@aws-sdk/credential-provider-web-identity
Version:
AWS credential provider that calls STS assumeRole for temporary AWS credentials
59 lines (55 loc) • 2.64 kB
JavaScript
const { setCredentialFeature } = require("@aws-sdk/core/client");
const { CredentialsProviderError, externalDataInterceptor } = require("@smithy/core/config");
const { readFileSync } = require("node:fs");
const fromWebToken = (init) => async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;
let { roleAssumerWithWebIdentity } = init;
if (!roleAssumerWithWebIdentity) {
const { getDefaultRoleAssumerWithWebIdentity } = require('@aws-sdk/nested-clients/sts');
roleAssumerWithWebIdentity = getDefaultRoleAssumerWithWebIdentity({
...init.clientConfig,
credentialProviderLogger: init.logger,
parentClientConfig: {
...awsIdentityProperties?.callerClientConfig,
...init.parentClientConfig,
},
}, init.clientPlugins);
}
return roleAssumerWithWebIdentity({
RoleArn: roleArn,
RoleSessionName: roleSessionName ?? `aws-sdk-js-session-${Date.now()}`,
WebIdentityToken: webIdentityToken,
ProviderId: providerId,
PolicyArns: policyArns,
Policy: policy,
DurationSeconds: durationSeconds,
});
};
const ENV_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
const ENV_ROLE_ARN = "AWS_ROLE_ARN";
const ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";
const fromTokenFile = (init = {}) => async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");
const webIdentityTokenFile = init?.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
const roleArn = init?.roleArn ?? process.env[ENV_ROLE_ARN];
const roleSessionName = init?.roleSessionName ?? process.env[ENV_ROLE_SESSION_NAME];
if (!webIdentityTokenFile || !roleArn) {
throw new CredentialsProviderError("Web identity configuration not specified", {
logger: init.logger,
});
}
const credentials = await fromWebToken({
...init,
webIdentityToken: externalDataInterceptor?.getTokenRecord?.()[webIdentityTokenFile] ??
readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
roleArn,
roleSessionName,
})(awsIdentityProperties);
if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
}
return credentials;
};
exports.fromTokenFile = fromTokenFile;
exports.fromWebToken = fromWebToken;