UNPKG

minio

Version:

S3 Compatible Cloud Storage client

github.com/minio/minio-js

minio/minio-js

235 lines (202 loc) 7.93 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
import * as fs from 'node:fs/promises' import * as http from 'node:http' import * as https from 'node:https' import { URL, URLSearchParams } from 'node:url' import { CredentialProvider } from './CredentialProvider.ts' import { Credentials } from './Credentials.ts' import { parseXml } from './internal/helper.ts' import { request } from './internal/request.ts' import { readAsString } from './internal/response.ts' interface AssumeRoleResponse { AssumeRoleWithWebIdentityResponse: { AssumeRoleWithWebIdentityResult: { Credentials: { AccessKeyId: string SecretAccessKey: string SessionToken: string Expiration: string } } } } interface EcsCredentials { AccessKeyID: string SecretAccessKey: string Token: string Expiration: string Code: string Message: string } export interface IamAwsProviderOptions { customEndpoint?: string transportAgent?: http.Agent } export class IamAwsProvider extends CredentialProvider { private readonly customEndpoint?: string private _credentials: Credentials | null private readonly transportAgent?: http.Agent private accessExpiresAt = '' constructor({ customEndpoint = undefined, transportAgent = undefined }: IamAwsProviderOptions) { super({ accessKey: '', secretKey: '' }) this.customEndpoint = customEndpoint this.transportAgent = transportAgent /** * Internal Tracking variables */ this._credentials = null } async getCredentials(): Promise<Credentials> { if (!this._credentials || this.isAboutToExpire()) { this._credentials = await this.fetchCredentials() } return this._credentials } private async fetchCredentials(): Promise<Credentials> { try { // check for IRSA (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE if (tokenFile) { return await this.fetchCredentialsUsingTokenFile(tokenFile) } // try with IAM role for EC2 instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) let tokenHeader = 'Authorization' let token = process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN const relativeUri = process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI const fullUri = process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI let url: URL if (relativeUri) { url = new URL(relativeUri, 'http://169.254.170.2') } else if (fullUri) { url = new URL(fullUri) } else { token = await this.fetchImdsToken() tokenHeader = 'X-aws-ec2-metadata-token' url = await this.getIamRoleNamedUrl(token) } return this.requestCredentials(url, tokenHeader, token) } catch (err) { throw new Error(`Failed to get Credentials: ${err}`, { cause: err }) } } private async fetchCredentialsUsingTokenFile(tokenFile: string): Promise<Credentials> { const token = await fs.readFile(tokenFile, { encoding: 'utf8' }) const region = process.env.AWS_REGION const stsEndpoint = new URL(region ? `https://sts.${region}.amazonaws.com` : 'https://sts.amazonaws.com') const hostValue = stsEndpoint.hostname const portValue = stsEndpoint.port const qryParams = new URLSearchParams({ Action: 'AssumeRoleWithWebIdentity', Version: '2011-06-15', }) const roleArn = process.env.AWS_ROLE_ARN if (roleArn) { qryParams.set('RoleArn', roleArn) const roleSessionName = process.env.AWS_ROLE_SESSION_NAME qryParams.set('RoleSessionName', roleSessionName ? roleSessionName : Date.now().toString()) } qryParams.set('WebIdentityToken', token) qryParams.sort() const requestOptions = { hostname: hostValue, port: portValue, path: `${stsEndpoint.pathname}?${qryParams.toString()}`, protocol: stsEndpoint.protocol, method: 'POST', headers: {}, agent: this.transportAgent, } satisfies http.RequestOptions const transport = stsEndpoint.protocol === 'http:' ? http : https const res = await request(transport, requestOptions, null) const body = await readAsString(res) const assumeRoleResponse: AssumeRoleResponse = parseXml(body) const creds = assumeRoleResponse.AssumeRoleWithWebIdentityResponse.AssumeRoleWithWebIdentityResult.Credentials this.accessExpiresAt = creds.Expiration return new Credentials({ accessKey: creds.AccessKeyId, secretKey: creds.SecretAccessKey, sessionToken: creds.SessionToken, }) } private async fetchImdsToken() { const endpoint = this.customEndpoint ? this.customEndpoint : 'http://169.254.169.254' const url = new URL('/latest/api/token', endpoint) const requestOptions = { hostname: url.hostname, port: url.port, path: `${url.pathname}${url.search}`, protocol: url.protocol, method: 'PUT', headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '21600', }, agent: this.transportAgent, } satisfies http.RequestOptions const transport = url.protocol === 'http:' ? http : https const res = await request(transport, requestOptions, null) return await readAsString(res) } private async getIamRoleNamedUrl(token: string) { const endpoint = this.customEndpoint ? this.customEndpoint : 'http://169.254.169.254' const url = new URL('latest/meta-data/iam/security-credentials/', endpoint) const roleName = await this.getIamRoleName(url, token) return new URL(`${url.pathname}/${encodeURIComponent(roleName)}`, url.origin) } private async getIamRoleName(url: URL, token: string): Promise<string> { const requestOptions = { hostname: url.hostname, port: url.port, path: `${url.pathname}${url.search}`, protocol: url.protocol, method: 'GET', headers: { 'X-aws-ec2-metadata-token': token, }, agent: this.transportAgent, } satisfies http.RequestOptions const transport = url.protocol === 'http:' ? http : https const res = await request(transport, requestOptions, null) const body = await readAsString(res) const roleNames = body.split(/\r\n|[\n\r\u2028\u2029]/) if (roleNames.length === 0) { throw new Error(`No IAM roles attached to EC2 service ${url}`) } return roleNames[0] as string } private async requestCredentials(url: URL, tokenHeader: string, token: string | undefined): Promise<Credentials> { const headers: Record<string, string> = {} if (token) { headers[tokenHeader] = token } const requestOptions = { hostname: url.hostname, port: url.port, path: `${url.pathname}${url.search}`, protocol: url.protocol, method: 'GET', headers: headers, agent: this.transportAgent, } satisfies http.RequestOptions const transport = url.protocol === 'http:' ? http : https const res = await request(transport, requestOptions, null) const body = await readAsString(res) const ecsCredentials = JSON.parse(body) as EcsCredentials if (!ecsCredentials.Code || ecsCredentials.Code != 'Success') { throw new Error(`${url} failed with code ${ecsCredentials.Code} and message ${ecsCredentials.Message}`) } this.accessExpiresAt = ecsCredentials.Expiration return new Credentials({ accessKey: ecsCredentials.AccessKeyID, secretKey: ecsCredentials.SecretAccessKey, sessionToken: ecsCredentials.Token, }) } private isAboutToExpire() { const expiresAt = new Date(this.accessExpiresAt) const provisionalExpiry = new Date(Date.now() + 1000 * 10) // 10 seconds leeway return provisionalExpiry > expiresAt } } // deprecated default export, please use named exports. // keep for backward compatibility. // eslint-disable-next-line import/no-default-export export default IamAwsProvider