@aws-sdk/credential-provider-sso 3.51.0 → 3.52.0

package/CHANGELOG.md

@@ -3,6 +3,17 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [3.52.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.51.0...v3.52.0) (2022-02-18)
+
+
+### Features
+
+* **credential-provider-sso:** refactor into modular components ([#3296](https://github.com/aws/aws-sdk-js-v3/issues/3296)) ([eece76f](https://github.com/aws/aws-sdk-js-v3/commit/eece76f7ba9b6d58ad87327cfc70cd793baee615))
+
+
+
+
+
 # [3.51.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.50.0...v3.51.0) (2022-02-12)
 
 **Note:** Version bump only for package @aws-sdk/credential-provider-sso

package/dist-cjs/fromSSO.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fromSSO = void 0;
+const property_provider_1 = require("@aws-sdk/property-provider");
+const util_credentials_1 = require("@aws-sdk/util-credentials");
+const isSsoProfile_1 = require("./isSsoProfile");
+const resolveSSOCredentials_1 = require("./resolveSSOCredentials");
+const validateSsoProfile_1 = require("./validateSsoProfile");
+const fromSSO = (init = {}) => async () => {
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
+    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
+        const profiles = await util_credentials_1.parseKnownFiles(init);
+        const profileName = util_credentials_1.getMasterProfileName(init);
+        const profile = profiles[profileName];
+        if (!isSsoProfile_1.isSsoProfile(profile)) {
+            throw new property_provider_1.CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
+        }
+        const { sso_start_url, sso_account_id, sso_region, sso_role_name } = validateSsoProfile_1.validateSsoProfile(profile);
+        return resolveSSOCredentials_1.resolveSSOCredentials({
+            ssoStartUrl: sso_start_url,
+            ssoAccountId: sso_account_id,
+            ssoRegion: sso_region,
+            ssoRoleName: sso_role_name,
+            ssoClient: ssoClient,
+        });
+    }
+    else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
+        throw new property_provider_1.CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
+            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
+    }
+    else {
+        return resolveSSOCredentials_1.resolveSSOCredentials({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
+    }
+};
+exports.fromSSO = fromSSO;

package/dist-cjs/index.js

@@ -1,88 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isSsoProfile = exports.validateSsoProfile = exports.fromSSO = exports.EXPIRE_WINDOW_MS = void 0;
-const client_sso_1 = require("@aws-sdk/client-sso");
-const property_provider_1 = require("@aws-sdk/property-provider");
-const shared_ini_file_loader_1 = require("@aws-sdk/shared-ini-file-loader");
-const util_credentials_1 = require("@aws-sdk/util-credentials");
-const crypto_1 = require("crypto");
-const fs_1 = require("fs");
-const path_1 = require("path");
-exports.EXPIRE_WINDOW_MS = 15 * 60 * 1000;
-const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
-const fromSSO = (init = {}) => async () => {
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient } = init;
-    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName) {
-        const profiles = await util_credentials_1.parseKnownFiles(init);
-        const profileName = util_credentials_1.getMasterProfileName(init);
-        const profile = profiles[profileName];
-        if (!exports.isSsoProfile(profile)) {
-            throw new property_provider_1.CredentialsProviderError(`Profile ${profileName} is not configured with SSO credentials.`);
-        }
-        const { sso_start_url, sso_account_id, sso_region, sso_role_name } = exports.validateSsoProfile(profile);
-        return resolveSSOCredentials({
-            ssoStartUrl: sso_start_url,
-            ssoAccountId: sso_account_id,
-            ssoRegion: sso_region,
-            ssoRoleName: sso_role_name,
-            ssoClient: ssoClient,
-        });
-    }
-    else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
-        throw new property_provider_1.CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
-            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
-    }
-    else {
-        return resolveSSOCredentials({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient });
-    }
-};
-exports.fromSSO = fromSSO;
-const resolveSSOCredentials = async ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }) => {
-    const hasher = crypto_1.createHash("sha1");
-    const cacheName = hasher.update(ssoStartUrl).digest("hex");
-    const tokenFile = path_1.join(shared_ini_file_loader_1.getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
-    let token;
-    try {
-        token = JSON.parse(fs_1.readFileSync(tokenFile, { encoding: "utf-8" }));
-        if (new Date(token.expiresAt).getTime() - Date.now() <= exports.EXPIRE_WINDOW_MS) {
-            throw new Error("SSO token is expired.");
-        }
-    }
-    catch (e) {
-        throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session ` +
-            `run aws sso login with the corresponding profile.`, SHOULD_FAIL_CREDENTIAL_CHAIN);
-    }
-    const { accessToken } = token;
-    const sso = ssoClient || new client_sso_1.SSOClient({ region: ssoRegion });
-    let ssoResp;
-    try {
-        ssoResp = await sso.send(new client_sso_1.GetRoleCredentialsCommand({
-            accountId: ssoAccountId,
-            roleName: ssoRoleName,
-            accessToken,
-        }));
-    }
-    catch (e) {
-        throw property_provider_1.CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN);
-    }
-    const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp;
-    if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
-        throw new property_provider_1.CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
-    }
-    return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) };
-};
-const validateSsoProfile = (profile) => {
-    const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
-    if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
-        throw new property_provider_1.CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
-            `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, SHOULD_FAIL_CREDENTIAL_CHAIN);
-    }
-    return profile;
-};
-exports.validateSsoProfile = validateSsoProfile;
-const isSsoProfile = (arg) => arg &&
-    (typeof arg.sso_start_url === "string" ||
-        typeof arg.sso_account_id === "string" ||
-        typeof arg.sso_region === "string" ||
-        typeof arg.sso_role_name === "string");
-exports.isSsoProfile = isSsoProfile;
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./fromSSO"), exports);
+tslib_1.__exportStar(require("./isSsoProfile"), exports);
+tslib_1.__exportStar(require("./types"), exports);
+tslib_1.__exportStar(require("./validateSsoProfile"), exports);

package/dist-cjs/isSsoProfile.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSsoProfile = void 0;
+const isSsoProfile = (arg) => arg &&
+    (typeof arg.sso_start_url === "string" ||
+        typeof arg.sso_account_id === "string" ||
+        typeof arg.sso_region === "string" ||
+        typeof arg.sso_role_name === "string");
+exports.isSsoProfile = isSsoProfile;

package/dist-cjs/resolveSSOCredentials.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveSSOCredentials = void 0;
+const client_sso_1 = require("@aws-sdk/client-sso");
+const property_provider_1 = require("@aws-sdk/property-provider");
+const shared_ini_file_loader_1 = require("@aws-sdk/shared-ini-file-loader");
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const EXPIRE_WINDOW_MS = 15 * 60 * 1000;
+const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
+const { readFile } = fs_1.promises;
+const resolveSSOCredentials = async ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }) => {
+    const hasher = crypto_1.createHash("sha1");
+    const cacheName = hasher.update(ssoStartUrl).digest("hex");
+    const tokenFile = path_1.join(shared_ini_file_loader_1.getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
+    let token;
+    const refreshMessage = `To refresh this SSO session run aws sso login with the corresponding profile.`;
+    try {
+        token = JSON.parse(await readFile(tokenFile, "utf8"));
+    }
+    catch (e) {
+        throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile is invalid. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
+        throw new property_provider_1.CredentialsProviderError(`The SSO session associated with this profile has expired. ${refreshMessage}`, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    const { accessToken } = token;
+    const sso = ssoClient || new client_sso_1.SSOClient({ region: ssoRegion });
+    let ssoResp;
+    try {
+        ssoResp = await sso.send(new client_sso_1.GetRoleCredentialsCommand({
+            accountId: ssoAccountId,
+            roleName: ssoRoleName,
+            accessToken,
+        }));
+    }
+    catch (e) {
+        throw property_provider_1.CredentialsProviderError.from(e, SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp;
+    if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
+        throw new property_provider_1.CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
+    }
+    return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) };
+};
+exports.resolveSSOCredentials = resolveSSOCredentials;

package/dist-cjs/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist-cjs/validateSsoProfile.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateSsoProfile = void 0;
+const property_provider_1 = require("@aws-sdk/property-provider");
+const validateSsoProfile = (profile) => {
+    const { sso_start_url, sso_account_id, sso_region, sso_role_name } = profile;
+    if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
+        throw new property_provider_1.CredentialsProviderError(`Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", "sso_region", ` +
+            `"sso_role_name", "sso_start_url". Got ${Object.keys(profile).join(", ")}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`, false);
+    }
+    return profile;
+};
+exports.validateSsoProfile = validateSsoProfile;

package/dist-es/fromSSO.js

@@ -0,0 +1,45 @@
+import { __awaiter, __generator } from "tslib";
+import { CredentialsProviderError } from "@aws-sdk/property-provider";
+import { getMasterProfileName, parseKnownFiles } from "@aws-sdk/util-credentials";
+import { isSsoProfile } from "./isSsoProfile";
+import { resolveSSOCredentials } from "./resolveSSOCredentials";
+import { validateSsoProfile } from "./validateSsoProfile";
+export var fromSSO = function (init) {
+    if (init === void 0) { init = {}; }
+    return function () { return __awaiter(void 0, void 0, void 0, function () {
+        var ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profiles, profileName, profile, _a, sso_start_url, sso_account_id, sso_region, sso_role_name;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0:
+                    ssoStartUrl = init.ssoStartUrl, ssoAccountId = init.ssoAccountId, ssoRegion = init.ssoRegion, ssoRoleName = init.ssoRoleName, ssoClient = init.ssoClient;
+                    if (!(!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName)) return [3, 2];
+                    return [4, parseKnownFiles(init)];
+                case 1:
+                    profiles = _b.sent();
+                    profileName = getMasterProfileName(init);
+                    profile = profiles[profileName];
+                    if (!isSsoProfile(profile)) {
+                        throw new CredentialsProviderError("Profile " + profileName + " is not configured with SSO credentials.");
+                    }
+                    _a = validateSsoProfile(profile), sso_start_url = _a.sso_start_url, sso_account_id = _a.sso_account_id, sso_region = _a.sso_region, sso_role_name = _a.sso_role_name;
+                    return [2, resolveSSOCredentials({
+                            ssoStartUrl: sso_start_url,
+                            ssoAccountId: sso_account_id,
+                            ssoRegion: sso_region,
+                            ssoRoleName: sso_role_name,
+                            ssoClient: ssoClient,
+                        })];
+                case 2:
+                    if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
+                        throw new CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
+                            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
+                    }
+                    else {
+                        return [2, resolveSSOCredentials({ ssoStartUrl: ssoStartUrl, ssoAccountId: ssoAccountId, ssoRegion: ssoRegion, ssoRoleName: ssoRoleName, ssoClient: ssoClient })];
+                    }
+                    _b.label = 3;
+                case 3: return [2];
+            }
+        });
+    }); };
+};

package/dist-es/index.js

@@ -1,110 +1,4 @@
-import { __awaiter, __generator } from "tslib";
-import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
-import { CredentialsProviderError } from "@aws-sdk/property-provider";
-import { getHomeDir } from "@aws-sdk/shared-ini-file-loader";
-import { getMasterProfileName, parseKnownFiles } from "@aws-sdk/util-credentials";
-import { createHash } from "crypto";
-import { readFileSync } from "fs";
-import { join } from "path";
-export var EXPIRE_WINDOW_MS = 15 * 60 * 1000;
-var SHOULD_FAIL_CREDENTIAL_CHAIN = false;
-export var fromSSO = function (init) {
-    if (init === void 0) { init = {}; }
-    return function () { return __awaiter(void 0, void 0, void 0, function () {
-        var ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, profiles, profileName, profile, _a, sso_start_url, sso_account_id, sso_region, sso_role_name;
-        return __generator(this, function (_b) {
-            switch (_b.label) {
-                case 0:
-                    ssoStartUrl = init.ssoStartUrl, ssoAccountId = init.ssoAccountId, ssoRegion = init.ssoRegion, ssoRoleName = init.ssoRoleName, ssoClient = init.ssoClient;
-                    if (!(!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName)) return [3, 2];
-                    return [4, parseKnownFiles(init)];
-                case 1:
-                    profiles = _b.sent();
-                    profileName = getMasterProfileName(init);
-                    profile = profiles[profileName];
-                    if (!isSsoProfile(profile)) {
-                        throw new CredentialsProviderError("Profile " + profileName + " is not configured with SSO credentials.");
-                    }
-                    _a = validateSsoProfile(profile), sso_start_url = _a.sso_start_url, sso_account_id = _a.sso_account_id, sso_region = _a.sso_region, sso_role_name = _a.sso_role_name;
-                    return [2, resolveSSOCredentials({
-                            ssoStartUrl: sso_start_url,
-                            ssoAccountId: sso_account_id,
-                            ssoRegion: sso_region,
-                            ssoRoleName: sso_role_name,
-                            ssoClient: ssoClient,
-                        })];
-                case 2:
-                    if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
-                        throw new CredentialsProviderError('Incomplete configuration. The fromSSO() argument hash must include "ssoStartUrl",' +
-                            ' "ssoAccountId", "ssoRegion", "ssoRoleName"');
-                    }
-                    else {
-                        return [2, resolveSSOCredentials({ ssoStartUrl: ssoStartUrl, ssoAccountId: ssoAccountId, ssoRegion: ssoRegion, ssoRoleName: ssoRoleName, ssoClient: ssoClient })];
-                    }
-                    _b.label = 3;
-                case 3: return [2];
-            }
-        });
-    }); };
-};
-var resolveSSOCredentials = function (_a) {
-    var ssoStartUrl = _a.ssoStartUrl, ssoAccountId = _a.ssoAccountId, ssoRegion = _a.ssoRegion, ssoRoleName = _a.ssoRoleName, ssoClient = _a.ssoClient;
-    return __awaiter(void 0, void 0, void 0, function () {
-        var hasher, cacheName, tokenFile, token, accessToken, sso, ssoResp, e_1, _b, _c, accessKeyId, secretAccessKey, sessionToken, expiration;
-        return __generator(this, function (_d) {
-            switch (_d.label) {
-                case 0:
-                    hasher = createHash("sha1");
-                    cacheName = hasher.update(ssoStartUrl).digest("hex");
-                    tokenFile = join(getHomeDir(), ".aws", "sso", "cache", cacheName + ".json");
-                    try {
-                        token = JSON.parse(readFileSync(tokenFile, { encoding: "utf-8" }));
-                        if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
-                            throw new Error("SSO token is expired.");
-                        }
-                    }
-                    catch (e) {
-                        throw new CredentialsProviderError("The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session " +
-                            "run aws sso login with the corresponding profile.", SHOULD_FAIL_CREDENTIAL_CHAIN);
-                    }
-                    accessToken = token.accessToken;
-                    sso = ssoClient || new SSOClient({ region: ssoRegion });
-                    _d.label = 1;
-                case 1:
-                    _d.trys.push([1, 3, , 4]);
-                    return [4, sso.send(new GetRoleCredentialsCommand({
-                            accountId: ssoAccountId,
-                            roleName: ssoRoleName,
-                            accessToken: accessToken,
-                        }))];
-                case 2:
-                    ssoResp = _d.sent();
-                    return [3, 4];
-                case 3:
-                    e_1 = _d.sent();
-                    throw CredentialsProviderError.from(e_1, SHOULD_FAIL_CREDENTIAL_CHAIN);
-                case 4:
-                    _b = ssoResp.roleCredentials, _c = _b === void 0 ? {} : _b, accessKeyId = _c.accessKeyId, secretAccessKey = _c.secretAccessKey, sessionToken = _c.sessionToken, expiration = _c.expiration;
-                    if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
-                        throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
-                    }
-                    return [2, { accessKeyId: accessKeyId, secretAccessKey: secretAccessKey, sessionToken: sessionToken, expiration: new Date(expiration) }];
-            }
-        });
-    });
-};
-export var validateSsoProfile = function (profile) {
-    var sso_start_url = profile.sso_start_url, sso_account_id = profile.sso_account_id, sso_region = profile.sso_region, sso_role_name = profile.sso_role_name;
-    if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
-        throw new CredentialsProviderError("Profile is configured with invalid SSO credentials. Required parameters \"sso_account_id\", \"sso_region\", " +
-            ("\"sso_role_name\", \"sso_start_url\". Got " + Object.keys(profile).join(", ") + "\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html"), SHOULD_FAIL_CREDENTIAL_CHAIN);
-    }
-    return profile;
-};
-export var isSsoProfile = function (arg) {
-    return arg &&
-        (typeof arg.sso_start_url === "string" ||
-            typeof arg.sso_account_id === "string" ||
-            typeof arg.sso_region === "string" ||
-            typeof arg.sso_role_name === "string");
-};
+export * from "./fromSSO";
+export * from "./isSsoProfile";
+export * from "./types";
+export * from "./validateSsoProfile";

package/dist-es/isSsoProfile.js

@@ -0,0 +1,7 @@
+export var isSsoProfile = function (arg) {
+    return arg &&
+        (typeof arg.sso_start_url === "string" ||
+            typeof arg.sso_account_id === "string" ||
+            typeof arg.sso_region === "string" ||
+            typeof arg.sso_role_name === "string");
+};

package/dist-es/resolveSSOCredentials.js

@@ -0,0 +1,62 @@
+import { __awaiter, __generator } from "tslib";
+import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
+import { CredentialsProviderError } from "@aws-sdk/property-provider";
+import { getHomeDir } from "@aws-sdk/shared-ini-file-loader";
+import { createHash } from "crypto";
+import { promises as fsPromises } from "fs";
+import { join } from "path";
+var EXPIRE_WINDOW_MS = 15 * 60 * 1000;
+var SHOULD_FAIL_CREDENTIAL_CHAIN = false;
+var readFile = fsPromises.readFile;
+export var resolveSSOCredentials = function (_a) {
+    var ssoStartUrl = _a.ssoStartUrl, ssoAccountId = _a.ssoAccountId, ssoRegion = _a.ssoRegion, ssoRoleName = _a.ssoRoleName, ssoClient = _a.ssoClient;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var hasher, cacheName, tokenFile, token, refreshMessage, _b, _c, e_1, accessToken, sso, ssoResp, e_2, _d, _e, accessKeyId, secretAccessKey, sessionToken, expiration;
+        return __generator(this, function (_f) {
+            switch (_f.label) {
+                case 0:
+                    hasher = createHash("sha1");
+                    cacheName = hasher.update(ssoStartUrl).digest("hex");
+                    tokenFile = join(getHomeDir(), ".aws", "sso", "cache", cacheName + ".json");
+                    refreshMessage = "To refresh this SSO session run aws sso login with the corresponding profile.";
+                    _f.label = 1;
+                case 1:
+                    _f.trys.push([1, 3, , 4]);
+                    _c = (_b = JSON).parse;
+                    return [4, readFile(tokenFile, "utf8")];
+                case 2:
+                    token = _c.apply(_b, [_f.sent()]);
+                    return [3, 4];
+                case 3:
+                    e_1 = _f.sent();
+                    throw new CredentialsProviderError("The SSO session associated with this profile is invalid. " + refreshMessage, SHOULD_FAIL_CREDENTIAL_CHAIN);
+                case 4:
+                    if (new Date(token.expiresAt).getTime() - Date.now() <= EXPIRE_WINDOW_MS) {
+                        throw new CredentialsProviderError("The SSO session associated with this profile has expired. " + refreshMessage, SHOULD_FAIL_CREDENTIAL_CHAIN);
+                    }
+                    accessToken = token.accessToken;
+                    sso = ssoClient || new SSOClient({ region: ssoRegion });
+                    _f.label = 5;
+                case 5:
+                    _f.trys.push([5, 7, , 8]);
+                    return [4, sso.send(new GetRoleCredentialsCommand({
+                            accountId: ssoAccountId,
+                            roleName: ssoRoleName,
+                            accessToken: accessToken,
+                        }))];
+                case 6:
+                    ssoResp = _f.sent();
+                    return [3, 8];
+                case 7:
+                    e_2 = _f.sent();
+                    throw CredentialsProviderError.from(e_2, SHOULD_FAIL_CREDENTIAL_CHAIN);
+                case 8:
+                    _d = ssoResp.roleCredentials, _e = _d === void 0 ? {} : _d, accessKeyId = _e.accessKeyId, secretAccessKey = _e.secretAccessKey, sessionToken = _e.sessionToken, expiration = _e.expiration;
+                    if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
+                        throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
+                    }
+                    return [2, { accessKeyId: accessKeyId, secretAccessKey: secretAccessKey, sessionToken: sessionToken, expiration: new Date(expiration) }];
+            }
+        });
+    });
+};

package/dist-es/types.js

@@ -0,0 +1 @@
+export {};

package/dist-es/validateSsoProfile.js

@@ -0,0 +1,9 @@
+import { CredentialsProviderError } from "@aws-sdk/property-provider";
+export var validateSsoProfile = function (profile) {
+    var sso_start_url = profile.sso_start_url, sso_account_id = profile.sso_account_id, sso_region = profile.sso_region, sso_role_name = profile.sso_role_name;
+    if (!sso_start_url || !sso_account_id || !sso_region || !sso_role_name) {
+        throw new CredentialsProviderError("Profile is configured with invalid SSO credentials. Required parameters \"sso_account_id\", \"sso_region\", " +
+            ("\"sso_role_name\", \"sso_start_url\". Got " + Object.keys(profile).join(", ") + "\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html"), false);
+    }
+    return profile;
+};

package/dist-types/fromSSO.d.ts

@@ -0,0 +1,29 @@
+import { SSOClient } from "@aws-sdk/client-sso";
+import { CredentialProvider } from "@aws-sdk/types";
+import { SourceProfileInit } from "@aws-sdk/util-credentials";
+export interface SsoCredentialsParameters {
+    /**
+     * The URL to the AWS SSO service.
+     */
+    ssoStartUrl: string;
+    /**
+     * The ID of the AWS account to use for temporary credentials.
+     */
+    ssoAccountId: string;
+    /**
+     * The AWS region to use for temporary credentials.
+     */
+    ssoRegion: string;
+    /**
+     * The name of the AWS role to assume.
+     */
+    ssoRoleName: string;
+}
+export interface FromSSOInit extends SourceProfileInit {
+    ssoClient?: SSOClient;
+}
+/**
+ * Creates a credential provider that will read from a credential_process specified
+ * in ini files.
+ */
+export declare const fromSSO: (init?: FromSSOInit & Partial<SsoCredentialsParameters>) => CredentialProvider;

package/dist-types/index.d.ts

@@ -1,54 +1,4 @@
-import { SSOClient } from "@aws-sdk/client-sso";
-import { Profile } from "@aws-sdk/shared-ini-file-loader";
-import { CredentialProvider } from "@aws-sdk/types";
-import { SourceProfileInit } from "@aws-sdk/util-credentials";
-/**
- * The time window (15 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
- * This is needed because server side may have invalidated the token before the defined expiration date.
- *
- * @internal
- */
-export declare const EXPIRE_WINDOW_MS: number;
-export interface SsoCredentialsParameters {
-    /**
-     * The URL to the AWS SSO service.
-     */
-    ssoStartUrl: string;
-    /**
-     * The ID of the AWS account to use for temporary credentials.
-     */
-    ssoAccountId: string;
-    /**
-     * The AWS region to use for temporary credentials.
-     */
-    ssoRegion: string;
-    /**
-     * The name of the AWS role to assume.
-     */
-    ssoRoleName: string;
-}
-export interface FromSSOInit extends SourceProfileInit {
-    ssoClient?: SSOClient;
-}
-/**
- * Creates a credential provider that will read from a credential_process specified
- * in ini files.
- */
-export declare const fromSSO: (init?: FromSSOInit & Partial<SsoCredentialsParameters>) => CredentialProvider;
-/**
- * @internal
- */
-export interface SsoProfile extends Profile {
-    sso_start_url: string;
-    sso_account_id: string;
-    sso_region: string;
-    sso_role_name: string;
-}
-/**
- * @internal
- */
-export declare const validateSsoProfile: (profile: Partial<SsoProfile>) => SsoProfile;
-/**
- * @internal
- */
-export declare const isSsoProfile: (arg: Profile) => arg is Partial<SsoProfile>;
+export * from "./fromSSO";
+export * from "./isSsoProfile";
+export * from "./types";
+export * from "./validateSsoProfile";

package/dist-types/isSsoProfile.d.ts

@@ -0,0 +1,6 @@
+import { Profile } from "@aws-sdk/shared-ini-file-loader";
+import { SsoProfile } from "./types";
+/**
+ * @internal
+ */
+export declare const isSsoProfile: (arg: Profile) => arg is Partial<SsoProfile>;

package/dist-types/resolveSSOCredentials.d.ts

@@ -0,0 +1,3 @@
+import { Credentials } from "@aws-sdk/types";
+import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
+export declare const resolveSSOCredentials: ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }: FromSSOInit & SsoCredentialsParameters) => Promise<Credentials>;

package/dist-types/ts3.4/fromSSO.d.ts

@@ -0,0 +1,18 @@
+import { SSOClient } from "@aws-sdk/client-sso";
+import { CredentialProvider } from "@aws-sdk/types";
+import { SourceProfileInit } from "@aws-sdk/util-credentials";
+export interface SsoCredentialsParameters {
+    
+    ssoStartUrl: string;
+    
+    ssoAccountId: string;
+    
+    ssoRegion: string;
+    
+    ssoRoleName: string;
+}
+export interface FromSSOInit extends SourceProfileInit {
+    ssoClient?: SSOClient;
+}
+
+export declare const fromSSO: (init?: FromSSOInit & Partial<SsoCredentialsParameters>) => CredentialProvider;

package/dist-types/ts3.4/index.d.ts

@@ -1,32 +1,4 @@
-import { SSOClient } from "@aws-sdk/client-sso";
-import { Profile } from "@aws-sdk/shared-ini-file-loader";
-import { CredentialProvider } from "@aws-sdk/types";
-import { SourceProfileInit } from "@aws-sdk/util-credentials";
-
-export declare const EXPIRE_WINDOW_MS: number;
-export interface SsoCredentialsParameters {
-    
-    ssoStartUrl: string;
-    
-    ssoAccountId: string;
-    
-    ssoRegion: string;
-    
-    ssoRoleName: string;
-}
-export interface FromSSOInit extends SourceProfileInit {
-    ssoClient?: SSOClient;
-}
-
-export declare const fromSSO: (init?: FromSSOInit & Partial<SsoCredentialsParameters>) => CredentialProvider;
-
-export interface SsoProfile extends Profile {
-    sso_start_url: string;
-    sso_account_id: string;
-    sso_region: string;
-    sso_role_name: string;
-}
-
-export declare const validateSsoProfile: (profile: Partial<SsoProfile>) => SsoProfile;
-
-export declare const isSsoProfile: (arg: Profile) => arg is Partial<SsoProfile>;
+export * from "./fromSSO";
+export * from "./isSsoProfile";
+export * from "./types";
+export * from "./validateSsoProfile";

package/dist-types/ts3.4/isSsoProfile.d.ts

@@ -0,0 +1,4 @@
+import { Profile } from "@aws-sdk/shared-ini-file-loader";
+import { SsoProfile } from "./types";
+
+export declare const isSsoProfile: (arg: Profile) => arg is Partial<SsoProfile>;

package/dist-types/ts3.4/resolveSSOCredentials.d.ts

@@ -0,0 +1,3 @@
+import { Credentials } from "@aws-sdk/types";
+import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
+export declare const resolveSSOCredentials: ({ ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, }: FromSSOInit & SsoCredentialsParameters) => Promise<Credentials>;

package/dist-types/ts3.4/types.d.ts

@@ -0,0 +1,15 @@
+import { Profile } from "@aws-sdk/shared-ini-file-loader";
+
+export interface SSOToken {
+    accessToken: string;
+    expiresAt: string;
+    region?: string;
+    startUrl?: string;
+}
+
+export interface SsoProfile extends Profile {
+    sso_start_url: string;
+    sso_account_id: string;
+    sso_region: string;
+    sso_role_name: string;
+}

package/dist-types/ts3.4/validateSsoProfile.d.ts

@@ -0,0 +1,3 @@
+import { SsoProfile } from "./types";
+
+export declare const validateSsoProfile: (profile: Partial<SsoProfile>) => SsoProfile;

package/dist-types/types.d.ts

@@ -0,0 +1,19 @@
+import { Profile } from "@aws-sdk/shared-ini-file-loader";
+/**
+ * Cached SSO token retrieved from SSO login flow.
+ */
+export interface SSOToken {
+    accessToken: string;
+    expiresAt: string;
+    region?: string;
+    startUrl?: string;
+}
+/**
+ * @internal
+ */
+export interface SsoProfile extends Profile {
+    sso_start_url: string;
+    sso_account_id: string;
+    sso_region: string;
+    sso_role_name: string;
+}

package/dist-types/validateSsoProfile.d.ts

@@ -0,0 +1,5 @@
+import { SsoProfile } from "./types";
+/**
+ * @internal
+ */
+export declare const validateSsoProfile: (profile: Partial<SsoProfile>) => SsoProfile;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-sso",
-  "version": "3.51.0",
+  "version": "3.52.0",
   "description": "AWS credential provider that exchanges a resolved SSO login token file for temporary AWS credentials",
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -10,7 +10,7 @@
     "build:es": "tsc -p tsconfig.es.json",
     "build:types": "tsc -p tsconfig.types.json",
     "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
-    "clean": "rimraf ./dist-*",
+    "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
     "test": "jest"
   },
   "keywords": [
@@ -23,11 +23,11 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/client-sso": "3.51.0",
-    "@aws-sdk/property-provider": "3.50.0",
-    "@aws-sdk/shared-ini-file-loader": "3.51.0",
-    "@aws-sdk/types": "3.50.0",
-    "@aws-sdk/util-credentials": "3.51.0",
+    "@aws-sdk/client-sso": "3.52.0",
+    "@aws-sdk/property-provider": "3.52.0",
+    "@aws-sdk/shared-ini-file-loader": "3.52.0",
+    "@aws-sdk/types": "3.52.0",
+    "@aws-sdk/util-credentials": "3.52.0",
     "tslib": "^2.3.0"
   },
   "devDependencies": {