// Please do not touch this file. It's generated from template in:
// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
import { Credentials, Provider } from "@aws-sdk/types";
import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
import {
AssumeRoleWithWebIdentityCommand,
AssumeRoleWithWebIdentityCommandInput,
} from "./commands/AssumeRoleWithWebIdentityCommand";
import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSClient";
/**
 * Exchanges a set of source credentials for the credentials of another role
 * through sts:AssumeRole (see getDefaultRoleAssumer for the default implementation).
 *
 * @param sourceCreds - Credentials the STS client uses when making the AssumeRole request.
 * @param params - Input for the AssumeRole call (RoleArn and friends).
 * @returns The temporary credentials returned by STS.
 * @internal
 */
export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
// Region used for the STS call when none is configured, or when the configured
// region provider rejects (see decorateDefaultRegion).
const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
/**
 * Resolve the region the STS client should use, falling back to
 * ASSUME_ROLE_DEFAULT_REGION when the caller configured none.
 *
 * A literal (or undefined) is handled synchronously. A region provider is
 * wrapped so that a rejection is swallowed and replaced by the default region
 * instead of failing the whole role assumption.
 *
 * @param region - Configured region: a literal, an async provider, or undefined.
 * @returns The region literal, or a provider that never rejects.
 */
const decorateDefaultRegion = (region: string | Provider<string> | undefined): string | Provider<string> => {
  if (typeof region === "function") {
    const configuredProvider = region;
    return async () => {
      try {
        return await configuredProvider();
      } catch (e) {
        // Best effort: a failing region provider must not block the STS call.
        return ASSUME_ROLE_DEFAULT_REGION;
      }
    };
  }
  if (region === undefined) {
    return ASSUME_ROLE_DEFAULT_REGION;
  }
  return region;
};
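/**
 * Build the default RoleAssumer used by credential providers that need
 * sts:AssumeRole.
 *
 * The STS client is created lazily on the first call and reused afterwards.
 * Its credentials come from a provider that reads the closure variable
 * `closureSourceCreds`, which every call overwrites with its own `sourceCreds`,
 * so the single client signs with the credentials of the most recent call.
 * NOTE(review): because that variable is shared, concurrent calls with different
 * source credentials could sign with each other's credentials — callers appear
 * to use one source credential set per assumer; confirm.
 *
 * @param stsOptions - logger, region and requestHandler forwarded to the STS client.
 * @param stsClientCtor - Constructor used to create the STS client.
 * @returns An async function that assumes the role described by `params` using
 *   `sourceCreds` and returns the resulting temporary credentials. sessionToken
 *   and expiration are forwarded as returned by STS (possibly undefined).
 * @throws Error when STS responds without Credentials, an AccessKeyId or a SecretAccessKey.
 * @internal
 */
export const getDefaultRoleAssumer = (
  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
  stsClientCtor: new (options: STSClientConfig) => STSClient
): RoleAssumer => {
  // Declared as possibly-undefined so the lazy initialisation below type-checks under strict mode.
  let stsClient: STSClient | undefined;
  let closureSourceCreds: Credentials;
  return async (sourceCreds, params) => {
    closureSourceCreds = sourceCreds;
    if (!stsClient) {
      const { logger, region, requestHandler } = stsOptions;
      stsClient = new stsClientCtor({
        logger,
        // A hack to make the STS client use the credentials of the current call.
        credentialDefaultProvider: () => async () => closureSourceCreds,
        // `region` was destructured from stsOptions, so no second fallback is needed.
        region: decorateDefaultRegion(region),
        ...(requestHandler ? { requestHandler } : {}),
      });
    }
    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
    }
    return {
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretAccessKey,
      sessionToken: Credentials.SessionToken,
      expiration: Credentials.Expiration,
    };
  };
};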
/**
 * Obtains role credentials through sts:AssumeRoleWithWebIdentity. Unlike
 * RoleAssumer it takes no source credentials; see
 * getDefaultRoleAssumerWithWebIdentity for the default implementation.
 *
 * @param params - Input for the AssumeRoleWithWebIdentity call.
 * @returns The temporary credentials returned by STS.
 * @internal
 */
export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
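/**
 * Build the default RoleAssumerWithWebIdentity used by credential providers
 * that need sts:AssumeRoleWithWebIdentity.
 *
 * The STS client is created lazily on the first call and reused afterwards.
 * Unlike getDefaultRoleAssumer, no source credentials are configured on it:
 * only logger, region and requestHandler are forwarded.
 *
 * @param stsOptions - logger, region and requestHandler forwarded to the STS client.
 * @param stsClientCtor - Constructor used to create the STS client.
 * @returns An async function that calls AssumeRoleWithWebIdentity with `params`
 *   and returns the resulting temporary credentials. sessionToken and expiration
 *   are forwarded as returned by STS (possibly undefined).
 * @throws Error when STS responds without Credentials, an AccessKeyId or a SecretAccessKey.
 * @internal
 */
export const getDefaultRoleAssumerWithWebIdentity = (
  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
  stsClientCtor: new (options: STSClientConfig) => STSClient
): RoleAssumerWithWebIdentity => {
  // Declared as possibly-undefined so the lazy initialisation below type-checks under strict mode.
  let stsClient: STSClient | undefined;
  return async (params) => {
    if (!stsClient) {
      const { logger, region, requestHandler } = stsOptions;
      stsClient = new stsClientCtor({
        logger,
        // `region` was destructured from stsOptions, so no second fallback is needed.
        region: decorateDefaultRegion(region),
        ...(requestHandler ? { requestHandler } : {}),
      });
    }
    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
    }
    return {
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretAccessKey,
      sessionToken: Credentials.SessionToken,
      expiration: Credentials.Expiration,
    };
  };
};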
/**
 * Shape of the credential provider factory this module decorates: it receives
 * a configuration object and returns an async credentials provider.
 *
 * NOTE(review): `input` is typed `any`; the object passed in by
 * decorateDefaultCredentialProvider is the STS resolved config extended with
 * `roleAssumer` and `roleAssumerWithWebIdentity`, but the exact shape the
 * provider package expects is not visible here — confirm before narrowing.
 * @internal
 */
export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
/**
 * The default credential providers depend on an STS client to assume a role
 * with the desired API (sts:assumeRole, sts:assumeRoleWithWebIdentity, ...).
 * This function decorates such a provider with the default role assumers, which
 * encapsulate the STS calls, so the provider package need not depend on the STS
 * client. It can only be imported by AWS client packages to avoid circular
 * dependencies.
 *
 * @param provider - The credential provider factory to decorate.
 * @returns A factory that builds the role assumers from the STS resolved config
 *   and forwards them, together with the config itself, to `provider`.
 * @internal
 */
export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => {
  return (input: STSClientResolvedConfig) => {
    const { stsClientCtor } = input;
    const defaultAssumers = {
      roleAssumer: getDefaultRoleAssumer(input, stsClientCtor),
      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, stsClientCtor),
    };
    // `input` is spread last, so any assumers it already carries take precedence
    // over the defaults built above.
    return provider({ ...defaultAssumers, ...input });
  };
};