UNPKG

@aws/bedrock-token-generator

Version:

A lightweight library for generating short-term bearer tokens for AWS Bedrock API authentication

77 lines 3.33 kB
"use strict"; /** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0 */ Object.defineProperty(exports, "__esModule", { value: true }); exports.BedrockTokenGenerator = void 0; const util_format_url_1 = require("@aws-sdk/util-format-url"); const protocol_http_1 = require("@smithy/protocol-http"); const signature_v4_1 = require("@smithy/signature-v4"); const hash_node_1 = require("@smithy/hash-node"); /** * BedrockTokenGenerator provides a lightweight utility to generate short-lived AWS Bearer tokens * for use with the Amazon Bedrock API. * * The class exposes `getToken()`, a stateless method that returns a fresh token * valid for 12 hours using AWS SigV4 signing. */ class BedrockTokenGenerator { /** * Creates a new BedrockTokenGenerator instance. * * The generator is stateless and doesn't maintain any internal state. */ constructor() { } /** * Generates a bearer token for AWS Bedrock API authentication. * * @param credentials - AWS credentials to use for signing. * Must contain access_key and secret_key. May optionally contain session_token. * @param region - AWS region to use for the token (e.g., "us-west-2", "eu-west-1"). * @returns Promise that resolves to a bearer token string valid for 12 hours. * @throws Error if credentials or region are invalid. */ async getToken(credentials, region) { if (!credentials) { throw new Error("Credentials cannot be null"); } if (!region || typeof region !== 'string' || region.trim().length === 0) { throw new Error("Region must be a non-empty string"); } const signer = new signature_v4_1.SignatureV4({ service: BedrockTokenGenerator.SERVICE_NAME, region: region, credentials: credentials, sha256: hash_node_1.Hash.bind(null, "sha256"), }); const request = new protocol_http_1.HttpRequest({ method: 'POST', protocol: 'https', hostname: BedrockTokenGenerator.DEFAULT_HOST, headers: { host: BedrockTokenGenerator.DEFAULT_HOST, }, path: '/', query: { Action: 'CallWithBearerToken', }, }); const presigned = await signer.presign(request, { expiresIn: BedrockTokenGenerator.TOKEN_EXPIRES_IN }); // Remove the protocol prefix and add version const presignedUrl = (0, util_format_url_1.formatUrl)(presigned).replace('https://', '') + BedrockTokenGenerator.TOKEN_VERSION; // Base64 encode the URI const encodedString = Buffer.from(presignedUrl, 'utf-8').toString('base64'); return `${BedrockTokenGenerator.AUTH_PREFIX}${encodedString}`; } } exports.BedrockTokenGenerator = BedrockTokenGenerator; BedrockTokenGenerator.DEFAULT_HOST = "bedrock.amazonaws.com"; BedrockTokenGenerator.DEFAULT_URL = "https://bedrock.amazonaws.com/"; BedrockTokenGenerator.SERVICE_NAME = "bedrock"; BedrockTokenGenerator.AUTH_PREFIX = "bedrock-api-key-"; BedrockTokenGenerator.TOKEN_VERSION = "&Version=1"; BedrockTokenGenerator.TOKEN_EXPIRES_IN = 43200; //# sourceMappingURL=BedrockTokenGenerator.js.map