
Allow customizable credential provider chain #6272

Closed
1 of 2 tasks
mxxk opened this issue Jul 11, 2024 · 5 comments
Assignees
Labels
closed-for-staleness feature-request New feature or enhancement. May require GitHub community feedback. p2 This is a standard priority issue pending-release This issue will be fixed by an approved PR that hasn't been released yet.

Comments

@mxxk
Contributor

mxxk commented Jul 11, 2024

Describe the feature

Provide a construct to allow users of the AWS SDK for JavaScript v3 to express a chain of credential providers. An example of this is the @aws-sdk/credential-provider-node provider, but its chain of credentials is not customizable. This was possible in v2 using CredentialProviderChain, but there is no equivalent in v3.

Use Case

Here are some example use cases which are not currently supported due to lack of custom composition of credential providers:

  • Credential provider exclusion. There is no way to remove specific credential providers from the chain for security purposes. For example, if credentials should only be sourced from ECS container metadata or a file, but not from environment variables, there is no way to chain only those two credential providers.
  • Custom credential providers. If there is a custom credential provider, there is no way to compose it into a chain of other credential providers.

Proposed Solution

Since @aws-sdk/credential-provider-node relies on chain to compose multiple credential providers,

export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvider<AwsCredentialIdentity> =>
  memoize(
    chain(

one possible way forward might be to expose chain (and possibly memoize) for public consumption. Both currently belong to @smithy/property-provider, an internal package.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

3.614.0

Environment details (OS name and version, etc.)

macOS 14.5

@mxxk mxxk added feature-request New feature or enhancement. May require GitHub community feedback. needs-triage This issue or PR still needs to be triaged. labels Jul 11, 2024
@kuhe
Contributor

kuhe commented Jul 17, 2024

You can use promises to create a credential chain.

import { fromEnv, fromSSO, fromIni, fromHttp } from "@aws-sdk/credential-providers";

// A custom provider is any async function resolving to { accessKeyId, secretAccessKey, ... }
const myCredentialProvider = async () => ({ secretAccessKey, ... });

// AWSSDKClient stands for any v3 service client (S3Client, etc.)
new AWSSDKClient({
  credentials: () =>
    fromEnv()()                 // invoke the first provider; each .catch() falls through to the next on rejection
      .catch(fromSSO())
      .catch(fromHttp())
      .catch(fromIni())
      .catch(myCredentialProvider)
});

@mxxk
Contributor Author

mxxk commented Jul 17, 2024

Thanks @kuhe, if this is the best way, I can explore it further. One discrepancy I noticed right off the bat is that the .catch() in your example will catch all promise rejections, but chain only proceeds to the next provider if the err?.tryNextLink property is set:

try {
  const credentials = await provider();
  return credentials;
} catch (err) {
  lastProviderError = err;
  if (err?.tryNextLink) {
    continue;
  }
  throw err;
}

Of course, this consideration can be rolled into a helper similar to chain, but I wanted to call it out.

@aBurmeseDev aBurmeseDev removed the needs-triage This issue or PR still needs to be triaged. label Jul 18, 2024
@zshzbh
Contributor

zshzbh commented Jul 22, 2024

Hey @mxxk,

This tryNextLink is specifically for error handling. Please refer to this part of the code/comment:

If a provider in the chain is rejected with an error, the chain will only proceed to the next provider if the value of the tryNextLink property on the error is truthy. This allows individual providers to halt the chain and also ensures the chain will stop if an entirely unexpected error is encountered.

It seems that you want us to export it; this was discussed by the team and the feature won't be considered at this time, unfortunately. I'd suggest trying the solution that @kuhe posted. And please don't hesitate to let us know if you have any questions!

Thanks!
Maggie

@zshzbh zshzbh added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jul 22, 2024
@mxxk
Contributor Author

mxxk commented Jul 23, 2024

@zshzbh yep, that makes sense. Let me summarize your recommendation for this issue...

In order to create a custom credential provider chain, developers using AWS SDK for JavaScript v3 can implement a helper like the following:

function chainCredentialProviders(providers) {
  return async function getCredentials() {
    let lastError;
    for (const provider of providers) {
      try {
        return await provider();
      } catch (error) {
        lastError = error;
        if (!error?.tryNextLink) {
          throw error; // hard failure: halt the chain
        }
      }
    }
    // every provider declined: surface the last reason instead of resolving to undefined
    throw lastError ?? new Error("No credential providers in chain");
  };
}

This helper can be used as follows:

import { S3Client } from "@aws-sdk/client-s3";
import { fromSSO, fromHttp, fromIni } from "@aws-sdk/credential-providers";

const myCustomCredentialProvider = async () => ({ secretAccessKey, ... });

const s3Client = new S3Client({
  region: "us-west-2",
  credentials: chainCredentialProviders([
    fromSSO(),
    fromHttp(),
    fromIni(),
    myCustomCredentialProvider,
  ]),
});

Since there is no additional action here, I can close this issue as "not planned", and hope the workaround documented here can help future readers.
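Added example, not code from the SDK or from any participant in this thread: a chain helper with the tryNextLink semantics quoted above, a one-shot memoize like the one defaultProvider wraps its chain in, and constructed stand-in providers exercising the exclusion and halting use cases from the issue description. ProviderError, absent, broken and found are assumed names; real providers come from @aws-sdk/credential-providers.

```javascript
class ProviderError extends Error {
  constructor(message, tryNextLink) {
    super(message);
    this.name = "ProviderError";
    this.tryNextLink = tryNextLink; // truthy: this link declines and the chain may continue
  }
}

// Walk providers in order; continue only on errors flagged tryNextLink, otherwise halt.
function chainCredentialProviders(...providers) {
  if (providers.length === 0) throw new Error("chain needs at least one provider");
  return async function getCredentials() {
    let lastProviderError;
    for (const provider of providers) {
      try {
        return await provider();
      } catch (err) {
        lastProviderError = err;
        if (err?.tryNextLink) continue; // soft failure: try the next link
        throw err;                     // hard or unexpected failure: stop here
      }
    }
    throw lastProviderError;           // every link declined: surface the last reason
  };
}

// Resolve the chain once per client; a rejection is not cached, so a later call retries.
function memoize(provider) {
  let pending;
  return () => {
    if (!pending) pending = provider().catch((err) => { pending = undefined; throw err; });
    return pending;
  };
}
// Constructed stand-ins for SDK providers; `calls` records how often each link runs.
const calls = {};
const tally = (name) => { calls[name] = (calls[name] || 0) + 1; };
const absent = (name) => async () => { tally(name); throw new ProviderError(`${name}: not configured`, true); };
const broken = (name) => async () => { tally(name); throw new ProviderError(`${name}: unreadable`, false); };
const found = (name, accessKeyId) => async () => {
  tally(name);
  return { accessKeyId, secretAccessKey: "constructed-secret", source: name };
};
// Exclusion use case: the env provider is simply not in the chain; metadata absent, profile file wins.
const fileOrMetadata = memoize(chainCredentialProviders(absent("container"), found("ini", "AKIACONSTRUCTED")));
// Halting use case: an unreadable profile stops the chain before the custom provider is consulted.
const halting = chainCredentialProviders(absent("metadata"), broken("profile"), found("custom", "AKIANEVER"));
// Exhaustion case: when every link declines, the last link's error is what the caller sees.
const exhausted = chainCredentialProviders(absent("first"), absent("last"));
```

Calling fileOrMetadata() twice walks the chain once; halting() rejects with the profile error and never invokes the custom provider.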

@mxxk mxxk closed this as not planned Jul 23, 2024
@kuhe kuhe reopened this Jul 30, 2024
@kuhe kuhe added p2 This is a standard priority issue and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 30, 2024
@kuhe kuhe self-assigned this Jul 30, 2024
@kuhe kuhe mentioned this issue Jul 30, 2024
@kuhe kuhe added the queued This issue is on the AWS team's backlog label Aug 1, 2024
@kuhe kuhe added closing-soon This issue will automatically close in 4 days unless further comments are made. pending-release This issue will be fixed by an approved PR that hasn't been released yet. and removed queued This issue is on the AWS team's backlog labels Aug 12, 2024
@github-actions github-actions bot added closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 13, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2024