumer falls back to the default.
  const assumeRole = init.roleAssumerWithWebIdentity || buildDefaultRoleAssumer(init, awsIdentityProperties);

  const request = {
    RoleArn: roleArn,
    RoleSessionName: roleSessionName ?? `aws-sdk-js-session-${Date.now()}`,
    WebIdentityToken: webIdentityToken,
    ProviderId: providerId,
    PolicyArns: policyArns,
    Policy: policy,
    DurationSeconds: durationSeconds,
  };
  return assumeRole(request);
};

// Environment variables consulted by fromTokenFile when init does not supply a value.
const ENV_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
const ENV_ROLE_ARN = "AWS_ROLE_ARN";
const ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";

/**
 * Resolves the web identity token for a given token-file path.
 *
 * If `externalDataInterceptor.getTokenRecord()` is available and holds an entry
 * keyed by the path, that entry is used; otherwise the file is read
 * synchronously with ASCII encoding. Nothing is cached here — the read happens
 * on every provider invocation.
 *
 * @param {string} tokenFilePath - Path of the token file (from init or the environment).
 * @returns {string} The token contents.
 */
function readWebIdentityToken(tokenFilePath) {
  const intercepted = externalDataInterceptor?.getTokenRecord?.()[tokenFilePath];
  return intercepted ?? readFileSync(tokenFilePath, { encoding: "ascii" });
}

/**
 * Credential provider that reads a web identity token from a file and delegates
 * to {@link fromWebToken}.
 *
 * `webIdentityTokenFile`, `roleArn` and `roleSessionName` are taken from `init`
 * first and fall back to AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN and
 * AWS_ROLE_SESSION_NAME respectively. Remaining `init` options are passed
 * through to fromWebToken unchanged.
 *
 * @param {object} [init={}] - Provider options (see fromWebToken) plus `webIdentityTokenFile`.
 * @returns {(awsIdentityProperties?: object) => Promise<object>} Async provider.
 * @throws {CredentialsProviderError} When neither init nor the environment
 *   yields both a token-file path and a role ARN.
 */
const fromTokenFile = (init = {}) => async (awsIdentityProperties) => {
  init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");

  // init is a non-null object here (default applied, or the debug call above already threw).
  const webIdentityTokenFile = init.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
  const roleArn = init.roleArn ?? process.env[ENV_ROLE_ARN];
  const roleSessionName = init.roleSessionName ?? process.env[ENV_ROLE_SESSION_NAME];

  if (!webIdentityTokenFile || !roleArn) {
    throw new CredentialsProviderError("Web identity configuration not specified", {
      logger: init.logger,
    });
  }

  const webIdentityToken = readWebIdentityToken(webIdentityTokenFile);
  const provider = fromWebToken({ ...init, webIdentityToken, roleArn, roleSessionName });
  const credentials = await provider(awsIdentityProperties);

  // Tag the credentials as env-sourced only when the resolved path equals the
  // environment variable's current value (re-read after the await).
  if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
    setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
  }
  return credentials;
};

exports.fromTokenFile = fromTokenFile;
exports.fromWebToken = fromWebToken;