@aws-sdk/client-sts 3.35.0 → 3.38.0

package/src/commands/GetFederationTokenCommand.ts

@@ -1,235 +0,0 @@
-import { getSerdePlugin } from "@aws-sdk/middleware-serde";
-import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
-import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
-import { Command as $Command } from "@aws-sdk/smithy-client";
-import {
-  FinalizeHandlerArguments,
-  Handler,
-  HandlerExecutionContext,
-  HttpHandlerOptions as __HttpHandlerOptions,
-  MetadataBearer as __MetadataBearer,
-  MiddlewareStack,
-  SerdeContext as __SerdeContext,
-} from "@aws-sdk/types";
-
-import { GetFederationTokenRequest, GetFederationTokenResponse } from "../models/models_0";
-import {
-  deserializeAws_queryGetFederationTokenCommand,
-  serializeAws_queryGetFederationTokenCommand,
-} from "../protocols/Aws_query";
-import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient";
-
-export interface GetFederationTokenCommandInput extends GetFederationTokenRequest {}
-export interface GetFederationTokenCommandOutput extends GetFederationTokenResponse, __MetadataBearer {}
-
-/**
- * <p>Returns a set of temporary security credentials (consisting of an access key ID, a
- *          secret access key, and a security token) for a federated user. A typical use is in a proxy
- *          application that gets temporary security credentials on behalf of distributed applications
- *          inside a corporate network. You must call the <code>GetFederationToken</code> operation
- *          using the long-term security credentials of an IAM user. As a result, this call is
- *          appropriate in contexts where those credentials can be safely stored, usually in a
- *          server-based application. For a comparison of <code>GetFederationToken</code> with the
- *          other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *             Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             STS API operations</a> in the <i>IAM User Guide</i>.</p>
- *          <note>
- *             <p>You can create a mobile-based or browser-based app that can authenticate users using
- *             a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
- *             Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
- *                <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
- *                <i>IAM User Guide</i>.</p>
- *          </note>
- *          <p>You can also call <code>GetFederationToken</code> using the security credentials of an
- *          Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create
- *          an IAM user for the purpose of the proxy application. Then attach a policy to the IAM
- *          user that limits federated users to only the actions and resources that they need to
- *          access. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">IAM Best Practices</a> in the
- *             <i>IAM User Guide</i>. </p>
- *          <p>
- *             <b>Session duration</b>
- *          </p>
- *          <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
- *          minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
- *          43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account
- *          root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>You can use the temporary credentials created by <code>GetFederationToken</code> in any
- *          Amazon Web Services service except the following:</p>
- *          <ul>
- *             <li>
- *                <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API. </p>
- *             </li>
- *             <li>
- *                <p>You cannot call any STS operations except <code>GetCallerIdentity</code>.</p>
- *             </li>
- *          </ul>
- *          <p>You must pass an inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policy</a> to
- *          this operation. You can pass a single JSON policy document to use as an inline session
- *          policy. You can also specify up to 10 managed policies to use as managed session policies.
- *          The plaintext that you use for both inline and managed session policies can't exceed 2,048
- *          characters.</p>
- *          <p>Though the session policy parameters are optional, if you do not pass a policy, then the
- *          resulting federated user session has no permissions. When you pass session policies, the
- *          session permissions are the intersection of the IAM user policies and the session
- *          policies that you pass. This gives you a way to further restrict the permissions for a
- *          federated user. You cannot use session policies to grant more permissions than those that
- *          are defined in the permissions policy of the IAM user. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
- *             Policies</a> in the <i>IAM User Guide</i>. For information about
- *          using <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
- *          <p>You can use the credentials to access a resource that has a resource-based policy. If
- *          that policy specifically references the federated user session in the
- *             <code>Principal</code> element of the policy, the session has the permissions allowed by
- *          the policy. These permissions are granted in addition to the permissions granted by the
- *          session policies.</p>
- *          <p>
- *             <b>Tags</b>
- *          </p>
- *          <p>(Optional) You can pass tag key-value pairs to your session. These are called session
- *          tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
- *             <i>IAM User Guide</i>.</p>
- *         <note>
- *             <p>You can create a mobile-based or browser-based app that can authenticate users
- *                 using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
- *                 Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
- *                     <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
- *                     <i>IAM User Guide</i>.</p>
- *         </note>
- *         <p>You can also call <code>GetFederationToken</code> using the security credentials of an
- *             Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you
- *             create an IAM user for the purpose of the proxy application. Then attach a policy to
- *             the IAM user that limits federated users to only the actions and resources that they
- *             need to access. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">IAM Best Practices</a> in the
- *                 <i>IAM User Guide</i>. </p>
- *         <p>
- *             <b>Session duration</b>
- *          </p>
- *         <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
- *             minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
- *             43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services
- *             account root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
- *         <p>
- *             <b>Permissions</b>
- *         </p>
- *         <p>You can use the temporary credentials created by <code>GetFederationToken</code> in
- *             any Amazon Web Services service except the following:</p>
- *         <ul>
- *             <li>
- *                 <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API.
- *                 </p>
- *             </li>
- *             <li>
- *                 <p>You cannot call any STS operations except
- *                     <code>GetCallerIdentity</code>.</p>
- *             </li>
- *          </ul>
- *         <p>You must pass an inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policy</a> to
- *             this operation. You can pass a single JSON policy document to use as an inline session
- *             policy. You can also specify up to 10 managed policies to use as managed session
- *             policies. The plain text that you use for both inline and managed session policies can't
- *             exceed 2,048 characters.</p>
- *         <p>Though the session policy parameters are optional, if you do not pass a policy, then
- *             the resulting federated user session has no permissions. When you pass session policies,
- *             the session permissions are the intersection of the IAM user policies and the session
- *             policies that you pass. This gives you a way to further restrict the permissions for a
- *             federated user. You cannot use session policies to grant more permissions than those
- *             that are defined in the permissions policy of the IAM user. For more information, see
- *                 <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session Policies</a>
- *             in the <i>IAM User Guide</i>. For information about using
- *                 <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
- *         <p>You can use the credentials to access a resource that has a resource-based policy. If
- *             that policy specifically references the federated user session in the
- *                 <code>Principal</code> element of the policy, the session has the permissions
- *             allowed by the policy. These permissions are granted in addition to the permissions
- *             granted by the session policies.</p>
- *         <p>
- *             <b>Tags</b>
- *          </p>
- *         <p>(Optional) You can pass tag key-value pairs to your session. These are called session
- *             tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
- *             the <i>IAM User Guide</i>.</p>
- *         <p>An administrator must grant you the permissions necessary to pass session tags. The
- *             administrator can also create granular permissions to allow you to pass only specific
- *             session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using
- *                 Tags for Attribute-Based Access Control</a> in the
- *                 <i>IAM User Guide</i>.</p>
- *         <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
- *             cannot have separate <code>Department</code> and <code>department</code> tag keys.
- *             Assume that the user that you are federating has the
- *                 <code>Department</code>=<code>Marketing</code> tag and you pass the
- *                 <code>department</code>=<code>engineering</code> session tag.
- *                 <code>Department</code> and <code>department</code> are not saved as separate tags,
- *             and the session tag passed in the request takes precedence over the user tag.</p>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, GetFederationTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, GetFederationTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new GetFederationTokenCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GetFederationTokenCommandInput} for command's `input` shape.
- * @see {@link GetFederationTokenCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-export class GetFederationTokenCommand extends $Command<
-  GetFederationTokenCommandInput,
-  GetFederationTokenCommandOutput,
-  STSClientResolvedConfig
-> {
-  // Start section: command_properties
-  // End section: command_properties
-
-  constructor(readonly input: GetFederationTokenCommandInput) {
-    // Start section: command_constructor
-    super();
-    // End section: command_constructor
-  }
-
-  /**
-   * @internal
-   */
-  resolveMiddleware(
-    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
-    configuration: STSClientResolvedConfig,
-    options?: __HttpHandlerOptions
-  ): Handler<GetFederationTokenCommandInput, GetFederationTokenCommandOutput> {
-    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
-    this.middlewareStack.use(getAwsAuthPlugin(configuration));
-
-    const stack = clientStack.concat(this.middlewareStack);
-
-    const { logger } = configuration;
-    const clientName = "STSClient";
-    const commandName = "GetFederationTokenCommand";
-    const handlerExecutionContext: HandlerExecutionContext = {
-      logger,
-      clientName,
-      commandName,
-      inputFilterSensitiveLog: GetFederationTokenRequest.filterSensitiveLog,
-      outputFilterSensitiveLog: GetFederationTokenResponse.filterSensitiveLog,
-    };
-    const { requestHandler } = configuration;
-    return stack.resolve(
-      (request: FinalizeHandlerArguments<any>) =>
-        requestHandler.handle(request.request as __HttpRequest, options || {}),
-      handlerExecutionContext
-    );
-  }
-
-  private serialize(input: GetFederationTokenCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
-    return serializeAws_queryGetFederationTokenCommand(input, context);
-  }
-
-  private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<GetFederationTokenCommandOutput> {
-    return deserializeAws_queryGetFederationTokenCommand(output, context);
-  }
-
-  // Start section: command_body_extra
-  // End section: command_body_extra
-}

package/src/commands/GetSessionTokenCommand.ts

@@ -1,148 +0,0 @@
-import { getSerdePlugin } from "@aws-sdk/middleware-serde";
-import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
-import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
-import { Command as $Command } from "@aws-sdk/smithy-client";
-import {
-  FinalizeHandlerArguments,
-  Handler,
-  HandlerExecutionContext,
-  HttpHandlerOptions as __HttpHandlerOptions,
-  MetadataBearer as __MetadataBearer,
-  MiddlewareStack,
-  SerdeContext as __SerdeContext,
-} from "@aws-sdk/types";
-
-import { GetSessionTokenRequest, GetSessionTokenResponse } from "../models/models_0";
-import {
-  deserializeAws_queryGetSessionTokenCommand,
-  serializeAws_queryGetSessionTokenCommand,
-} from "../protocols/Aws_query";
-import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient";
-
-export interface GetSessionTokenCommandInput extends GetSessionTokenRequest {}
-export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, __MetadataBearer {}
-
-/**
- * <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
- *          credentials consist of an access key ID, a secret access key, and a security token.
- *          Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect
- *          programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>.
- *          MFA-enabled IAM users would need to call <code>GetSessionToken</code> and submit an MFA
- *          code that is associated with their MFA device. Using the temporary security credentials
- *          that are returned from the call, IAM users can then make programmatic calls to API
- *          operations that require MFA authentication. If you do not supply a correct MFA code, then
- *          the API returns an access denied error. For a comparison of <code>GetSessionToken</code>
- *          with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
- *             Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             STS API operations</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Session Duration</b>
- *          </p>
- *          <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services
- *          security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
- *          created by IAM users are valid for the duration that you specify. This duration can range
- *          from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
- *          of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
- *          seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>The temporary security credentials created by <code>GetSessionToken</code> can be used
- *          to make API calls to any Amazon Web Services service with the following exceptions:</p>
- *          <ul>
- *             <li>
- *                <p>You cannot call any IAM API operations unless MFA authentication information is
- *                included in the request.</p>
- *             </li>
- *             <li>
- *                <p>You cannot call any STS API <i>except</i>
- *                   <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p>
- *             </li>
- *          </ul>
- *          <note>
- *             <p>We recommend that you do not call <code>GetSessionToken</code> with Amazon Web Services account
- *             root user credentials. Instead, follow our <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users">best practices</a> by
- *             creating one or more IAM users, giving them the necessary permissions, and using IAM
- *             users for everyday interaction with Amazon Web Services. </p>
- *          </note>
- *          <p>The credentials that are returned by <code>GetSessionToken</code> are based on
- *          permissions associated with the user whose credentials were used to call the operation. If
- *             <code>GetSessionToken</code> is called using Amazon Web Services account root user credentials, the
- *          temporary credentials have root user permissions. Similarly, if
- *             <code>GetSessionToken</code> is called using the credentials of an IAM user, the
- *          temporary credentials have the same permissions as the IAM user. </p>
- *          <p>For more information about using <code>GetSessionToken</code> to create temporary
- *          credentials, go to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken">Temporary
- *             Credentials for Users in Untrusted Environments</a> in the
- *             <i>IAM User Guide</i>. </p>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, GetSessionTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, GetSessionTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new GetSessionTokenCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GetSessionTokenCommandInput} for command's `input` shape.
- * @see {@link GetSessionTokenCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-export class GetSessionTokenCommand extends $Command<
-  GetSessionTokenCommandInput,
-  GetSessionTokenCommandOutput,
-  STSClientResolvedConfig
-> {
-  // Start section: command_properties
-  // End section: command_properties
-
-  constructor(readonly input: GetSessionTokenCommandInput) {
-    // Start section: command_constructor
-    super();
-    // End section: command_constructor
-  }
-
-  /**
-   * @internal
-   */
-  resolveMiddleware(
-    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
-    configuration: STSClientResolvedConfig,
-    options?: __HttpHandlerOptions
-  ): Handler<GetSessionTokenCommandInput, GetSessionTokenCommandOutput> {
-    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
-    this.middlewareStack.use(getAwsAuthPlugin(configuration));
-
-    const stack = clientStack.concat(this.middlewareStack);
-
-    const { logger } = configuration;
-    const clientName = "STSClient";
-    const commandName = "GetSessionTokenCommand";
-    const handlerExecutionContext: HandlerExecutionContext = {
-      logger,
-      clientName,
-      commandName,
-      inputFilterSensitiveLog: GetSessionTokenRequest.filterSensitiveLog,
-      outputFilterSensitiveLog: GetSessionTokenResponse.filterSensitiveLog,
-    };
-    const { requestHandler } = configuration;
-    return stack.resolve(
-      (request: FinalizeHandlerArguments<any>) =>
-        requestHandler.handle(request.request as __HttpRequest, options || {}),
-      handlerExecutionContext
-    );
-  }
-
-  private serialize(input: GetSessionTokenCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
-    return serializeAws_queryGetSessionTokenCommand(input, context);
-  }
-
-  private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<GetSessionTokenCommandOutput> {
-    return deserializeAws_queryGetSessionTokenCommand(output, context);
-  }
-
-  // Start section: command_body_extra
-  // End section: command_body_extra
-}

package/src/defaultRoleAssumers.ts

@@ -1,41 +0,0 @@
-// Please do not touch this file. It's generated from template in:
-// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultRoleAssumers.ts
-import {
-  DefaultCredentialProvider,
-  getDefaultRoleAssumer as StsGetDefaultRoleAssumer,
-  getDefaultRoleAssumerWithWebIdentity as StsGetDefaultRoleAssumerWithWebIdentity,
-  RoleAssumer,
-  RoleAssumerWithWebIdentity,
-} from "./defaultStsRoleAssumers";
-import { STSClient, STSClientConfig } from "./STSClient";
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
- */
-export const getDefaultRoleAssumer = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler"> = {}
-): RoleAssumer => StsGetDefaultRoleAssumer(stsOptions, STSClient);
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
- */
-export const getDefaultRoleAssumerWithWebIdentity = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler"> = {}
-): RoleAssumerWithWebIdentity => StsGetDefaultRoleAssumerWithWebIdentity(stsOptions, STSClient);
-
-/**
- * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
- * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
- * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
- * dependencies.
- *
- * @internal
- */
-export const decorateDefaultCredentialProvider =
-  (provider: DefaultCredentialProvider): DefaultCredentialProvider =>
-  (input: any) =>
-    provider({
-      roleAssumer: getDefaultRoleAssumer(input),
-      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input),
-      ...input,
-    });

package/src/defaultStsRoleAssumers.ts

@@ -1,126 +0,0 @@
-// Please do not touch this file. It's generated from template in:
-// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
-import { Credentials, Provider } from "@aws-sdk/types";
-
-import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
-import {
-  AssumeRoleWithWebIdentityCommand,
-  AssumeRoleWithWebIdentityCommandInput,
-} from "./commands/AssumeRoleWithWebIdentityCommand";
-import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSClient";
-
-/**
- * @internal
- */
-export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
-
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
-/**
- * Inject the fallback STS region of us-east-1.
- */
-const decorateDefaultRegion = (region: string | Provider<string> | undefined): string | Provider<string> => {
-  if (typeof region !== "function") {
-    return region === undefined ? ASSUME_ROLE_DEFAULT_REGION : region;
-  }
-  return async () => {
-    try {
-      return await region();
-    } catch (e) {
-      return ASSUME_ROLE_DEFAULT_REGION;
-    }
-  };
-};
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
- * @internal
- */
-export const getDefaultRoleAssumer = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
-  stsClientCtor: new (options: STSClientConfig) => STSClient
-): RoleAssumer => {
-  let stsClient: STSClient;
-  let closureSourceCreds: Credentials;
-  return async (sourceCreds, params) => {
-    closureSourceCreds = sourceCreds;
-    if (!stsClient) {
-      const { logger, region, requestHandler } = stsOptions;
-      stsClient = new stsClientCtor({
-        logger,
-        // A hack to make sts client uses the credential in current closure.
-        credentialDefaultProvider: () => async () => closureSourceCreds,
-        region: decorateDefaultRegion(region || stsOptions.region),
-        ...(requestHandler ? { requestHandler } : {}),
-      });
-    }
-    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
-    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
-      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
-    }
-    return {
-      accessKeyId: Credentials.AccessKeyId,
-      secretAccessKey: Credentials.SecretAccessKey,
-      sessionToken: Credentials.SessionToken,
-      expiration: Credentials.Expiration,
-    };
-  };
-};
-
-/**
- * @internal
- */
-export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
- * @internal
- */
-export const getDefaultRoleAssumerWithWebIdentity = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
-  stsClientCtor: new (options: STSClientConfig) => STSClient
-): RoleAssumerWithWebIdentity => {
-  let stsClient: STSClient;
-  return async (params) => {
-    if (!stsClient) {
-      const { logger, region, requestHandler } = stsOptions;
-      stsClient = new stsClientCtor({
-        logger,
-        region: decorateDefaultRegion(region || stsOptions.region),
-        ...(requestHandler ? { requestHandler } : {}),
-      });
-    }
-    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
-    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
-      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
-    }
-    return {
-      accessKeyId: Credentials.AccessKeyId,
-      secretAccessKey: Credentials.SecretAccessKey,
-      sessionToken: Credentials.SessionToken,
-      expiration: Credentials.Expiration,
-    };
-  };
-};
-
-/**
- * @internal
- */
-export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
-
-/**
- * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
- * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
- * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
- * dependencies.
- *
- * @internal
- */
-export const decorateDefaultCredentialProvider =
-  (provider: DefaultCredentialProvider): DefaultCredentialProvider =>
-  (input: STSClientResolvedConfig) =>
-    provider({
-      roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor),
-      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor),
-      ...input,
-    });

package/src/endpoints.ts

@@ -1,91 +0,0 @@
-import { getRegionInfo, PartitionHash, RegionHash } from "@aws-sdk/config-resolver";
-import { RegionInfoProvider } from "@aws-sdk/types";
-
-const regionHash: RegionHash = {
-  "aws-global": {
-    hostname: "sts.amazonaws.com",
-    signingRegion: "us-east-1",
-  },
-  "us-east-1-fips": {
-    hostname: "sts-fips.us-east-1.amazonaws.com",
-    signingRegion: "us-east-1",
-  },
-  "us-east-2-fips": {
-    hostname: "sts-fips.us-east-2.amazonaws.com",
-    signingRegion: "us-east-2",
-  },
-  "us-gov-east-1-fips": {
-    hostname: "sts.us-gov-east-1.amazonaws.com",
-    signingRegion: "us-gov-east-1",
-  },
-  "us-gov-west-1-fips": {
-    hostname: "sts.us-gov-west-1.amazonaws.com",
-    signingRegion: "us-gov-west-1",
-  },
-  "us-west-1-fips": {
-    hostname: "sts-fips.us-west-1.amazonaws.com",
-    signingRegion: "us-west-1",
-  },
-  "us-west-2-fips": {
-    hostname: "sts-fips.us-west-2.amazonaws.com",
-    signingRegion: "us-west-2",
-  },
-};
-
-const partitionHash: PartitionHash = {
-  aws: {
-    regions: [
-      "af-south-1",
-      "ap-east-1",
-      "ap-northeast-1",
-      "ap-northeast-2",
-      "ap-northeast-3",
-      "ap-south-1",
-      "ap-southeast-1",
-      "ap-southeast-2",
-      "aws-global",
-      "ca-central-1",
-      "eu-central-1",
-      "eu-north-1",
-      "eu-south-1",
-      "eu-west-1",
-      "eu-west-2",
-      "eu-west-3",
-      "me-south-1",
-      "sa-east-1",
-      "us-east-1",
-      "us-east-1-fips",
-      "us-east-2",
-      "us-east-2-fips",
-      "us-west-1",
-      "us-west-1-fips",
-      "us-west-2",
-      "us-west-2-fips",
-    ],
-    hostname: "sts.{region}.amazonaws.com",
-  },
-  "aws-cn": {
-    regions: ["cn-north-1", "cn-northwest-1"],
-    hostname: "sts.{region}.amazonaws.com.cn",
-  },
-  "aws-iso": {
-    regions: ["us-iso-east-1"],
-    hostname: "sts.{region}.c2s.ic.gov",
-  },
-  "aws-iso-b": {
-    regions: ["us-isob-east-1"],
-    hostname: "sts.{region}.sc2s.sgov.gov",
-  },
-  "aws-us-gov": {
-    regions: ["us-gov-east-1", "us-gov-east-1-fips", "us-gov-west-1", "us-gov-west-1-fips"],
-    hostname: "sts.{region}.amazonaws.com",
-  },
-};
-
-export const defaultRegionInfoProvider: RegionInfoProvider = async (region: string, options?: any) =>
-  getRegionInfo(region, {
-    ...options,
-    signingService: "sts",
-    regionHash,
-    partitionHash,
-  });

package/src/index.ts

@@ -1,12 +0,0 @@
-export * from "./STSClient";
-export * from "./STS";
-export * from "./commands/AssumeRoleCommand";
-export * from "./commands/AssumeRoleWithSAMLCommand";
-export * from "./commands/AssumeRoleWithWebIdentityCommand";
-export * from "./commands/DecodeAuthorizationMessageCommand";
-export * from "./commands/GetAccessKeyInfoCommand";
-export * from "./commands/GetCallerIdentityCommand";
-export * from "./commands/GetFederationTokenCommand";
-export * from "./commands/GetSessionTokenCommand";
-export * from "./defaultRoleAssumers";
-export * from "./models/index";

package/src/models/index.ts

@@ -1 +0,0 @@
-export * from "./models_0";