UNPKG

cdk-amazon-chime-resources

Version:

![Experimental](https://img.shields.io/badge/experimental-important.svg?style=for-the-badge)

github.com/cdklabs/cdk-amazon-chime-resources

cdklabs/cdk-amazon-chime-resources

52 lines (51 loc) 2.37 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso"; import { CredentialsProviderError } from "@aws-sdk/property-provider"; import { getSSOTokenFromFile } from "@aws-sdk/shared-ini-file-loader"; import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers"; const EXPIRE_WINDOW_MS = 15 * 60 * 1000; const SHOULD_FAIL_CREDENTIAL_CHAIN = false; export const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }) => { let token; const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`; if (ssoSession) { try { const _token = await getSsoTokenProvider({ profile })(); token = { accessToken: _token.token, expiresAt: new Date(_token.expiration).toISOString(), }; } catch (e) { throw new CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN); } } else { try { token = await getSSOTokenFromFile(ssoStartUrl); } catch (e) { throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } } if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) { throw new CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { accessToken } = token; const sso = ssoClient || new SSOClient({ region: ssoRegion }); let ssoResp; try { ssoResp = await sso.send(new GetRoleCredentialsCommand({ accountId: ssoAccountId, roleName: ssoRoleName, accessToken, })); } catch (e) { throw CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp; if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) { throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN); } return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) }; };