UNPKG

cdk-ssm-secure-iam-access-key

Version:

Creates an IAM Access Key for a provided IAM User and stores the result in an SSM SecureString Parameter

github.com/dkershner6/cdk-ssm-secure-iam-access-key

dkershner6/cdk-ssm-secure-iam-access-key

52 lines (51 loc) 2.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso"; import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers"; import { CredentialsProviderError } from "@smithy/property-provider"; import { getSSOTokenFromFile } from "@smithy/shared-ini-file-loader"; const SHOULD_FAIL_CREDENTIAL_CHAIN = false; export const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }) => { let token; const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`; if (ssoSession) { try { const _token = await getSsoTokenProvider({ profile })(); token = { accessToken: _token.token, expiresAt: new Date(_token.expiration).toISOString(), }; } catch (e) { throw new CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN); } } else { try { token = await getSSOTokenFromFile(ssoStartUrl); } catch (e) { throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } } if (new Date(token.expiresAt).getTime() - Date.now() <= 0) { throw new CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { accessToken } = token; const sso = ssoClient || new SSOClient({ region: ssoRegion }); let ssoResp; try { ssoResp = await sso.send(new GetRoleCredentialsCommand({ accountId: ssoAccountId, roleName: ssoRoleName, accessToken, })); } catch (e) { throw CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN); } const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp; const credentialScope = ssoResp?.roleCredentials?.credentialScope; if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) { throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN); } return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration), credentialScope }; };