@aws-sdk/credential-providers 3.32.0 → 3.36.0

package/src/fromTemporaryCredentials.spec.ts

@@ -1,199 +0,0 @@
-const sendMock = jest.fn();
-jest.mock("@aws-sdk/client-sts", () => ({
-  STSClient: jest.fn().mockImplementation(function (config) {
-    this.config = config;
-    this.send = jest.fn().mockImplementation(async function (command) {
-      // Mock resolving client credentials provider at send()
-      if (typeof this.config.credentials === "function") this.config.credentials = await this.config.credentials();
-      return await sendMock(command);
-    });
-    return this;
-  }),
-  AssumeRoleCommand: jest.fn().mockImplementation(function (params) {
-    // Return the input so we can assert the input parameters in client's send()
-    return {
-      input: params,
-      command: "ASSUME_ROLE",
-    };
-  }),
-}));
-
-import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-
-import { fromTemporaryCredentials } from "./fromTemporaryCredentials";
-
-describe("fromTemporaryCredentials", () => {
-  const RoleArn = "ROLE_ARN";
-  const RoleSessionName = "ROLE_SESSION_NAME";
-  const masterCredentials = {
-    accessKeyId: "ACCESS_KEY_ID",
-    secretAccessKey: "SECRET_ACCESS_KEY",
-  };
-  const region = "US_BAR_1";
-
-  beforeEach(() => {
-    jest.clearAllMocks();
-    sendMock.mockResolvedValueOnce({
-      Credentials: {
-        AccessKeyId: "ACCESS_KEY_ID",
-        SecretAccessKey: "SECRET_ACCESS_KEY",
-        SessionToken: "SESSION_TOKEN",
-      },
-    });
-  });
-
-  it("should call STS::AssumeRole API with master credentials", async () => {
-    const options = {
-      params: {
-        RoleArn,
-        RoleSessionName,
-      },
-      masterCredentials,
-      clientConfig: { region },
-    };
-    const provider = fromTemporaryCredentials(options);
-    const credential = await provider();
-    expect(credential).toEqual({
-      accessKeyId: "ACCESS_KEY_ID",
-      secretAccessKey: "SECRET_ACCESS_KEY",
-      sessionToken: "SESSION_TOKEN",
-    });
-    expect(STSClient as jest.Mock).toBeCalledWith({
-      credentials: masterCredentials,
-      region,
-    });
-    expect(AssumeRoleCommand as jest.Mock).toBeCalledWith({
-      RoleArn,
-      RoleSessionName,
-    });
-    expect(sendMock as jest.Mock).toBeCalledWith({ command: "ASSUME_ROLE", input: options.params });
-  });
-
-  it("should create STS client if not supplied", async () => {
-    const provider = fromTemporaryCredentials({
-      params: {
-        RoleArn,
-        RoleSessionName,
-      },
-      masterCredentials,
-    });
-    await provider();
-    expect(STSClient as jest.Mock).toBeCalledWith({
-      credentials: masterCredentials,
-    });
-  });
-
-  it("should resolve default credentials if master credential is not supplied", async () => {
-    const provider = fromTemporaryCredentials({
-      params: {
-        RoleArn,
-        RoleSessionName,
-      },
-    });
-    await provider();
-    expect(STSClient as jest.Mock).toBeCalledWith({});
-  });
-
-  it("should create a role session name if none provided", async () => {
-    const provider = fromTemporaryCredentials({
-      params: { RoleArn },
-    });
-    await provider();
-    expect(AssumeRoleCommand as jest.Mock).toBeCalledWith({
-      RoleArn,
-      RoleSessionName: expect.stringMatching(/^aws-sdk-js-/),
-    });
-  });
-
-  it("should allow assume roles assuming roles assuming roles ad infinitum", async () => {
-    const roleArnOf = (id: string) => `arn:aws:iam::123456789:role/${id}`;
-    const idOf = (roleArn: string) => roleArn.split("/")?.[1] ?? "UNKNOWN";
-    const provider = fromTemporaryCredentials({
-      params: { RoleArn: roleArnOf("third") },
-      masterCredentials: fromTemporaryCredentials({
-        params: { RoleArn: roleArnOf("second") },
-        masterCredentials: fromTemporaryCredentials({
-          params: { RoleArn: roleArnOf("first") },
-        }),
-      }),
-    });
-    sendMock.mockReset().mockImplementation((mockCommand) => ({
-      Credentials: {
-        AccessKeyId: `access_id_from_${idOf(mockCommand.input.RoleArn)}`,
-        SecretAccessKey: "SECRET_ACCESS_KEY",
-        SessionToken: "SESSION_TOKEN",
-      },
-    }));
-    const credentials = await provider();
-    expect(sendMock.mock.calls.length).toBe(3);
-    expect((AssumeRoleCommand as jest.Mock).mock.calls.length).toBe(3);
-    expect(credentials.accessKeyId).toBe("access_id_from_third");
-    // Creates STS Client with right master credentials and assume role with
-    // expected role arn.
-    expect((STSClient as jest.Mock).mock.results.length).toBe(3);
-    const outmostClient = (STSClient as jest.Mock).mock.results[0].value;
-    expect(outmostClient.config.credentials).toEqual(expect.objectContaining({ accessKeyId: "access_id_from_second" }));
-    expect((outmostClient.send as jest.Mock).mock.calls.length).toBe(1);
-    expect((outmostClient.send as jest.Mock).mock.calls[0][0].input).toEqual(
-      expect.objectContaining({ RoleArn: roleArnOf("third") })
-    );
-
-    const middleClient = (STSClient as jest.Mock).mock.results[1].value;
-    expect(middleClient.config.credentials).toEqual(expect.objectContaining({ accessKeyId: "access_id_from_first" }));
-    expect((middleClient.send as jest.Mock).mock.calls.length).toBe(1);
-    expect((middleClient.send as jest.Mock).mock.calls[0][0].input).toEqual(
-      expect.objectContaining({ RoleArn: roleArnOf("second") })
-    );
-
-    const innermostClient = (STSClient as jest.Mock).mock.results[2].value;
-    expect(innermostClient.config.credentials).toEqual(undefined);
-    expect((innermostClient.send as jest.Mock).mock.calls.length).toBe(1);
-    expect((innermostClient.send as jest.Mock).mock.calls[0][0].input).toEqual(
-      expect.objectContaining({ RoleArn: roleArnOf("first") })
-    );
-
-    // Call assume role API with expected chronological order
-    expect(sendMock.mock.calls[0][0].input).toEqual(expect.objectContaining({ RoleArn: roleArnOf("first") }));
-    expect(sendMock.mock.calls[1][0].input).toEqual(expect.objectContaining({ RoleArn: roleArnOf("second") }));
-    expect(sendMock.mock.calls[2][0].input).toEqual(expect.objectContaining({ RoleArn: roleArnOf("third") }));
-
-    // Should not create extra clients if credentials is still valid
-    await provider();
-    expect((STSClient as jest.Mock).mock.results.length).toBe(3);
-  });
-
-  it("should support assuming a role with multi-factor authentication", async () => {
-    const SerialNumber = "SERIAL_NUMBER";
-    const mfaCode = "MFA_CODE";
-    const mfaCodeProvider = jest.fn().mockResolvedValue(mfaCode);
-    const provider = fromTemporaryCredentials({
-      params: { RoleArn, SerialNumber, RoleSessionName },
-      mfaCodeProvider,
-    });
-    await provider();
-    expect(mfaCodeProvider).toBeCalledWith(SerialNumber);
-    expect(sendMock).toBeCalledWith(
-      expect.objectContaining({
-        input: {
-          RoleArn,
-          RoleSessionName,
-          SerialNumber,
-          TokenCode: mfaCode,
-        },
-      })
-    );
-  });
-
-  it("should reject the promise with a terminal error if a MFA serial presents but mfaCodeProvider is missing", async () => {
-    const SerialNumber = "SERIAL_NUMBER";
-    try {
-      await fromTemporaryCredentials({
-        params: { RoleArn, SerialNumber, RoleSessionName },
-      })();
-      fail("this test must fail");
-    } catch (e) {
-      expect(e.message).toEqual(expect.stringContaining("Temporary credential requires multi-factor authentication"));
-      expect(e.tryNextLink).toBe(false);
-    }
-  });
-});

package/src/fromTemporaryCredentials.ts

@@ -1,74 +0,0 @@
-import { AssumeRoleCommand, AssumeRoleCommandInput, STSClient, STSClientConfig } from "@aws-sdk/client-sts";
-import { CredentialsProviderError } from "@aws-sdk/property-provider";
-import { CredentialProvider, Credentials } from "@aws-sdk/types";
-
-export interface FromTemporaryCredentialsOptions {
-  params: Omit<AssumeRoleCommandInput, "RoleSessionName"> & { RoleSessionName?: string };
-  masterCredentials?: Credentials | CredentialProvider;
-  clientConfig?: STSClientConfig;
-  mfaCodeProvider?: (mfaSerial: string) => Promise<string>;
-}
-
-/**
- * Creates a credential provider function that retrieves temporary credentials from STS AssumeRole API.
- *
- * ```javascript
- * import { fromTemporaryCredentials } from "@aws-sdk/credential-providers"; // ES6 import
- * // const { fromTemporaryCredentials } = require("@aws-sdk/credential-providers"); // CommonJS import
- *
- * const client = new FooClient({
- *   region,
- *   credentials: fromTemporaryCredentials(
- *     // Optional. The master credentials used to get and refresh temporary credentials from AWS STS. If skipped, it uses
- *     // the default credential resolved by internal STS client.
- *     masterCredentials: fromTemporaryCredentials({
- *       params: { RoleArn: "arn:aws:iam::1234567890:role/RoleA" }
- *     }),
- *     // Required. Options passed to STS AssumeRole operation.
- *     params: {
- *       // Required. ARN of role to assume.
- *       RoleArn: "arn:aws:iam::1234567890:role/RoleB",
- *       // Optional. An identifier for the assumed role session. If skipped, it generates a random session name with
- *       // prefix of 'aws-sdk-js-'.
- *       RoleSessionName: "aws-sdk-js-123",
- *       // Optional. The duration, in seconds, of the role session.
- *       DurationSeconds: 3600
- *       //... For more options see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- *     },
- *     // Optional. Custom STS client configurations overriding the default ones.
- *     clientConfig: { region },
- *     // Optional. A function that returns a promise fulfilled with an MFA token code for the provided MFA Serial code.
- *     // Required if `params` has `SerialNumber` config.
- *     mfaCodeProvider: async mfaSerial => {
- *       return "token"
- *     }
- *   ),
- * });
- * ```
- */
-export const fromTemporaryCredentials = (options: FromTemporaryCredentialsOptions): CredentialProvider => {
-  let stsClient: STSClient;
-  return async (): Promise<Credentials> => {
-    const params = { ...options.params, RoleSessionName: options.params.RoleSessionName ?? "aws-sdk-js-" + Date.now() };
-    if (params?.SerialNumber) {
-      if (!options.mfaCodeProvider) {
-        throw new CredentialsProviderError(
-          `Temporary credential requires multi-factor authentication,` + ` but no MFA code callback was provided.`,
-          false
-        );
-      }
-      params.TokenCode = await options.mfaCodeProvider(params?.SerialNumber);
-    }
-    if (!stsClient) stsClient = new STSClient({ ...options.clientConfig, credentials: options.masterCredentials });
-    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
-    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
-      throw new CredentialsProviderError(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
-    }
-    return {
-      accessKeyId: Credentials.AccessKeyId,
-      secretAccessKey: Credentials.SecretAccessKey,
-      sessionToken: Credentials.SessionToken,
-      expiration: Credentials.Expiration,
-    };
-  };
-};

package/src/fromTokenFile.spec.ts

@@ -1,41 +0,0 @@
-const ROLE_ASSUMER_WITH_WEB_IDENTITY = "ROLE_ASSUMER_WITH_WEB_IDENTITY";
-
-jest.mock("@aws-sdk/client-sts", () => ({
-  getDefaultRoleAssumerWithWebIdentity: jest.fn().mockReturnValue(ROLE_ASSUMER_WITH_WEB_IDENTITY),
-}));
-
-import { getDefaultRoleAssumerWithWebIdentity } from "@aws-sdk/client-sts";
-import { fromTokenFile as coreProvider } from "@aws-sdk/credential-provider-web-identity";
-
-import { fromTokenFile } from "./fromTokenFile";
-
-jest.mock("@aws-sdk/credential-provider-web-identity", () => ({
-  fromTokenFile: jest.fn(),
-}));
-
-describe("fromTokenFile", () => {
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
-  it("should inject default role assumer", () => {
-    fromTokenFile();
-    expect(coreProvider).toBeCalledWith({
-      roleAssumerWithWebIdentity: ROLE_ASSUMER_WITH_WEB_IDENTITY,
-    });
-    expect(getDefaultRoleAssumerWithWebIdentity).toBeCalled();
-  });
-
-  it("should supply sts config to role assumer", () => {
-    const clientConfig = {
-      region: "US_FOO_0",
-    };
-    fromTokenFile({
-      clientConfig,
-    });
-    expect((coreProvider as jest.Mock).mock.calls[0][0]).toMatchObject({
-      roleAssumerWithWebIdentity: ROLE_ASSUMER_WITH_WEB_IDENTITY,
-    });
-    expect(getDefaultRoleAssumerWithWebIdentity).toBeCalledWith(clientConfig);
-  });
-});

package/src/fromTokenFile.ts

@@ -1,42 +0,0 @@
-import { getDefaultRoleAssumerWithWebIdentity, STSClientConfig } from "@aws-sdk/client-sts";
-import {
-  fromTokenFile as _fromTokenFile,
-  FromTokenFileInit as _FromTokenFileInit,
-} from "@aws-sdk/credential-provider-web-identity";
-import { CredentialProvider } from "@aws-sdk/types";
-
-export interface FromTokenFileInit extends _FromTokenFileInit {
-  clientConfig?: STSClientConfig;
-}
-
-/**
- * Creates a credential provider function that reads OIDC token from given file, then call STS.AssumeRoleWithWebIdentity
- * API. The configurations must be specified in environmental variables:
- *
- * - Reads file location of where the OIDC token is stored from either provided option `webIdentityTokenFile` or
- *   environment variable `AWS_WEB_IDENTITY_TOKEN_FILE`.
- * - Reads IAM role wanting to be assumed from either provided option `roleArn` or environment variable `AWS_ROLE_ARN`.
- * - Reads optional role session name to be used to distinguish sessions from provided option `roleSessionName` or
- *   environment variable `AWS_ROLE_SESSION_NAME`.
- *   If session name is not defined, it comes up with a role session name.
- * - Reads OIDC token from file on disk.
- * - Calls sts:AssumeRoleWithWebIdentity via `roleAssumerWithWebIdentity` option to get credentials.
- *
- * ```javascript
- * import { fromTokenFile } from "@aws-sdk/credential-providers"; // ES6 import
- * // const { fromTokenFile } = require("@aws-sdk/credential-providers"); // CommonJS import
- *
- * const client = new FooClient({
- *   credentials: fromTokenFile({
- *     // Optional. STS client config to make the assume role request.
- *     clientConfig: { region }
- *   });
- * });
- * ```
- */
-export const fromTokenFile = (init: FromTokenFileInit = {}): CredentialProvider =>
-  _fromTokenFile({
-    ...init,
-    roleAssumerWithWebIdentity:
-      init.roleAssumerWithWebIdentity ?? getDefaultRoleAssumerWithWebIdentity(init.clientConfig),
-  });

package/src/fromWebToken.spec.ts

@@ -1,51 +0,0 @@
-const ROLE_ASSUMER_WITH_WEB_IDENTITY = "ROLE_ASSUMER_WITH_WEB_IDENTITY";
-
-jest.mock("@aws-sdk/client-sts", () => ({
-  getDefaultRoleAssumerWithWebIdentity: jest.fn().mockReturnValue(ROLE_ASSUMER_WITH_WEB_IDENTITY),
-}));
-
-import { getDefaultRoleAssumerWithWebIdentity } from "@aws-sdk/client-sts";
-import { fromWebToken as coreProvider } from "@aws-sdk/credential-provider-web-identity";
-
-import { fromWebToken } from "./fromWebToken";
-
-jest.mock("@aws-sdk/credential-provider-web-identity", () => ({
-  fromWebToken: jest.fn(),
-}));
-
-describe("fromWebToken", () => {
-  const roleArn = "ROLE_ARN";
-  const webIdentityToken = "WEB_IDENTITY_TOKEN";
-
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
-  it("should inject default role assumer", () => {
-    fromWebToken({
-      roleArn,
-      webIdentityToken,
-    });
-    expect(coreProvider).toBeCalledWith({
-      roleArn,
-      webIdentityToken,
-      roleAssumerWithWebIdentity: ROLE_ASSUMER_WITH_WEB_IDENTITY,
-    });
-    expect(getDefaultRoleAssumerWithWebIdentity).toBeCalled();
-  });
-
-  it("should supply sts config to role assumer", () => {
-    const clientConfig = {
-      region: "US_FOO_0",
-    };
-    fromWebToken({
-      roleArn,
-      webIdentityToken,
-      clientConfig,
-    });
-    expect((coreProvider as jest.Mock).mock.calls[0][0]).toMatchObject({
-      roleAssumerWithWebIdentity: ROLE_ASSUMER_WITH_WEB_IDENTITY,
-    });
-    expect(getDefaultRoleAssumerWithWebIdentity).toBeCalledWith(clientConfig);
-  });
-});

package/src/fromWebToken.ts

@@ -1,51 +0,0 @@
-import { getDefaultRoleAssumerWithWebIdentity, STSClientConfig } from "@aws-sdk/client-sts";
-import {
-  fromWebToken as _fromWebToken,
-  FromWebTokenInit as _FromWebTokenInit,
-} from "@aws-sdk/credential-provider-web-identity";
-import { CredentialProvider } from "@aws-sdk/types";
-
-export interface FromWebTokenInit extends _FromWebTokenInit {
-  clientConfig?: STSClientConfig;
-}
-
-/**
- * Creates a credential provider function that gets credentials calling STS
- * AssumeRoleWithWebIdentity API.
- *
- * ```javascript
- * import { fromWebToken } from "@aws-sdk/credential-providers"; // ES6 import
- * // const { fromWebToken } = require("@aws-sdk/credential-providers"); // CommonJS import
- *
- * const dynamodb = new DynamoDBClient({
- *   region,
- *   credentials: fromWebToken({
- *     // Required. ARN of the role that the caller is assuming.
- *     roleArn: "arn:aws:iam::1234567890:role/RoleA",
- *     // Required. The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider.
- *     webIdentityToken: await openIdProvider()
- *     // Optional. Custom STS client configurations overriding the default ones.
- *     clientConfig: { region }
- *     // Optional. A function that assumes a role with web identity and returns a promise fulfilled with credentials for
- *     // the assumed role.
- *     roleAssumerWithWebIdentity,
- *     // Optional. An identifier for the assumed role session.
- *     roleSessionName: "session_123",
- *     // Optional. The fully qualified host component of the domain name of the identity provider.
- *     providerId: "graph.facebook.com",
- *     // Optional. ARNs of the IAM managed policies that you want to use as managed session.
- *     policyArns: [{arn: "arn:aws:iam::1234567890:policy/SomePolicy"}],
- *     // Optional. An IAM policy in JSON format that you want to use as an inline session policy.
- *     policy: "JSON_STRING",
- *     // Optional. The duration, in seconds, of the role session. Default to 3600.
- *     durationSeconds: 7200
- *   }),
- * });
- * ```
- */
-export const fromWebToken = (init: FromWebTokenInit): CredentialProvider =>
-  _fromWebToken({
-    ...init,
-    roleAssumerWithWebIdentity:
-      init.roleAssumerWithWebIdentity ?? getDefaultRoleAssumerWithWebIdentity(init.clientConfig),
-  });

package/tsconfig.cjs.json

@@ -1,10 +0,0 @@
-{
-  "compilerOptions": {
-    "declarationDir": "./dist/types",
-    "rootDir": "./src",
-    "outDir": "./dist/cjs",
-    "baseUrl": "."
-  },
-  "extends": "../../tsconfig.cjs.json",
-  "include": ["src/"]
-}

package/tsconfig.es.json

@@ -1,11 +0,0 @@
-{
-  "compilerOptions": {
-    "lib": ["es5", "es2015.promise", "es2015.collection"],
-    "declarationDir": "./dist/types",
-    "rootDir": "./src",
-    "outDir": "./dist/es",
-    "baseUrl": "."
-  },
-  "extends": "../../tsconfig.es.json",
-  "include": ["src/"]
-}