snowflake-sdk/dist/lib/authentication/auth_workload_identity/attestation_aws.js

Node.js driver for Snowflake

"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getAwsCredentials = getAwsCredentials;
exports.getAwsRegion = getAwsRegion;
exports.getStsHostname = getStsHostname;
exports.getAwsAttestationToken = getAwsAttestationToken;
const credential_provider_node_1 = require("@aws-sdk/credential-provider-node");
const ec2_metadata_service_1 = require("@aws-sdk/ec2-metadata-service");
const protocol_http_1 = require("@aws-sdk/protocol-http");
const signature_v4_1 = require("@aws-sdk/signature-v4");
const sha256_js_1 = require("@aws-crypto/sha256-js");
const logger_1 = __importDefault(require("../../logger"));
async function getAwsCredentials() {
    try {
        (0, logger_1.default)().debug('Getting AWS credentials from default provider');
        return await (0, credential_provider_node_1.defaultProvider)()();
    }
    catch (error) {
        (0, logger_1.default)().debug('No AWS credentials were found.');
        return null;
    }
}
async function getAwsRegion() {
    if (process.env.AWS_REGION) {
        (0, logger_1.default)().debug('Getting AWS region from AWS_REGION');
        return process.env.AWS_REGION; // Lambda
    }
    else {
        try {
            (0, logger_1.default)().debug('Getting AWS region from EC2 metadata service');
            return await new ec2_metadata_service_1.MetadataService().request('/latest/meta-data/placement/region', {}); // EC2
        }
        catch (error) {
            (0, logger_1.default)().debug(`Failed to fetch AWS region from EC2 metadata service: ${error}`);
            return null;
        }
    }
}
function getStsHostname(region) {
    const domain = region.startsWith('cn-') ? 'amazonaws.com.cn' : 'amazonaws.com';
    return `sts.${region}.${domain}`;
}
/**
 * Tries to create a workload identity attestation for AWS.
 * If the application isn't running on AWS or no credentials were found, returns null.
 */
async function getAwsAttestationToken() {
    const credentials = await getAwsCredentials();
    if (!credentials) {
        return null;
    }
    const region = await getAwsRegion();
    if (!region) {
        return null;
    }
    const stsHostname = getStsHostname(region);
    const request = new protocol_http_1.HttpRequest({
        method: 'POST',
        protocol: 'https',
        hostname: stsHostname,
        path: '/',
        headers: {
            host: stsHostname,
            'x-snowflake-audience': 'snowflakecomputing.com',
        },
        query: {
            Action: 'GetCallerIdentity',
            Version: '2011-06-15',
        },
    });
    const signedRequest = await new signature_v4_1.SignatureV4({
        credentials,
        applyChecksum: false,
        region,
        service: 'sts',
        sha256: sha256_js_1.Sha256,
    }).sign(request);
    const token = {
        url: `https://${stsHostname}/?Action=GetCallerIdentity&Version=2011-06-15`,
        method: 'POST',
        headers: signedRequest.headers,
    };
    return btoa(JSON.stringify(token));
}
//# sourceMappingURL=attestation_aws.js.map