From be3776496993c8be981e91b1602570d894ce1dee Mon Sep 17 00:00:00 2001 From: George Fu Date: Mon, 7 Oct 2024 18:02:28 +0000 Subject: [PATCH] chore(credential-providers): attribute credential feature sources --- .../client-sts/src/defaultStsRoleAssumers.ts | 12 ++++++++++-- .../sts-client-defaultStsRoleAssumers.ts | 12 ++++++++++-- .../core/src/submodules/client/setFeature.ts | 2 +- .../aws_sdk/resolveAwsSdkSigV4Config.ts | 2 +- packages/credential-provider-env/package.json | 1 + .../credential-provider-env/src/fromEnv.ts | 5 +---- .../credential-provider-http/package.json | 1 + .../src/fromHttp/fromHttp.ts | 3 ++- packages/credential-provider-ini/package.json | 1 + .../src/resolveAssumeRoleCredentials.ts | 7 +++++-- .../src/resolveCredentialSource.ts | 12 ++++++++---- .../src/resolveProcessCredentials.ts | 3 ++- .../src/resolveProfileData.ts | 2 +- .../src/resolveSsoCredentials.ts | 17 ++++++++++++++--- .../src/resolveStaticCredentials.ts | 8 ++++++-- .../src/resolveWebIdentityCredentials.ts | 3 ++- .../credential-provider-process/package.json | 1 + .../src/getValidatedProcessCredentials.ts | 7 ++++++- packages/credential-provider-sso/package.json | 1 + .../src/resolveSSOCredentials.ts | 11 ++++++++++- .../package.json | 1 + .../src/fromTokenFile.ts | 4 ++-- packages/credential-providers/package.json | 1 + .../src/fromInstanceMetadata.ts | 4 +++- .../src/check-features.ts | 19 +++++++++++++++++-- 25 files changed, 108 insertions(+), 32 deletions(-) diff --git a/clients/client-sts/src/defaultStsRoleAssumers.ts b/clients/client-sts/src/defaultStsRoleAssumers.ts index 9daf5da2e9128..7bf55daf01f41 100644 --- a/clients/client-sts/src/defaultStsRoleAssumers.ts +++ b/clients/client-sts/src/defaultStsRoleAssumers.ts 
@@ -1,6 +1,7 @@ // smithy-typescript generated code // Please do not touch this file. It's generated from template in: // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts +import { setCredentialFeature } from "@aws-sdk/core"; import type { CredentialProviderOptions } from "@aws-sdk/types"; import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types"; @@ -118,7 +119,7 @@ export const getDefaultRoleAssumer = ( const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); - return { + const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, @@ -127,6 +128,8 @@ export const getDefaultRoleAssumer = ( ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }), ...(accountId && { accountId }), }; + setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i"); + return credentials; }; }; @@ -174,7 +177,7 @@ export const getDefaultRoleAssumerWithWebIdentity = ( const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); - return { + const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, @@ -183,6 +186,11 @@ export const getDefaultRoleAssumerWithWebIdentity = ( ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }), ...(accountId && { accountId }), }; + if (accountId) { + setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); + } + setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k"); + return credentials; }; }; 
diff --git a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts index f1183d03e993d..018d071f3b819 100644 --- a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts +++ b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import type { CredentialProviderOptions } from "@aws-sdk/types"; import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types"; @@ -115,7 +116,7 @@ export const getDefaultRoleAssumer = ( const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); - return { + const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, @@ -124,6 +125,8 @@ export const getDefaultRoleAssumer = ( ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }), ...(accountId && { accountId }), }; + setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE", "i"); + return credentials; }; }; @@ -171,7 +174,7 @@ export const getDefaultRoleAssumerWithWebIdentity = ( const accountId = getAccountIdFromAssumedRoleUser(AssumedRoleUser); - return { + const credentials = { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, 
@@ -180,6 +183,11 @@ export const getDefaultRoleAssumerWithWebIdentity = ( ...((Credentials as any).CredentialScope && { credentialScope: (Credentials as any).CredentialScope }), ...(accountId && { accountId }), }; + if (accountId) { + setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); + } + setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k"); + return credentials; }; }; diff --git a/packages/core/src/submodules/client/setFeature.ts b/packages/core/src/submodules/client/setFeature.ts index a525e790260bc..8853878a18e4c 100644 --- a/packages/core/src/submodules/client/setFeature.ts +++ b/packages/core/src/submodules/client/setFeature.ts @@ -33,7 +33,7 @@ export function setFeature( /** * @internal * - * sets feature attribution on the credential object. + * @returns the credentials with source feature attribution. */ export function setCredentialFeature( credentials: AttributedAwsCredentialIdentity, diff --git a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts index 5d19419bccb50..f3b931deb7795 100644 --- a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts +++ b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts @@ -1,4 +1,4 @@ -import { setCredentialFeature } from "@aws-sdk/core/client"; +import { setCredentialFeature } from "@aws-sdk/core"; import { AttributedAwsCredentialIdentity } from "@aws-sdk/types"; import { doesIdentityRequireRefresh, diff --git a/packages/credential-provider-env/package.json b/packages/credential-provider-env/package.json index 7a895656da593..4354ea5a15524 100644 --- a/packages/credential-provider-env/package.json +++ b/packages/credential-provider-env/package.json 
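Review bot: The `if (accountId) { setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); }` branch added to getDefaultRoleAssumerWithWebIdentity is inconsistent with the rest of this commit. getDefaultRoleAssumer gets no such branch, fromEnv.ts has the same branch removed, and check-features.ts now sets RESOLVED_ACCOUNT_ID from `credentials.accountId` for every provider. I would drop the branch and keep only `setCredentialFeature(credentials, "CREDENTIALS_STS_ASSUME_ROLE_WEB_ID", "k");` so the account-id feature is set in one place. The generated copy in clients/client-sts/src/defaultStsRoleAssumers.ts carries the same lines and would follow from regenerating; the function body starts outside this hunk.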
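Review bot: The rewritten doc comment on setCredentialFeature describes only the return value and no longer says that the argument itself is modified. Callers in this commit rely on both behaviours: getValidatedProcessCredentials.ts and resolveSSOCredentials.ts discard the return value and return the original object, while the ini resolvers use the returned value inside `.then(...)`. I would keep both statements, e.g. `sets feature attribution on the credential object in place.` followed by `@returns the same credentials object, with source feature attribution.`, after confirming against the function body, which is outside this hunk.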
@@ -24,6 +24,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/types": "*", "@smithy/property-provider": "^3.1.7", "@smithy/types": "^3.5.0", diff --git a/packages/credential-provider-env/src/fromEnv.ts b/packages/credential-provider-env/src/fromEnv.ts index 60e63489e06d3..d2ffb5dfd0885 100644 --- a/packages/credential-provider-env/src/fromEnv.ts +++ b/packages/credential-provider-env/src/fromEnv.ts @@ -1,4 +1,4 @@ -import { setCredentialFeature } from "@aws-sdk/core/client"; +import { setCredentialFeature } from "@aws-sdk/core"; import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types"; import { CredentialsProviderError } from "@smithy/property-provider"; import { AwsCredentialIdentityProvider } from "@smithy/types"; @@ -58,9 +58,6 @@ export const fromEnv = ...(accountId && { accountId }), } as AttributedAwsCredentialIdentity; setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS", "g"); - if (accountId) { - setCredentialFeature(credentials, "RESOLVED_ACCOUNT_ID", "T"); - } return credentials; } diff --git a/packages/credential-provider-http/package.json b/packages/credential-provider-http/package.json index 49e2a5d09a057..23eeab28b3099 100644 --- a/packages/credential-provider-http/package.json +++ b/packages/credential-provider-http/package.json @@ -26,6 +26,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/types": "*", "@smithy/fetch-http-handler": "^3.2.9", "@smithy/node-http-handler": "^3.2.4", diff --git a/packages/credential-provider-http/src/fromHttp/fromHttp.ts b/packages/credential-provider-http/src/fromHttp/fromHttp.ts index 287ab3a12a931..568961fb036f7 100644 --- a/packages/credential-provider-http/src/fromHttp/fromHttp.ts +++ b/packages/credential-provider-http/src/fromHttp/fromHttp.ts 
@@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { NodeHttpHandler } from "@smithy/node-http-handler"; import { CredentialsProviderError } from "@smithy/property-provider"; import { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types"; @@ -81,7 +82,7 @@ Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI } try { const result = await requestHandler.handle(request); - return getCredentials(result.response); + return getCredentials(result.response).then((creds) => setCredentialFeature(creds, "CREDENTIALS_HTTP", "z")); } catch (e: unknown) { throw new CredentialsProviderError(String(e), { logger: options.logger }); } diff --git a/packages/credential-provider-ini/package.json b/packages/credential-provider-ini/package.json index c377d43cc834f..c830be89456ff 100644 --- a/packages/credential-provider-ini/package.json +++ b/packages/credential-provider-ini/package.json @@ -24,6 +24,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/credential-provider-env": "*", "@aws-sdk/credential-provider-http": "*", "@aws-sdk/credential-provider-process": "*", diff --git a/packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts b/packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts index 8cf9ac29c5ae0..fdd1c5e98de64 100644 --- a/packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts +++ b/packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { CredentialsProviderError } from "@smithy/property-provider"; import { getProfileName } from "@smithy/shared-ini-file-loader"; import { AwsCredentialIdentity, IniSection, Logger, ParsedIniData, Profile } from "@smithy/types"; 
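Review bot: The new `return getCredentials(result.response).then(...)` in fromHttp.ts sits inside the `try` but is not awaited, so a rejection from getCredentials or from the `.then` callback bypasses the `catch` and is not wrapped in CredentialsProviderError. As written, only a failure of `requestHandler.handle(request)` is converted. If callers depend on that error type to tell a provider failure from an unexpected one, use `return setCredentialFeature(await getCredentials(result.response), "CREDENTIALS_HTTP", "z");`. The enclosing function begins outside the hunk.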
@@ -159,7 +160,7 @@ export const resolveAssumeRoleCredentials = async ( * can use its role_arn instead of redundantly needing another role_arn at * this final layer. */ - return sourceCredsProvider; + return sourceCredsProvider.then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o")); } else { const params: AssumeRoleParams = { RoleArn: data.role_arn!, @@ -181,7 +182,9 @@ export const resolveAssumeRoleCredentials = async ( } const sourceCreds = await sourceCredsProvider; - return options.roleAssumer!(sourceCreds, params); + return options.roleAssumer!(sourceCreds, params).then((creds) => + setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o") + ); } }; diff --git a/packages/credential-provider-ini/src/resolveCredentialSource.ts b/packages/credential-provider-ini/src/resolveCredentialSource.ts index 8c4efb47617f0..fc1d460c95361 100644 --- a/packages/credential-provider-ini/src/resolveCredentialSource.ts +++ b/packages/credential-provider-ini/src/resolveCredentialSource.ts @@ -1,4 +1,5 @@ -import type { CredentialProviderOptions } from "@aws-sdk/types"; +import { setCredentialFeature } from "@aws-sdk/core"; +import type { AwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types"; import { chain, CredentialsProviderError } from "@smithy/property-provider"; import { AwsCredentialIdentityProvider, Logger } from "@smithy/types"; 
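Review bot: The second added return in resolveAssumeRoleCredentials chains `.then(...)` directly after `const sourceCreds = await sourceCredsProvider;`, mixing two async styles in one function. I would write `const creds = await options.roleAssumer!(sourceCreds, params);` and `return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o");`, and use the same await form in the first branch. Both branches also apply the same source-profile tag. Whether `sourceCredsProvider` can originate from a `credential_source` entry rather than a source profile is not visible in these hunks, so that attribution is worth confirming against the code above them.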
@@ -21,17 +22,17 @@ export const resolveCredentialSource = ( const { fromHttp } = await import("@aws-sdk/credential-provider-http"); const { fromContainerMetadata } = await import("@smithy/credential-provider-imds"); logger?.debug("@aws-sdk/credential-provider-ini - credential_source is EcsContainer"); - return chain(fromHttp(options ?? {}), fromContainerMetadata(options)); + return async () => chain(fromHttp(options ?? {}), fromContainerMetadata(options))().then(setNamedProvider); }, Ec2InstanceMetadata: async (options?: CredentialProviderOptions) => { logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Ec2InstanceMetadata"); const { fromInstanceMetadata } = await import("@smithy/credential-provider-imds"); - return fromInstanceMetadata(options); + return async () => fromInstanceMetadata(options)().then(setNamedProvider); }, Environment: async (options?: CredentialProviderOptions) => { logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Environment"); const { fromEnv } = await import("@aws-sdk/credential-provider-env"); - return fromEnv(options); + return async () => fromEnv(options)().then(setNamedProvider); }, }; if (credentialSource in sourceProvidersMap) { @@ -44,3 +45,6 @@ export const resolveCredentialSource = ( ); } }; + +const setNamedProvider = (creds: AwsCredentialIdentity) => + setCredentialFeature(creds, "CREDENTIALS_PROFILE_NAMED_PROVIDER", "p"); diff --git a/packages/credential-provider-ini/src/resolveProcessCredentials.ts b/packages/credential-provider-ini/src/resolveProcessCredentials.ts index 152f9db5d11a1..b2ac28b7cbda3 100644 --- a/packages/credential-provider-ini/src/resolveProcessCredentials.ts +++ b/packages/credential-provider-ini/src/resolveProcessCredentials.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { Credentials, Profile } from "@aws-sdk/types"; import { FromIniInit } from "./fromIni"; 
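Review bot: Each returned closure in resolveCredentialSource now constructs its provider on every invocation: `return async () => fromInstanceMetadata(options)().then(setNamedProvider);` calls `fromInstanceMetadata(options)` each time credentials are requested, whereas the old code built it once. If any of these providers keeps per-instance state (cached values, fallback to previously fetched credentials, retry bookkeeping), that state is discarded on each call. This matters most for the metadata-service sources, where a transient endpoint failure is exactly when such state is needed. Build the provider once and wrap only the call: `const provider = fromInstanceMetadata(options);` then `return async () => provider().then(setNamedProvider);`. The same applies to the EcsContainer and Environment entries here and to the hunk in packages/credential-providers/src/fromInstanceMetadata.ts.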
@@ -23,5 +24,5 @@ export const resolveProcessCredentials = async (options: FromIniInit, profile: s fromProcess({ ...options, profile, - })() + })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_PROCESS", "v")) ); diff --git a/packages/credential-provider-ini/src/resolveProfileData.ts b/packages/credential-provider-ini/src/resolveProfileData.ts index 42a4b30115dc4..522318b07d8f0 100644 --- a/packages/credential-provider-ini/src/resolveProfileData.ts +++ b/packages/credential-provider-ini/src/resolveProfileData.ts @@ -59,7 +59,7 @@ export const resolveProfileData = async ( } if (isSsoProfile(data)) { - return await resolveSsoCredentials(profileName, options); + return await resolveSsoCredentials(profileName, data, options); } // If the profile cannot be parsed or contains neither static credentials diff --git a/packages/credential-provider-ini/src/resolveSsoCredentials.ts b/packages/credential-provider-ini/src/resolveSsoCredentials.ts index ca0f0271559b1..dddaf2879dbcd 100644 --- a/packages/credential-provider-ini/src/resolveSsoCredentials.ts +++ b/packages/credential-provider-ini/src/resolveSsoCredentials.ts 
@@ -1,16 +1,27 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import type { SsoProfile } from "@aws-sdk/credential-provider-sso"; import type { CredentialProviderOptions } from "@aws-sdk/types"; -import type { Profile } from "@smithy/types"; +import type { IniSection, Profile } from "@smithy/types"; /** * @internal */ -export const resolveSsoCredentials = async (profile: string, options: CredentialProviderOptions = {}) => { +export const resolveSsoCredentials = async ( + profile: string, + profileData: IniSection, + options: CredentialProviderOptions = {} +) => { const { fromSSO } = await import("@aws-sdk/credential-provider-sso"); return fromSSO({ profile, logger: options.logger, - })(); + })().then((creds) => { + if (profileData.sso_session) { + return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r"); + } else { + return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO_LEGACY", "t"); + } + }); }; /** diff --git a/packages/credential-provider-ini/src/resolveStaticCredentials.ts b/packages/credential-provider-ini/src/resolveStaticCredentials.ts index a778252f1d95d..8468b5fbf2965 100644 --- a/packages/credential-provider-ini/src/resolveStaticCredentials.ts +++ b/packages/credential-provider-ini/src/resolveStaticCredentials.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { AwsCredentialIdentity, Profile } from "@smithy/types"; import { FromIniInit } from "./fromIni"; 
@@ -32,11 +33,14 @@ export const resolveStaticCredentials = ( options?: FromIniInit ): Promise => { options?.logger?.debug("@aws-sdk/credential-provider-ini - resolveStaticCredentials"); - return Promise.resolve({ + + const credentials = { accessKeyId: profile.aws_access_key_id, secretAccessKey: profile.aws_secret_access_key, sessionToken: profile.aws_session_token, ...(profile.aws_credential_scope && { credentialScope: profile.aws_credential_scope }), ...(profile.aws_account_id && { accountId: profile.aws_account_id }), - }); + }; + + return Promise.resolve(setCredentialFeature(credentials, "CREDENTIALS_PROFILE", "n")); }; diff --git a/packages/credential-provider-ini/src/resolveWebIdentityCredentials.ts b/packages/credential-provider-ini/src/resolveWebIdentityCredentials.ts index 8eef85d465c4f..702b730a52bb2 100644 --- a/packages/credential-provider-ini/src/resolveWebIdentityCredentials.ts +++ b/packages/credential-provider-ini/src/resolveWebIdentityCredentials.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { AwsCredentialIdentity, Profile } from "@smithy/types"; import { FromIniInit } from "./fromIni"; @@ -36,5 +37,5 @@ export const resolveWebIdentityCredentials = async ( roleAssumerWithWebIdentity: options.roleAssumerWithWebIdentity, logger: options.logger, parentClientConfig: options.parentClientConfig, - })() + })().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN", "q")) ); diff --git a/packages/credential-provider-process/package.json b/packages/credential-provider-process/package.json index 000297499a6ec..b73d4720cd89b 100644 --- a/packages/credential-provider-process/package.json +++ b/packages/credential-provider-process/package.json @@ -24,6 +24,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/types": "*", "@smithy/property-provider": "^3.1.7", "@smithy/shared-ini-file-loader": "^3.1.8", 
diff --git a/packages/credential-provider-process/src/getValidatedProcessCredentials.ts b/packages/credential-provider-process/src/getValidatedProcessCredentials.ts index 6b0284972eca9..bbb56d18093d3 100644 --- a/packages/credential-provider-process/src/getValidatedProcessCredentials.ts +++ b/packages/credential-provider-process/src/getValidatedProcessCredentials.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { AwsCredentialIdentity, ParsedIniData } from "@smithy/types"; import { ProcessCredentials } from "./ProcessCredentials"; @@ -31,7 +32,7 @@ export const getValidatedProcessCredentials = ( accountId = profiles[profileName].aws_account_id; } - return { + const credentials = { accessKeyId: data.AccessKeyId, secretAccessKey: data.SecretAccessKey, ...(data.SessionToken && { sessionToken: data.SessionToken }), @@ -39,4 +40,8 @@ export const getValidatedProcessCredentials = ( ...(data.CredentialScope && { credentialScope: data.CredentialScope }), ...(accountId && { accountId }), }; + + setCredentialFeature(credentials, "CREDENTIALS_PROCESS", "w"); + + return credentials; }; diff --git a/packages/credential-provider-sso/package.json b/packages/credential-provider-sso/package.json index e9cf34e486514..0bb7022318289 100644 --- a/packages/credential-provider-sso/package.json +++ b/packages/credential-provider-sso/package.json @@ -24,6 +24,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/client-sso": "*", "@aws-sdk/token-providers": "*", "@aws-sdk/types": "*", diff --git a/packages/credential-provider-sso/src/resolveSSOCredentials.ts b/packages/credential-provider-sso/src/resolveSSOCredentials.ts index 48b598bd092e7..ff47a2e866329 100644 --- a/packages/credential-provider-sso/src/resolveSSOCredentials.ts +++ b/packages/credential-provider-sso/src/resolveSSOCredentials.ts 
@@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers"; import { CredentialsProviderError } from "@smithy/property-provider"; import { getSSOTokenFromFile, SSOToken } from "@smithy/shared-ini-file-loader"; @@ -103,7 +104,7 @@ export const resolveSSOCredentials = async ({ }); } - return { + const credentials = { accessKeyId, secretAccessKey, sessionToken, @@ -111,4 +112,12 @@ export const resolveSSOCredentials = async ({ ...(credentialScope && { credentialScope }), ...(accountId && { accountId }), }; + + if (ssoSession) { + setCredentialFeature(credentials, "CREDENTIALS_SSO", "s"); + } else { + setCredentialFeature(credentials, "CREDENTIALS_SSO_LEGACY", "u"); + } + + return credentials; }; diff --git a/packages/credential-provider-web-identity/package.json b/packages/credential-provider-web-identity/package.json index 2e16d10a0f65e..4f1d855466caa 100644 --- a/packages/credential-provider-web-identity/package.json +++ b/packages/credential-provider-web-identity/package.json @@ -32,6 +32,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/types": "*", "@smithy/property-provider": "^3.1.7", "@smithy/types": "^3.5.0", diff --git a/packages/credential-provider-web-identity/src/fromTokenFile.ts b/packages/credential-provider-web-identity/src/fromTokenFile.ts index 881e5cf54d635..3c954d644d8c0 100644 --- a/packages/credential-provider-web-identity/src/fromTokenFile.ts +++ b/packages/credential-provider-web-identity/src/fromTokenFile.ts @@ -1,4 +1,4 @@ -import { setCredentialFeature } from "@aws-sdk/core/client"; +import { setCredentialFeature } from "@aws-sdk/core"; import { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types"; import { CredentialsProviderError } from "@smithy/property-provider"; import type { AwsCredentialIdentityProvider } from "@smithy/types"; 
@@ -48,7 +48,7 @@ export const fromTokenFile = roleSessionName, })(); - if (process.env[ENV_TOKEN_FILE]) { + if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) { setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h"); } diff --git a/packages/credential-providers/package.json b/packages/credential-providers/package.json index 1032902aedcf2..d36dd72d8d70c 100644 --- a/packages/credential-providers/package.json +++ b/packages/credential-providers/package.json @@ -29,6 +29,7 @@ }, "license": "Apache-2.0", "dependencies": { + "@aws-sdk/core": "*", "@aws-sdk/client-cognito-identity": "*", "@aws-sdk/client-sso": "*", "@aws-sdk/client-sts": "*", diff --git a/packages/credential-providers/src/fromInstanceMetadata.ts b/packages/credential-providers/src/fromInstanceMetadata.ts index 00347eac5fe1c..ddbff8f97d8e8 100644 --- a/packages/credential-providers/src/fromInstanceMetadata.ts +++ b/packages/credential-providers/src/fromInstanceMetadata.ts @@ -1,3 +1,4 @@ +import { setCredentialFeature } from "@aws-sdk/core"; import type { CredentialProviderOptions } from "@aws-sdk/types"; import { fromInstanceMetadata as _fromInstanceMetadata, @@ -28,5 +29,6 @@ export const fromInstanceMetadata = ( init?: _RemoteProviderInit & CredentialProviderOptions ): AwsCredentialIdentityProvider => { init?.logger?.debug("@smithy/credential-provider-imds", "fromInstanceMetadata"); - return _fromInstanceMetadata(init); + return async () => + _fromInstanceMetadata(init)().then((creds) => setCredentialFeature(creds, "CREDENTIALS_IMDS", "0")); }; diff --git a/packages/middleware-user-agent/src/check-features.ts b/packages/middleware-user-agent/src/check-features.ts index c47446aba3cdb..4a747f89e70cb 100644 --- a/packages/middleware-user-agent/src/check-features.ts +++ b/packages/middleware-user-agent/src/check-features.ts 
@@ -1,13 +1,18 @@ import { setFeature } from "@aws-sdk/core"; import type { AccountIdEndpointMode } from "@aws-sdk/core/account-id-endpoint"; -import type { AwsHandlerExecutionContext } from "@aws-sdk/types"; +import type { + AttributedAwsCredentialIdentity, + AwsHandlerExecutionContext, + AwsSdkCredentialsFeatures, +} from "@aws-sdk/types"; import type { IHttpRequest } from "@smithy/protocol-http"; -import type { BuildHandlerArguments, Provider } from "@smithy/types"; +import type { AwsCredentialIdentityProvider, BuildHandlerArguments, Provider } from "@smithy/types"; /** * @internal */ type PreviouslyResolved = Partial<{ + credentials?: AwsCredentialIdentityProvider; accountIdEndpointMode?: Provider; }>; @@ -36,4 +41,14 @@ export async function checkFeatures( break; } } + + if (typeof config.credentials === "function") { + const credentials: AttributedAwsCredentialIdentity = await config.credentials?.(); + if (credentials.accountId) { + setFeature(context, "RESOLVED_ACCOUNT_ID", "T"); + } + for (const [key, value] of Object.entries(credentials.$source ?? {})) { + setFeature(context, key as keyof AwsSdkCredentialsFeatures, value); + } + } }
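Review bot: `await config.credentials?.()` in checkFeatures is unguarded, so a rejecting credential provider now fails the request from the user-agent feature check, and the provider is invoked even for operations that may not need credentials. Attribution is telemetry and should be best-effort: wrap the lookup in try/catch, and drop the `?.`, which is redundant after the `typeof` test. Separately, the keys of `credentials.$source` are cast to `keyof AwsSdkCredentialsFeatures` without a check, so whatever a custom provider places there is forwarded to setFeature; an allow-list of known feature names would keep that input bounded. If the already-resolved identity is available on the handler context (not visible here), reading it from there would avoid a second provider call.

```typescript
  if (typeof config.credentials === "function") {
    try {
      const credentials: AttributedAwsCredentialIdentity = await config.credentials();
      // … unchanged: RESOLVED_ACCOUNT_ID check and $source loop …
    } catch {
      // Attribution is best-effort; do not fail the request from the feature check.
    }
  }
```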