@aws/bedrock-token-generator
Version:
A lightweight library for generating short-term bearer tokens for AWS Bedrock API authentication
77 lines • 3.33 kB
JavaScript
;
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.BedrockTokenGenerator = void 0;
const util_format_url_1 = require("@aws-sdk/util-format-url");
const protocol_http_1 = require("@smithy/protocol-http");
const signature_v4_1 = require("@smithy/signature-v4");
const hash_node_1 = require("@smithy/hash-node");
/**
* BedrockTokenGenerator provides a lightweight utility to generate short-lived AWS Bearer tokens
* for use with the Amazon Bedrock API.
*
* The class exposes `getToken()`, a stateless method that returns a fresh token
* valid for 12 hours using AWS SigV4 signing.
*/
class BedrockTokenGenerator {
/**
* Creates a new BedrockTokenGenerator instance.
*
* The generator is stateless and doesn't maintain any internal state.
*/
constructor() { }
/**
* Generates a bearer token for AWS Bedrock API authentication.
*
* @param credentials - AWS credentials to use for signing.
* Must contain access_key and secret_key. May optionally contain session_token.
* @param region - AWS region to use for the token (e.g., "us-west-2", "eu-west-1").
* @returns Promise that resolves to a bearer token string valid for 12 hours.
* @throws Error if credentials or region are invalid.
*/
async getToken(credentials, region) {
if (!credentials) {
throw new Error("Credentials cannot be null");
}
if (!region || typeof region !== 'string' || region.trim().length === 0) {
throw new Error("Region must be a non-empty string");
}
const signer = new signature_v4_1.SignatureV4({
service: BedrockTokenGenerator.SERVICE_NAME,
region: region,
credentials: credentials,
sha256: hash_node_1.Hash.bind(null, "sha256"),
});
const request = new protocol_http_1.HttpRequest({
method: 'POST',
protocol: 'https',
hostname: BedrockTokenGenerator.DEFAULT_HOST,
headers: {
host: BedrockTokenGenerator.DEFAULT_HOST,
},
path: '/',
query: {
Action: 'CallWithBearerToken',
},
});
const presigned = await signer.presign(request, {
expiresIn: BedrockTokenGenerator.TOKEN_EXPIRES_IN
});
// Remove the protocol prefix and add version
const presignedUrl = (0, util_format_url_1.formatUrl)(presigned).replace('https://', '') + BedrockTokenGenerator.TOKEN_VERSION;
// Base64 encode the URI
const encodedString = Buffer.from(presignedUrl, 'utf-8').toString('base64');
return `${BedrockTokenGenerator.AUTH_PREFIX}${encodedString}`;
}
}
exports.BedrockTokenGenerator = BedrockTokenGenerator;
BedrockTokenGenerator.DEFAULT_HOST = "bedrock.amazonaws.com";
BedrockTokenGenerator.DEFAULT_URL = "https://bedrock.amazonaws.com/";
BedrockTokenGenerator.SERVICE_NAME = "bedrock";
BedrockTokenGenerator.AUTH_PREFIX = "bedrock-api-key-";
BedrockTokenGenerator.TOKEN_VERSION = "&Version=1";
BedrockTokenGenerator.TOKEN_EXPIRES_IN = 43200;
//# sourceMappingURL=BedrockTokenGenerator.js.map