@aws-sdk/credential-provider-sso 3.208.0 → 3.210.0

package/dist-cjs/fromSSO.js

@@ -7,29 +7,55 @@ const isSsoProfile_1 = require("./isSsoProfile");
 const resolveSSOCredentials_1 = require("./resolveSSOCredentials");
 const validateSsoProfile_1 = require("./validateSsoProfile");
 const fromSSO = (init = {}) => async () => {
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
-    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, ssoSession } = init;
+    const profileName = (0, shared_ini_file_loader_1.getProfileName)(init);
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
         const profiles = await (0, shared_ini_file_loader_1.parseKnownFiles)(init);
-        const profileName = (0, shared_ini_file_loader_1.getProfileName)(init);
         const profile = profiles[profileName];
+        if (!profile) {
+            throw new property_provider_1.CredentialsProviderError(`Profile ${profileName} was not found.`);
+        }
         if (!(0, isSsoProfile_1.isSsoProfile)(profile)) {
             throw new property_provider_1.CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
         }
-        const { sso_start_url, sso_account_id, sso_region, sso_role_name } = (0, validateSsoProfile_1.validateSsoProfile)(profile);
+        if (profile === null || profile === void 0 ? void 0 : profile.sso_session) {
+            const ssoSessions = await (0, shared_ini_file_loader_1.loadSsoSessionData)(init);
+            const session = ssoSessions[profile.sso_session];
+            const conflictMsg = ` configurations in profile ${profileName} and sso-session ${profile.sso_session}`;
+            if (ssoRegion && ssoRegion !== session.sso_region) {
+                throw new property_provider_1.CredentialsProviderError(`Conflicting SSO region` + conflictMsg, false);
+            }
+            if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+                throw new property_provider_1.CredentialsProviderError(`Conflicting SSO start_url` + conflictMsg, false);
+            }
+            profile.sso_region = session.sso_region;
+            profile.sso_start_url = session.sso_start_url;
+        }
+        const { sso_start_url, sso_account_id, sso_region, sso_role_name, sso_session } = (0, validateSsoProfile_1.validateSsoProfile)(profile);
         return (0, resolveSSOCredentials_1.resolveSSOCredentials)({
             ssoStartUrl: sso_start_url,
+            ssoSession: sso_session,
             ssoAccountId: sso_account_id,
             ssoRegion: sso_region,
             ssoRoleName: sso_role_name,
             ssoClient: ssoClient,
+            profile: profileName,
         });
     }
     else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
-        throw new property_provider_1.CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
-            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
+        throw new property_provider_1.CredentialsProviderError("Incomplete configuration. The fromSSO() argument hash must include " +
+            '"ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"');
     }
     else {
-        return (0, resolveSSOCredentials_1.resolveSSOCredentials)({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+        return (0, resolveSSOCredentials_1.resolveSSOCredentials)({
+            ssoStartUrl,
+            ssoSession,
+            ssoAccountId,
+            ssoRegion,
+            ssoRoleName,
+            ssoClient,
+            profile: profileName,
+        });
     }
 };
 exports.fromSSO = fromSSO;

package/dist-cjs/isSsoProfile.js

@@ -4,6 +4,7 @@ exports.isSsoProfile = void 0;
 const isSsoProfile = (arg) => arg &&
     (typeof arg.sso_start_url === "string" ||
         typeof arg.sso_account_id === "string" ||
+        typeof arg.sso_session === "string" ||
         typeof arg.sso_region === "string" ||
         typeof arg.sso_role_name === "string");
 exports.isSsoProfile = isSsoProfile;

package/dist-cjs/resolveSSOCredentials.js

@@ -4,16 +4,31 @@ exports.resolveSSOCredentials = void 0;
 const client_sso_1 = require("@aws-sdk/client-sso");
 const property_provider_1 = require("@aws-sdk/property-provider");
 const shared_ini_file_loader_1 = require("@aws-sdk/shared-ini-file-loader");
+const token_providers_1 = require("@aws-sdk/token-providers");
 const EXPIRE_WINDOW_MS = 15 * 60 * 1000;
 const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
-const resolveSSOCredentials = async ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }) => {
+const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }) => {
     let token;
     const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
-    try {
-        token = await (0, shared_ini_file_loader_1.getSSOTokenFromFile)(ssoStartUrl);
+    if (ssoSession) {
+        try {
+            const _token = await (0, token_providers_1.fromSso)({ profile })();
+            token = {
+                accessToken: _token.token,
+                expiresAt: new Date(_token.expiration).toISOString(),
+            };
+        }
+        catch (e) {
+            throw new property_provider_1.CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
     }
-    catch (e) {
-        throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    else {
+        try {
+            token = await (0, shared_ini_file_loader_1.getSSOTokenFromFile)(ssoStartUrl);
+        }
+        catch (e) {
+            throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
     }
     if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
         throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);

package/dist-cjs/validateSsoProfile.js

@@ -5,8 +5,8 @@ const property_provider_1 = require("@aws-sdk/property-provider");
 const validateSsoProfile = (profile) => {
     const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
     if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
-        throw new property_provider_1.CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-            `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
+        throw new property_provider_1.CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+            `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
     }
     return profile;
 };

package/dist-es/fromSSO.js

@@ -1,31 +1,57 @@
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
-import { getProfileName, parseKnownFiles } from "@aws-sdk/shared-ini-file-loader";
+import { getProfileName, loadSsoSessionData, parseKnownFiles, } from "@aws-sdk/shared-ini-file-loader";
 import { isSsoProfile } from "./isSsoProfile";
 import { resolveSSOCredentials } from "./resolveSSOCredentials";
 import { validateSsoProfile } from "./validateSsoProfile";
 export const fromSSO = (init = {}) => async () => {
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
-    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, ssoSession } = init;
+    const profileName = getProfileName(init);
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
         const profiles = await parseKnownFiles(init);
-        const profileName = getProfileName(init);
         const profile = profiles[profileName];
+        if (!profile) {
+            throw new CredentialsProviderError(`Profile ${profileName} was not found.`);
+        }
         if (!isSsoProfile(profile)) {
             throw new CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
         }
-        const { sso_start_url, sso_account_id, sso_region, sso_role_name } = validateSsoProfile(profile);
+        if (profile?.sso_session) {
+            const ssoSessions = await loadSsoSessionData(init);
+            const session = ssoSessions[profile.sso_session];
+            const conflictMsg = ` configurations in profile ${profileName} and sso-session ${profile.sso_session}`;
+            if (ssoRegion && ssoRegion !== session.sso_region) {
+                throw new CredentialsProviderError(`Conflicting SSO region` + conflictMsg, false);
+            }
+            if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+                throw new CredentialsProviderError(`Conflicting SSO start_url` + conflictMsg, false);
+            }
+            profile.sso_region = session.sso_region;
+            profile.sso_start_url = session.sso_start_url;
+        }
+        const { sso_start_url, sso_account_id, sso_region, sso_role_name, sso_session } = validateSsoProfile(profile);
         return resolveSSOCredentials({
             ssoStartUrl: sso_start_url,
+            ssoSession: sso_session,
             ssoAccountId: sso_account_id,
             ssoRegion: sso_region,
             ssoRoleName: sso_role_name,
             ssoClient: ssoClient,
+            profile: profileName,
         });
     }
     else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
-        throw new CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
-            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
+        throw new CredentialsProviderError("Incomplete configuration. The fromSSO() argument hash must include " +
+            '"ssoStartUrl", "ssoAccountId", "ssoRegion", "ssoRoleName"');
     }
     else {
-        return resolveSSOCredentials({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+        return resolveSSOCredentials({
+            ssoStartUrl,
+            ssoSession,
+            ssoAccountId,
+            ssoRegion,
+            ssoRoleName,
+            ssoClient,
+            profile: profileName,
+        });
     }
 };

package/dist-es/isSsoProfile.js

@@ -1,5 +1,6 @@
 export const isSsoProfile = (arg) => arg &&
     (typeof arg.sso_start_url === "string" ||
         typeof arg.sso_account_id === "string" ||
+        typeof arg.sso_session === "string" ||
         typeof arg.sso_region === "string" ||
         typeof arg.sso_role_name === "string");

package/dist-es/resolveSSOCredentials.js

@@ -1,16 +1,31 @@
 import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
 import { CredentialsProviderError } from "@aws-sdk/property-provider";
 import { getSSOTokenFromFile } from "@aws-sdk/shared-ini-file-loader";
+import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers";
 const EXPIRE_WINDOW_MS = 15 * 60 * 1000;
 const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
-export const resolveSSOCredentials = async ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }) => {
+export const resolveSSOCredentials = async ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }) => {
     let token;
     const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
-    try {
-        token = await getSSOTokenFromFile(ssoStartUrl);
+    if (ssoSession) {
+        try {
+            const _token = await getSsoTokenProvider({ profile })();
+            token = {
+                accessToken: _token.token,
+                expiresAt: new Date(_token.expiration).toISOString(),
+            };
+        }
+        catch (e) {
+            throw new CredentialsProviderError(e.message, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
     }
-    catch (e) {
-        throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    else {
+        try {
+            token = await getSSOTokenFromFile(ssoStartUrl);
+        }
+        catch (e) {
+            throw new CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+        }
     }
     if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
         throw new CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);

package/dist-es/validateSsoProfile.js

@@ -2,8 +2,8 @@ import { CredentialsProviderError } from "@aws-sdk/property-provider";
 export const validateSsoProfile = (profile) => {
     const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
     if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
-        throw new CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-            `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
+        throw new CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+            `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
     }
     return profile;
 };

package/dist-types/fromSSO.d.ts

@@ -6,6 +6,11 @@ export interface SsoCredentialsParameters {
      * The URL to the AWS SSO service.
      */
     ssoStartUrl: string;
+    /**
+     * SSO session identifier.
+     * Presence implies usage of the SSOTokenProvider.
+     */
+    ssoSession?: string;
     /**
      * The ID of the AWS account to use for temporary credentials.
      */
@@ -25,5 +30,30 @@ export interface FromSSOInit extends SourceProfileInit {
 /**
  * Creates a credential provider that will read from a credential_process specified
  * in ini files.
+ *
+ * The SSO credential provider must support both
+ *
+ * 1. the legacy profile format,
+ * @example
+ * ```
+ * [profile sample-profile]
+ * sso_account_id = 012345678901
+ * sso_region = us-east-1
+ * sso_role_name = SampleRole
+ * sso_start_url = https://www.....com/start
+ * ```
+ *
+ * 2. and the profile format for SSO Token Providers.
+ * @example
+ * ```
+ * [profile sso-profile]
+ * sso_session = dev
+ * sso_account_id = 012345678901
+ * sso_role_name = SampleRole
+ *
+ * [sso-session dev]
+ * sso_region = us-east-1
+ * sso_start_url = https://www.....com/start
+ * ```
  */
 export declare const fromSSO: (init?: FromSSOInit & Partial<SsoCredentialsParameters>) => CredentialProvider;

package/dist-types/resolveSSOCredentials.d.ts

@@ -1,3 +1,6 @@
 import { Credentials } from "@aws-sdk/types";
 import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
-export declare const resolveSSOCredentials: ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }: FromSSOInit & SsoCredentialsParameters) => Promise<Credentials>;
+/**
+ * @private
+ */
+export declare const resolveSSOCredentials: ({ ssoStartUrl, ssoSession, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profile, }: FromSSOInit & SsoCredentialsParameters) => Promise<Credentials>;

package/dist-types/ts3.4/fromSSO.d.ts

@@ -3,6 +3,7 @@ import { SourceProfileInit } from "@aws-sdk/shared-ini-file-loader";
 import { CredentialProvider } from "@aws-sdk/types";
 export interface SsoCredentialsParameters {
   ssoStartUrl: string;
+  ssoSession?: string;
   ssoAccountId: string;
   ssoRegion: string;
   ssoRoleName: string;

package/dist-types/ts3.4/resolveSSOCredentials.d.ts

@@ -2,8 +2,10 @@ import { Credentials } from "@aws-sdk/types";
 import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
 export declare const resolveSSOCredentials: ({
   ssoStartUrl,
+  ssoSession,
   ssoAccountId,
   ssoRegion,
   ssoRoleName,
   ssoClient,
+  profile,
 }: FromSSOInit & SsoCredentialsParameters) => Promise<Credentials>;

package/dist-types/ts3.4/types.d.ts

@@ -7,6 +7,7 @@ export interface SSOToken {
 }
 export interface SsoProfile extends Profile {
   sso_start_url: string;
+  sso_session?: string;
   sso_account_id: string;
   sso_region: string;
   sso_role_name: string;

package/dist-types/types.d.ts

@@ -13,6 +13,7 @@ export interface SSOToken {
  */
 export interface SsoProfile extends Profile {
     sso_start_url: string;
+    sso_session?: string;
     sso_account_id: string;
     sso_region: string;
     sso_role_name: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-sso",
-  "version": "3.208.0",
+  "version": "3.210.0",
   "description": "AWS credential provider that exchanges a resolved SSO login token file for temporary AWS credentials",
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -24,9 +24,10 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/client-sso": "3.208.0",
+    "@aws-sdk/client-sso": "3.210.0",
     "@aws-sdk/property-provider": "3.208.0",
-    "@aws-sdk/shared-ini-file-loader": "3.208.0",
+    "@aws-sdk/shared-ini-file-loader": "3.209.0",
+    "@aws-sdk/token-providers": "3.210.0",
     "@aws-sdk/types": "3.208.0",
     "tslib": "^2.3.1"
   },