
mira


NearForm Accelerator for Cloud Native Serverless AWS

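'use strict';
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getRoleArn = exports.assumeRole = void 0;
const aws_sdk_1 = __importDefault(require("aws-sdk"));
const child_process_1 = require("child_process");
const fs_1 = __importDefault(require("fs"));
/**
 * Allow Mira to assume a role based on a given arn. This is used for deployment
 * and allows Mira to use the account specified in the configuration file.
 *
 * On success the temporary credentials returned by STS are applied in two
 * places: the process-wide `AWS.config` object is replaced, and the three
 * credential values are written to the AWS CLI profile named `client` by
 * running `aws configure set` once per value.
 *
 * @internal
 * @param {string} roleArn - ARN of the role to assume.
 * @returns {Promise<AWS.Config>} The new global SDK configuration.
 * @throws Cannot assume role ${roleArn}: Invalid Role
 * @throws Cannot assume role ${roleArn}: <other reason>
 */
async function assumeRole(roleArn) {
    console.log(`Assuming role ${roleArn}`);
    const sts = new aws_sdk_1.default.STS();
    try {
        const roleData = await sts.assumeRole({
            RoleArn: `${roleArn}`,
            RoleSessionName: 'mira-assumed-role'
        }).promise();
        const credentials = roleData.Credentials;
        if (!credentials) {
            // Throw only the reason here: the catch below adds the
            // "Cannot assume role ..." prefix exactly once, so the message
            // matches the documented form instead of carrying the prefix twice.
            throw new Error('Invalid Role');
        }
        // Replaces the SDK's global configuration, so every later SDK client
        // in this process uses the assumed-role session.
        aws_sdk_1.default.config = new aws_sdk_1.default.Config({
            accessKeyId: credentials.AccessKeyId,
            secretAccessKey: credentials.SecretAccessKey,
            sessionToken: credentials.SessionToken
        });
        // update environment
        // NOTE(review): each secret is passed as a command-line argument to the
        // `aws` child process, so it can appear in the host's process listing
        // while the command runs, and `aws configure set` stores it in the
        // AWS CLI's on-disk profile data under `client`, where it outlives
        // this process. Confirm this is acceptable on shared or CI hosts;
        // handing the session to child tools through environment variables
        // would avoid both exposures.
        const authData = [
            { name: 'aws_access_key_id', value: credentials.AccessKeyId },
            { name: 'aws_secret_access_key', value: credentials.SecretAccessKey },
            { name: 'aws_session_token', value: credentials.SessionToken }
        ];
        for (const token of authData) {
            // execFileSync takes an argument array, so no shell parses the values.
            const commandOptions = [
                'configure',
                'set',
                token.name,
                token.value,
                '--profile=client'
            ];
            child_process_1.execFileSync('aws', commandOptions, {
                stdio: 'inherit',
                env: { ...process.env }
            });
        }
        return aws_sdk_1.default.config;
    }
    catch (error) {
        // `cause` keeps the original error for debugging on runtimes that
        // support it; older runtimes ignore the extra argument.
        throw new Error(`Cannot assume role ${roleArn}: ${error.message}`, { cause: error });
    }
}
exports.assumeRole = assumeRole;
/**
 * Given a provided profile, reads the user's local ~/.aws/config file and
 * returns the `role_arn` configured in that profile's section.
 *
 * The profile must match a `[profile <name>]` header exactly, and only lines
 * inside that section are searched. A prefix match, or a search that runs on
 * into later sections, could return a role belonging to a different profile.
 *
 * @param {*} profile - Profile name as written after `profile` in the header.
 * @returns {string} The role ARN, trimmed of surrounding whitespace.
 * @throws {Error} 'Role not found' when HOME is unset, the config file is
 *   missing, the profile is absent, or the profile has no role_arn entry.
 */
exports.getRoleArn = (profile) => {
    const home = process.env.HOME || '';
    // Build the path from HOME rather than calling process.chdir(): changing
    // the working directory affects the whole process and was left pointing
    // at HOME if reading the file threw.
    const configPath = `${home}/.aws/config`;
    if (!home || !fs_1.default.existsSync(configPath)) {
        throw new Error('Role not found');
    }
    const lines = fs_1.default.readFileSync(configPath, 'utf8').split(/\r?\n/);
    const wanted = String(profile);
    // Compare the captured name as a plain string so that characters in
    // `profile` are never interpreted as regular-expression syntax.
    const idx = lines.findIndex((line) => {
        const header = /^\s*\[\s*profile\s+([^\]]*?)\s*\]/.exec(line);
        return header !== null && header[1] === wanted;
    });
    if (idx === -1) {
        throw new Error('Role not found');
    }
    // The section ends at the next `[...]` header (or at end of file).
    const rest = lines.slice(idx + 1);
    const nextHeader = rest.findIndex((line) => /^\s*\[/.test(line));
    const section = nextHeader === -1 ? rest : rest.slice(0, nextHeader);
    const roleLine = section.find((line) => /^\s*role_arn\s*=/.test(line));
    if (!roleLine) {
        throw new Error('Role not found');
    }
    // Keep everything after the first '=' in case the value contains one.
    return roleLine.split(/=/).slice(1).join('=').trim();
};
//# sourceMappingURL=assume-role.js.map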