UNPKG

cdk-amazon-chime-resources

Version:

![Experimental](https://img.shields.io/badge/experimental-important.svg?style=for-the-badge)

github.com/cdklabs/cdk-amazon-chime-resources

cdklabs/cdk-amazon-chime-resources

56 lines (55 loc) 2.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.resolveSSOCredentials = void 0; const client_sso_1 = require("@aws-sdk/client-sso"); const property_provider_1 = require("@aws-sdk/property-provider"); const shared_ini_file_loader_1 = require("@aws-sdk/shared-ini-file-loader"); const token_providers_1 = require("@aws-sdk/token-providers"); const EXPIRE_WINDOW_MS = 15 * 60 * 1000; const SHOULD_FAIL_CREDENTIAL_CHAIN = false; const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }) => { let token; const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`; if (ssoSession) { try { const _token = await (0, token_providers_1.fromSso)({ profile })(); token = { accessToken: _token.token, expiresAt: new Date(_token.expiration).toISOString(), }; } catch (e) { throw new property_provider_1.CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN); } } else { try { token = await (0, shared_ini_file_loader_1.getSSOTokenFromFile)(ssoStartUrl); } catch (e) { throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } } if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) { throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { accessToken } = token; const sso = ssoClient || new client_sso_1.SSOClient({ region: ssoRegion }); let ssoResp; try { ssoResp = await sso.send(new client_sso_1.GetRoleCredentialsCommand({ accountId: ssoAccountId, roleName: ssoRoleName, accessToken, })); } catch (e) { throw property_provider_1.CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp; if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) { throw new property_provider_1.CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN); } return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) }; }; exports.resolveSSOCredentials = resolveSSOCredentials;