npm - @backstage/integration-aws-node - Versions diffs - 0.0.0-nightly-20221213023404 - Mend

@backstage/integration-aws-node 0.0.0-nightly-20221213023404

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,13 @@
+# @backstage/integration-aws-node
+## 0.0.0-nightly-20221213023404
+### Minor Changes
+- 13278732f6: New package for AWS integration node library
+### Patch Changes
+- Updated dependencies
+  - @backstage/config@0.0.0-nightly-20221213023404
+  - @backstage/errors@0.0.0-nightly-20221213023404

package/README.md ADDED Viewed

@@ -0,0 +1,162 @@
+# @backstage/integration-aws-node
+This package providers helpers for fetching AWS account credentials
+to be used by AWS SDK clients in backend packages and plugins.
+## Backstage app configuration
+Users of plugins and packages that use this library
+will configure their AWS account information and credentials in their
+Backstage app config.
+Users can configure IAM user credentials, IAM roles, and profile names
+for their AWS accounts in their Backstage config.
+If the AWS integration configuration is missing, the credentials manager
+from this package will fall back to the AWS SDK default credentials chain for
+resources in the main AWS account.
+The default credentials chain for Node resolves credentials in the
+following order of precedence:
+1. Environment variables
+2. SSO credentials from token cache
+3. Web identity token credentials
+4. Shared credentials files
+5. The EC2/ECS Instance Metadata Service
+See more about the AWS SDK default credentials chain in the
+[AWS SDK for Javascript Developer Guide](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html).
+Configuration examples:
+```yaml
+aws:
+  # The main account is used as the source of credentials for calling
+  # the STS AssumeRole API to assume IAM roles in other AWS accounts.
+  # This section can be omitted to fall back to the AWS SDK's default creds chain.
+  mainAccount:
+    accessKeyId: ${MY_ACCESS_KEY_ID}
+    secretAccessKey: ${MY_SECRET_ACCESS_KEY}
+  # Account credentials can be configured individually per account
+  accounts:
+    # Credentials can come from a role in the account
+    - accountId: '111111111111'
+      roleName: 'my-iam-role-name'
+      externalId: 'my-external-id'
+    # Credentials can come from other AWS partitions
+    - accountId: '222222222222'
+      partition: 'aws-other'
+      roleName: 'my-iam-role-name'
+      # The STS region to use for the AssumeRole call
+      region: 'not-us-east-1'
+      # The creds to use when calling AssumeRole
+      accessKeyId: ${MY_ACCESS_KEY_ID_FOR_ANOTHER_PARTITION}
+      secretAccessKey: ${MY_SECRET_ACCESS_KEY_FOR_ANOTHER_PARTITION}
+    # Credentials can come from static credentials
+    - accountId: '333333333333'
+      accessKeyId: ${MY_OTHER_ACCESS_KEY_ID}
+      secretAccessKey: ${MY_OTHER_SECRET_ACCESS_KEY}
+    # Credentials can come from a profile in a shared config file on disk
+    - accountId: '444444444444'
+      profile: my-profile-name
+    # Credentials can come from the AWS SDK's default creds chain
+    - accountId: '555555555555'
+  # Credentials for accounts can fall back to a common role name.
+  # This is useful for account discovery use cases where the account
+  # IDs may not be known when writing the static config.
+  # If all accounts have a role with the same name, then the "accounts"
+  # section can be omitted entirely.
+  accountDefaults:
+    roleName: 'my-backstage-role'
+    externalId: 'my-id'
+```
+## Integrate new plugins
+Backend plugins can provide an AWS ARN or account ID to this library in order to
+retrieve a credential provider for the relevant account that can be fed directly
+to an AWS SDK client.
+The AWS SDK for Javascript V3 must be used.
+```typescript
+const awsCredentialsManager = DefaultAwsCredentialsManager.fromConfig(config);
+// provide the account ID explicitly
+const credProvider = await awsCredentialsManager.getCredentialProvider({
+  accountId,
+});
+// OR extract the account ID from the ARN
+const credProvider = await awsCredentialsManager.getCredentialProvider({ arn });
+// OR provide neither to get main account's credentials
+const credProvider = await awsCredentialsManager.getCredentialProvider({});
+// Example constructing an AWS Proton client with the returned credential provider
+const client = new ProtonClient({
+  region,
+  credentialDefaultProvider: () => credProvider.sdkCredentialProvider,
+});
+```
+Depending on the nature of your plugin, you may either have the user specify the
+relevant ARN or account ID in a catalog entity annotation or in the static Backstage
+app configuration for your plugin.
+For example, you can create a new catalog entity annotation for your plugin containing
+either an AWS account ID or ARN:
+```yaml
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  annotations:
+    # Plugin annotation to specify an AWS account ID
+    my-plugin.io/aws-account-id: '123456789012'
+    # Plugin annotation to specify the AWS ARN of a specific resource
+    my-other-plugin.io/aws-dynamodb-table: 'arn:aws:dynamodb:us-east-2:123456789012:table/example-table'
+```
+In your plugin, read the annotation value so that you can retrieve the credential provider:
+```typescript
+const MY_AWS_ACCOUNT_ID_ANNOTATION = 'my-plugin.io/aws-account-id';
+const getAwsAccountId = (entity: Entity) =>
+  entity.metadata.annotations?.[MY_AWS_ACCOUNT_ID_ANNOTATION]);
+```
+Alternatively, you can create a new Backstage app configuration field for your plugin:
+```yaml
+# app-config.yaml
+my-plugin:
+  # Statically configure the AWS account ID to use
+  awsAccountId: '123456789012'
+my-other-plugin:
+  # Statically configure the AWS ARN of a specific resource
+  awsDynamoDbTable: 'arn:aws:dynamodb:us-east-2:123456789012:table/example-table'
+```
+In your plugin, read the configuration value so that you can retrieve the credential provider:
+```typescript
+// Read an account ID from your plugin's configuration
+const awsCredentialsManager = DefaultAwsCredentialsManager.fromConfig(config);
+const accountId = config.getOptionalString('my-plugin.awsAccountId');
+const credProvider = await awsCredentialsManager.getCredentialProvider({
+  accountId,
+});
+// Or, read an AWS ARN from your plugin's configuration
+const awsCredentialsManager = DefaultAwsCredentialsManager.fromConfig(config);
+const arn = config.getString('my-other-plugin.awsDynamoDbTable');
+const credProvider = await awsCredentialsManager.getCredentialProvider({ arn });
+```
+## Links
+- [The Backstage homepage](https://backstage.io)

package/config.d.ts ADDED Viewed

@@ -0,0 +1,123 @@
+/*
+ * Copyright 2022 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export interface Config {
+  /** Configuration for access to AWS accounts */
+  aws?: {
+    /**
+     * Defaults for retrieving AWS account credentials
+     */
+    accountDefaults?: {
+      /**
+       * The IAM role to assume to retrieve temporary AWS credentials
+       */
+      roleName?: string;
+      /**
+       * The AWS partition of the IAM role, e.g. "aws", "aws-cn"
+       */
+      partition?: string;
+      /**
+       * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. "ap-northeast-1"
+       */
+      region?: string;
+      /**
+       * The unique identifier needed to assume the role to retrieve temporary AWS credentials
+       * @visibility secret
+       */
+      externalId?: string;
+    };
+    /**
+     * Main account to use for retrieving AWS account credentials
+     */
+    mainAccount?: {
+      /**
+       * The access key ID for a set of static AWS credentials
+       * @visibility secret
+       */
+      accessKeyId?: string;
+      /**
+       * The secret access key for a set of static AWS credentials
+       * @visibility secret
+       */
+      secretAccessKey?: string;
+      /**
+       * The configuration profile from a credentials file at ~/.aws/credentials and
+       * a configuration file at ~/.aws/config.
+       */
+      profile?: string;
+      /**
+       * The STS regional endpoint to use for the main account, e.g. "ap-northeast-1"
+       */
+      region?: string;
+    };
+    /**
+     * Configuration for retrieving AWS accounts credentials
+     */
+    accounts?: Array<{
+      /**
+       * The account ID of the target account that this matches on, e.g. "123456789012"
+       */
+      accountId: string;
+      /**
+       * The access key ID for a set of static AWS credentials
+       * @visibility secret
+       */
+      accessKeyId?: string;
+      /**
+       * The secret access key for a set of static AWS credentials
+       * @visibility secret
+       */
+      secretAccessKey?: string;
+      /**
+       * The configuration profile from a credentials file at ~/.aws/credentials and
+       * a configuration file at ~/.aws/config.
+       */
+      profile?: string;
+      /**
+       * The IAM role to assume to retrieve temporary AWS credentials
+       */
+      roleName?: string;
+      /**
+       * The AWS partition of the IAM role, e.g. "aws", "aws-cn"
+       */
+      partition?: string;
+      /**
+       * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. "ap-northeast-1"
+       */
+      region?: string;
+      /**
+       * The unique identifier needed to assume the role to retrieve temporary AWS credentials
+       * @visibility secret
+       */
+      externalId?: string;
+    }>;
+  };
+}

package/dist/index.cjs.js ADDED Viewed

@@ -0,0 +1,269 @@
+'use strict';
+Object.defineProperty(exports, '__esModule', { value: true });
+var clientSts = require('@aws-sdk/client-sts');
+var credentialProviders = require('@aws-sdk/credential-providers');
+var utilArnParser = require('@aws-sdk/util-arn-parser');
+function readAwsIntegrationAccountConfig(config) {
+  const accountConfig = {
+    accountId: config.getString("accountId"),
+    accessKeyId: config.getOptionalString("accessKeyId"),
+    secretAccessKey: config.getOptionalString("secretAccessKey"),
+    profile: config.getOptionalString("profile"),
+    roleName: config.getOptionalString("roleName"),
+    region: config.getOptionalString("region"),
+    partition: config.getOptionalString("partition"),
+    externalId: config.getOptionalString("externalId")
+  };
+  if (accountConfig.accessKeyId && !accountConfig.secretAccessKey) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has an access key ID configured, but no secret access key.`
+    );
+  }
+  if (!accountConfig.accessKeyId && accountConfig.secretAccessKey) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has a secret access key configured, but no access key ID`
+    );
+  }
+  if (accountConfig.profile && accountConfig.accessKeyId) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has both an access key ID and a profile configured, but only one must be specified`
+    );
+  }
+  if (accountConfig.profile && accountConfig.roleName) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has both an access key ID and a role name configured, but only one must be specified`
+    );
+  }
+  if (!accountConfig.roleName && accountConfig.externalId) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has an external ID configured, but no role name.`
+    );
+  }
+  if (!accountConfig.roleName && accountConfig.region) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has an STS region configured, but no role name.`
+    );
+  }
+  if (!accountConfig.roleName && accountConfig.partition) {
+    throw new Error(
+      `AWS integration account ${accountConfig.accountId} has an IAM partition configured, but no role name.`
+    );
+  }
+  return accountConfig;
+}
+function readMainAwsIntegrationAccountConfig(config) {
+  const mainAccountConfig = {
+    accessKeyId: config.getOptionalString("accessKeyId"),
+    secretAccessKey: config.getOptionalString("secretAccessKey"),
+    profile: config.getOptionalString("profile"),
+    region: config.getOptionalString("region")
+  };
+  if (mainAccountConfig.accessKeyId && !mainAccountConfig.secretAccessKey) {
+    throw new Error(
+      `The main AWS integration account has an access key ID configured, but no secret access key.`
+    );
+  }
+  if (!mainAccountConfig.accessKeyId && mainAccountConfig.secretAccessKey) {
+    throw new Error(
+      `The main AWS integration account has a secret access key configured, but no access key ID`
+    );
+  }
+  if (mainAccountConfig.profile && mainAccountConfig.accessKeyId) {
+    throw new Error(
+      `The main AWS integration account has both an access key ID and a profile configured, but only one must be specified`
+    );
+  }
+  return mainAccountConfig;
+}
+function readAwsIntegrationAccountDefaultsConfig(config) {
+  const defaultAccountConfig = {
+    roleName: config.getOptionalString("roleName"),
+    partition: config.getOptionalString("partition"),
+    region: config.getOptionalString("region"),
+    externalId: config.getOptionalString("externalId")
+  };
+  if (!defaultAccountConfig.roleName && defaultAccountConfig.externalId) {
+    throw new Error(
+      `AWS integration account default configuration has an external ID configured, but no role name.`
+    );
+  }
+  if (!defaultAccountConfig.roleName && defaultAccountConfig.region) {
+    throw new Error(
+      `AWS integration account default configuration has an STS region configured, but no role name.`
+    );
+  }
+  if (!defaultAccountConfig.roleName && defaultAccountConfig.partition) {
+    throw new Error(
+      `AWS integration account default configuration has an IAM partition configured, but no role name.`
+    );
+  }
+  return defaultAccountConfig;
+}
+function readAwsIntegrationConfig(config) {
+  var _a;
+  const accounts = (_a = config.getOptionalConfigArray("accounts")) == null ? void 0 : _a.map(readAwsIntegrationAccountConfig);
+  const mainAccount = config.has("mainAccount") ? readMainAwsIntegrationAccountConfig(config.getConfig("mainAccount")) : {};
+  const accountDefaults = config.has("accountDefaults") ? readAwsIntegrationAccountDefaultsConfig(
+    config.getConfig("accountDefaults")
+  ) : {};
+  return {
+    accounts: accounts != null ? accounts : [],
+    mainAccount,
+    accountDefaults
+  };
+}
+async function fillInAccountId(credProvider) {
+  if (credProvider.accountId) {
+    return;
+  }
+  const client = new clientSts.STSClient({
+    region: credProvider.stsRegion,
+    customUserAgent: "backstage-aws-credentials-manager",
+    credentialDefaultProvider: () => credProvider.sdkCredentialProvider
+  });
+  const resp = await client.send(new clientSts.GetCallerIdentityCommand({}));
+  credProvider.accountId = resp.Account;
+}
+function getStaticCredentials(accessKeyId, secretAccessKey) {
+  return async () => {
+    return Promise.resolve({
+      accessKeyId,
+      secretAccessKey
+    });
+  };
+}
+function getProfileCredentials(profile, region) {
+  return credentialProviders.fromIni({
+    profile,
+    clientConfig: {
+      region,
+      customUserAgent: "backstage-aws-credentials-manager"
+    }
+  });
+}
+function getDefaultCredentialsChain() {
+  return credentialProviders.fromNodeProviderChain();
+}
+function getSdkCredentialProvider(config, mainAccountCredProvider) {
+  var _a, _b;
+  if (config.roleName) {
+    const region = (_a = config.region) != null ? _a : "us-east-1";
+    const partition = (_b = config.partition) != null ? _b : "aws";
+    return credentialProviders.fromTemporaryCredentials({
+      masterCredentials: config.accessKeyId ? getStaticCredentials(config.accessKeyId, config.secretAccessKey) : mainAccountCredProvider,
+      params: {
+        RoleArn: `arn:${partition}:iam::${config.accountId}:role/${config.roleName}`,
+        RoleSessionName: "backstage",
+        ExternalId: config.externalId
+      },
+      clientConfig: {
+        region,
+        customUserAgent: "backstage-aws-credentials-manager"
+      }
+    });
+  }
+  if (config.accessKeyId) {
+    return getStaticCredentials(config.accessKeyId, config.secretAccessKey);
+  }
+  if (config.profile) {
+    return getProfileCredentials(config.profile, config.region);
+  }
+  return getDefaultCredentialsChain();
+}
+function getMainAccountSdkCredentialProvider(config) {
+  if (config.accessKeyId) {
+    return getStaticCredentials(config.accessKeyId, config.secretAccessKey);
+  }
+  if (config.profile) {
+    return getProfileCredentials(config.profile, config.region);
+  }
+  return getDefaultCredentialsChain();
+}
+class DefaultAwsCredentialsManager {
+  constructor(accountCredentialProviders, accountDefaults, mainAccountCredentialProvider) {
+    this.accountCredentialProviders = accountCredentialProviders;
+    this.accountDefaults = accountDefaults;
+    this.mainAccountCredentialProvider = mainAccountCredentialProvider;
+  }
+  static fromConfig(config) {
+    const awsConfig = config.has("aws") ? readAwsIntegrationConfig(config.getConfig("aws")) : {
+      accounts: [],
+      mainAccount: {},
+      accountDefaults: {}
+    };
+    const mainAccountSdkCredProvider = getMainAccountSdkCredentialProvider(
+      awsConfig.mainAccount
+    );
+    const mainAccountCredProvider = {
+      sdkCredentialProvider: mainAccountSdkCredProvider
+    };
+    const accountCredProviders = /* @__PURE__ */ new Map();
+    for (const accountConfig of awsConfig.accounts) {
+      const sdkCredentialProvider = getSdkCredentialProvider(
+        accountConfig,
+        mainAccountSdkCredProvider
+      );
+      accountCredProviders.set(accountConfig.accountId, {
+        accountId: accountConfig.accountId,
+        stsRegion: accountConfig.region,
+        sdkCredentialProvider
+      });
+    }
+    return new DefaultAwsCredentialsManager(
+      accountCredProviders,
+      awsConfig.accountDefaults,
+      mainAccountCredProvider
+    );
+  }
+  async getCredentialProvider(opts) {
+    if (!opts) {
+      await fillInAccountId(this.mainAccountCredentialProvider);
+      return this.mainAccountCredentialProvider;
+    }
+    let accountId = opts.accountId;
+    if (opts.arn && !accountId) {
+      const arnComponents = utilArnParser.parse(opts.arn);
+      accountId = arnComponents.accountId;
+    }
+    if (!accountId) {
+      await fillInAccountId(this.mainAccountCredentialProvider);
+      return this.mainAccountCredentialProvider;
+    }
+    if (this.accountCredentialProviders.has(accountId)) {
+      return this.accountCredentialProviders.get(accountId);
+    }
+    if (this.accountDefaults.roleName) {
+      const config = {
+        accountId,
+        roleName: this.accountDefaults.roleName,
+        partition: this.accountDefaults.partition,
+        region: this.accountDefaults.region,
+        externalId: this.accountDefaults.externalId
+      };
+      const sdkCredentialProvider = getSdkCredentialProvider(
+        config,
+        this.mainAccountCredentialProvider.sdkCredentialProvider
+      );
+      const credProvider = {
+        accountId,
+        sdkCredentialProvider
+      };
+      this.accountCredentialProviders.set(accountId, credProvider);
+      return credProvider;
+    }
+    await fillInAccountId(this.mainAccountCredentialProvider);
+    if (accountId === this.mainAccountCredentialProvider.accountId) {
+      return this.mainAccountCredentialProvider;
+    }
+    throw new Error(
+      `There is no AWS integration that matches ${accountId}. Please add a configuration for this AWS account.`
+    );
+  }
+}
+exports.DefaultAwsCredentialsManager = DefaultAwsCredentialsManager;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.cjs.js","sources":["../src/config.ts","../src/DefaultAwsCredentialsManager.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\n\n/**\n * The configuration parameters for a single AWS account for the AWS integration.\n *\n * @public\n */\nexport type AwsIntegrationAccountConfig = {\n /**\n * The account ID of the target account that this matches on, e.g. \"123456789012\"\n */\n accountId: string;\n\n /**\n * The access key ID for a set of static AWS credentials\n */\n accessKeyId?: string;\n\n /**\n * The secret access key for a set of static AWS credentials\n */\n secretAccessKey?: string;\n\n /**\n * The configuration profile from a credentials file at ~/.aws/credentials and\n * a configuration file at ~/.aws/config.\n */\n profile?: string;\n\n /**\n * The IAM role to assume to retrieve temporary AWS credentials\n */\n roleName?: string;\n\n /**\n * The AWS partition of the IAM role, e.g. \"aws\", \"aws-cn\"\n */\n partition?: string;\n\n /**\n * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. \"ap-northeast-1\"\n */\n region?: string;\n\n /**\n * The unique identifier needed to assume the role to retrieve temporary AWS credentials\n */\n externalId?: string;\n};\n\n/**\n * The configuration parameters for the main AWS account for the AWS integration.\n *\n * @public\n */\nexport type AwsIntegrationMainAccountConfig = {\n /**\n * The access key ID for a set of static AWS credentials\n */\n accessKeyId?: string;\n\n /**\n * The secret access key for a set of static AWS credentials\n */\n secretAccessKey?: string;\n\n /**\n * The configuration profile from a credentials file at ~/.aws/credentials and\n * a configuration file at ~/.aws/config.\n */\n profile?: string;\n\n /**\n * The STS regional endpoint to use for the main account, e.g. \"ap-northeast-1\"\n */\n region?: string;\n};\n\n/**\n * The default configuration parameters to use for accounts for the AWS integration.\n *\n * @public\n */\nexport type AwsIntegrationDefaultAccountConfig = {\n /**\n * The IAM role to assume to retrieve temporary AWS credentials\n */\n roleName?: string;\n\n /**\n * The AWS partition of the IAM role, e.g. \"aws\", \"aws-cn\"\n */\n partition?: string;\n\n /**\n * The STS regional endpoint to use when retrieving temporary AWS credentials, e.g. \"ap-northeast-1\"\n */\n region?: string;\n\n /**\n * The unique identifier needed to assume the role to retrieve temporary AWS credentials\n */\n externalId?: string;\n};\n\n/**\n * The configuration parameters for AWS account integration.\n *\n * @public\n */\nexport type AwsIntegrationConfig = {\n /**\n * Configuration for retrieving AWS accounts credentials\n */\n accounts: AwsIntegrationAccountConfig[];\n\n /**\n * Defaults for retrieving AWS account credentials\n */\n accountDefaults: AwsIntegrationDefaultAccountConfig;\n\n /**\n * Main account to use for retrieving AWS account credentials\n */\n mainAccount: AwsIntegrationMainAccountConfig;\n};\n\n/**\n * Reads an AWS integration account config.\n *\n * @param config - The config object of a single account\n */\nfunction readAwsIntegrationAccountConfig(\n config: Config,\n): AwsIntegrationAccountConfig {\n const accountConfig = {\n accountId: config.getString('accountId'),\n accessKeyId: config.getOptionalString('accessKeyId'),\n secretAccessKey: config.getOptionalString('secretAccessKey'),\n profile: config.getOptionalString('profile'),\n roleName: config.getOptionalString('roleName'),\n region: config.getOptionalString('region'),\n partition: config.getOptionalString('partition'),\n externalId: config.getOptionalString('externalId'),\n };\n\n // Validate that the account config has the right combination of attributes\n if (accountConfig.accessKeyId && !accountConfig.secretAccessKey) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has an access key ID configured, but no secret access key.`,\n );\n }\n\n if (!accountConfig.accessKeyId && accountConfig.secretAccessKey) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has a secret access key configured, but no access key ID`,\n );\n }\n\n if (accountConfig.profile && accountConfig.accessKeyId) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has both an access key ID and a profile configured, but only one must be specified`,\n );\n }\n\n if (accountConfig.profile && accountConfig.roleName) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has both an access key ID and a role name configured, but only one must be specified`,\n );\n }\n\n if (!accountConfig.roleName && accountConfig.externalId) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has an external ID configured, but no role name.`,\n );\n }\n\n if (!accountConfig.roleName && accountConfig.region) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has an STS region configured, but no role name.`,\n );\n }\n\n if (!accountConfig.roleName && accountConfig.partition) {\n throw new Error(\n `AWS integration account ${accountConfig.accountId} has an IAM partition configured, but no role name.`,\n );\n }\n\n return accountConfig;\n}\n\n/**\n * Reads the main AWS integration account config.\n *\n * @param config - The config object of the main account\n */\nfunction readMainAwsIntegrationAccountConfig(\n config: Config,\n): AwsIntegrationMainAccountConfig {\n const mainAccountConfig = {\n accessKeyId: config.getOptionalString('accessKeyId'),\n secretAccessKey: config.getOptionalString('secretAccessKey'),\n profile: config.getOptionalString('profile'),\n region: config.getOptionalString('region'),\n };\n\n // Validate that the account config has the right combination of attributes\n if (mainAccountConfig.accessKeyId && !mainAccountConfig.secretAccessKey) {\n throw new Error(\n `The main AWS integration account has an access key ID configured, but no secret access key.`,\n );\n }\n\n if (!mainAccountConfig.accessKeyId && mainAccountConfig.secretAccessKey) {\n throw new Error(\n `The main AWS integration account has a secret access key configured, but no access key ID`,\n );\n }\n\n if (mainAccountConfig.profile && mainAccountConfig.accessKeyId) {\n throw new Error(\n `The main AWS integration account has both an access key ID and a profile configured, but only one must be specified`,\n );\n }\n\n return mainAccountConfig;\n}\n\n/**\n * Reads the default settings for retrieving credentials from AWS integration accounts.\n *\n * @param config - The config object of the default account settings\n */\nfunction readAwsIntegrationAccountDefaultsConfig(\n config: Config,\n): AwsIntegrationDefaultAccountConfig {\n const defaultAccountConfig = {\n roleName: config.getOptionalString('roleName'),\n partition: config.getOptionalString('partition'),\n region: config.getOptionalString('region'),\n externalId: config.getOptionalString('externalId'),\n };\n\n // Validate that the account config has the right combination of attributes\n if (!defaultAccountConfig.roleName && defaultAccountConfig.externalId) {\n throw new Error(\n `AWS integration account default configuration has an external ID configured, but no role name.`,\n );\n }\n\n if (!defaultAccountConfig.roleName && defaultAccountConfig.region) {\n throw new Error(\n `AWS integration account default configuration has an STS region configured, but no role name.`,\n );\n }\n\n if (!defaultAccountConfig.roleName && defaultAccountConfig.partition) {\n throw new Error(\n `AWS integration account default configuration has an IAM partition configured, but no role name.`,\n );\n }\n\n return defaultAccountConfig;\n}\n\n/**\n * Reads an AWS integration configuration\n *\n * @param config - the integration config object\n * @public\n */\nexport function readAwsIntegrationConfig(config: Config): AwsIntegrationConfig {\n const accounts = config\n .getOptionalConfigArray('accounts')\n ?.map(readAwsIntegrationAccountConfig);\n const mainAccount = config.has('mainAccount')\n ? readMainAwsIntegrationAccountConfig(config.getConfig('mainAccount'))\n : {};\n const accountDefaults = config.has('accountDefaults')\n ? readAwsIntegrationAccountDefaultsConfig(\n config.getConfig('accountDefaults'),\n )\n : {};\n\n return {\n accounts: accounts ?? [],\n mainAccount,\n accountDefaults,\n };\n}\n","/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n readAwsIntegrationConfig,\n AwsIntegrationAccountConfig,\n AwsIntegrationDefaultAccountConfig,\n AwsIntegrationMainAccountConfig,\n} from './config';\nimport {\n AwsCredentialsManager,\n AwsCredentialProvider,\n AwsCredentialProviderOptions,\n} from './types';\nimport { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';\nimport {\n fromIni,\n fromNodeProviderChain,\n fromTemporaryCredentials,\n} from '@aws-sdk/credential-providers';\nimport { AwsCredentialIdentityProvider } from '@aws-sdk/types';\nimport { parse } from '@aws-sdk/util-arn-parser';\nimport { Config } from '@backstage/config';\n\n/**\n * Retrieves the account ID for the given credential provider from STS.\n */\nasync function fillInAccountId(credProvider: AwsCredentialProvider) {\n if (credProvider.accountId) {\n return;\n }\n\n const client = new STSClient({\n region: credProvider.stsRegion,\n customUserAgent: 'backstage-aws-credentials-manager',\n credentialDefaultProvider: () => credProvider.sdkCredentialProvider,\n });\n const resp = await client.send(new GetCallerIdentityCommand({}));\n credProvider.accountId = resp.Account!;\n}\n\nfunction getStaticCredentials(\n accessKeyId: string,\n secretAccessKey: string,\n): AwsCredentialIdentityProvider {\n return async () => {\n return Promise.resolve({\n accessKeyId: accessKeyId,\n secretAccessKey: secretAccessKey,\n });\n };\n}\n\nfunction getProfileCredentials(\n profile: string,\n region?: string,\n): AwsCredentialIdentityProvider {\n return fromIni({\n profile,\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n}\n\nfunction getDefaultCredentialsChain(): AwsCredentialIdentityProvider {\n return fromNodeProviderChain();\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK from the given account config\n *\n * Order of precedence:\n * 1. Assume role with static creds\n * 2. Assume role with main account creds\n * 3. Static creds\n * 4. Profile creds\n * 5. Default AWS SDK creds chain\n */\nfunction getSdkCredentialProvider(\n config: AwsIntegrationAccountConfig,\n mainAccountCredProvider: AwsCredentialIdentityProvider,\n): AwsCredentialIdentityProvider {\n if (config.roleName) {\n const region = config.region ?? 'us-east-1';\n const partition = config.partition ?? 'aws';\n\n return fromTemporaryCredentials({\n masterCredentials: config.accessKeyId\n ? getStaticCredentials(config.accessKeyId!, config.secretAccessKey!)\n : mainAccountCredProvider,\n params: {\n RoleArn: `arn:${partition}:iam::${config.accountId}:role/${config.roleName}`,\n RoleSessionName: 'backstage',\n ExternalId: config.externalId,\n },\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n }\n\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain();\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK for the main account\n *\n * Order of precedence:\n * 1. Static creds\n * 2. Profile creds\n * 3. Default AWS SDK creds chain\n */\nfunction getMainAccountSdkCredentialProvider(\n config: AwsIntegrationMainAccountConfig,\n): AwsCredentialIdentityProvider {\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain();\n}\n\n/**\n * Handles the creation and caching of credential providers for AWS accounts.\n *\n * @public\n */\nexport class DefaultAwsCredentialsManager implements AwsCredentialsManager {\n static fromConfig(config: Config): DefaultAwsCredentialsManager {\n const awsConfig = config.has('aws')\n ? readAwsIntegrationConfig(config.getConfig('aws'))\n : {\n accounts: [],\n mainAccount: {},\n accountDefaults: {},\n };\n\n const mainAccountSdkCredProvider = getMainAccountSdkCredentialProvider(\n awsConfig.mainAccount,\n );\n const mainAccountCredProvider: AwsCredentialProvider = {\n sdkCredentialProvider: mainAccountSdkCredProvider,\n };\n\n const accountCredProviders = new Map<string, AwsCredentialProvider>();\n for (const accountConfig of awsConfig.accounts) {\n const sdkCredentialProvider = getSdkCredentialProvider(\n accountConfig,\n mainAccountSdkCredProvider,\n );\n accountCredProviders.set(accountConfig.accountId, {\n accountId: accountConfig.accountId,\n stsRegion: accountConfig.region,\n sdkCredentialProvider,\n });\n }\n\n return new DefaultAwsCredentialsManager(\n accountCredProviders,\n awsConfig.accountDefaults,\n mainAccountCredProvider,\n );\n }\n\n private constructor(\n private readonly accountCredentialProviders: Map<\n string,\n AwsCredentialProvider\n >,\n private readonly accountDefaults: AwsIntegrationDefaultAccountConfig,\n private readonly mainAccountCredentialProvider: AwsCredentialProvider,\n ) {}\n\n /**\n * Returns an {@link AwsCredentialProvider} for a given AWS account.\n *\n * @example\n * ```ts\n * const { provider } = await getCredentialProvider({\n * accountId: '0123456789012',\n * })\n *\n * const { provider } = await getCredentialProvider({\n * arn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service'\n * })\n * ```\n *\n * @param opts - the AWS account ID or AWS resource ARN\n * @returns A promise of {@link AwsCredentialProvider}.\n */\n async getCredentialProvider(\n opts?: AwsCredentialProviderOptions,\n ): Promise<AwsCredentialProvider> {\n // If no options provided, fall back to the main account\n if (!opts) {\n await fillInAccountId(this.mainAccountCredentialProvider);\n return this.mainAccountCredentialProvider;\n }\n\n // Determine the account ID: either explicitly provided or extracted from the provided ARN\n let accountId = opts.accountId;\n if (opts.arn && !accountId) {\n const arnComponents = parse(opts.arn);\n accountId = arnComponents.accountId;\n }\n\n // If the account ID was not provided (explicitly or in the ARN),\n // fall back to the main account\n if (!accountId) {\n await fillInAccountId(this.mainAccountCredentialProvider);\n return this.mainAccountCredentialProvider;\n }\n\n // Return a cached provider if available\n if (this.accountCredentialProviders.has(accountId)) {\n return this.accountCredentialProviders.get(accountId)!;\n }\n\n // First, fall back to using the account defaults\n if (this.accountDefaults.roleName) {\n const config: AwsIntegrationAccountConfig = {\n accountId,\n roleName: this.accountDefaults.roleName,\n partition: this.accountDefaults.partition,\n region: this.accountDefaults.region,\n externalId: this.accountDefaults.externalId,\n };\n const sdkCredentialProvider = getSdkCredentialProvider(\n config,\n this.mainAccountCredentialProvider.sdkCredentialProvider,\n );\n const credProvider: AwsCredentialProvider = {\n accountId,\n sdkCredentialProvider,\n };\n this.accountCredentialProviders.set(accountId, credProvider);\n return credProvider;\n }\n\n // Then, fall back to using the main account, but only\n // if the account requested matches the main account ID\n await fillInAccountId(this.mainAccountCredentialProvider);\n if (accountId === this.mainAccountCredentialProvider.accountId) {\n return this.mainAccountCredentialProvider;\n }\n\n // Otherwise, the account needs to be explicitly configured in Backstage\n throw new Error(\n `There is no AWS integration that matches ${accountId}. Please add a configuration for this AWS account.`,\n );\n }\n}\n"],"names":["STSClient","GetCallerIdentityCommand","fromIni","fromNodeProviderChain","fromTemporaryCredentials","parse"],"mappings":";;;;;;;;AAoJA,SAAS,gCACP,MAC6B,EAAA;AAC7B,EAAA,MAAM,aAAgB,GAAA;AAAA,IACpB,SAAA,EAAW,MAAO,CAAA,SAAA,CAAU,WAAW,CAAA;AAAA,IACvC,WAAA,EAAa,MAAO,CAAA,iBAAA,CAAkB,aAAa,CAAA;AAAA,IACnD,eAAA,EAAiB,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAAA,IAC3D,OAAA,EAAS,MAAO,CAAA,iBAAA,CAAkB,SAAS,CAAA;AAAA,IAC3C,QAAA,EAAU,MAAO,CAAA,iBAAA,CAAkB,UAAU,CAAA;AAAA,IAC7C,MAAA,EAAQ,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA;AAAA,IACzC,SAAA,EAAW,MAAO,CAAA,iBAAA,CAAkB,WAAW,CAAA;AAAA,IAC/C,UAAA,EAAY,MAAO,CAAA,iBAAA,CAAkB,YAAY,CAAA;AAAA,GACnD,CAAA;AAGA,EAAA,IAAI,aAAc,CAAA,WAAA,IAAe,CAAC,aAAA,CAAc,eAAiB,EAAA;AAC/D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,2DAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,aAAA,CAAc,WAAe,IAAA,aAAA,CAAc,eAAiB,EAAA;AAC/D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,yDAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAI,IAAA,aAAA,CAAc,OAAW,IAAA,aAAA,CAAc,WAAa,EAAA;AACtD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,mFAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAI,IAAA,aAAA,CAAc,OAAW,IAAA,aAAA,CAAc,QAAU,EAAA;AACnD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,qFAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,aAAA,CAAc,QAAY,IAAA,aAAA,CAAc,UAAY,EAAA;AACvD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,iDAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,aAAA,CAAc,QAAY,IAAA,aAAA,CAAc,MAAQ,EAAA;AACnD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,gDAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,aAAA,CAAc,QAAY,IAAA,aAAA,CAAc,SAAW,EAAA;AACtD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,2BAA2B,aAAc,CAAA,SAAA,CAAA,mDAAA,CAAA;AAAA,KAC3C,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,aAAA,CAAA;AACT,CAAA;AAOA,SAAS,oCACP,MACiC,EAAA;AACjC,EAAA,MAAM,iBAAoB,GAAA;AAAA,IACxB,WAAA,EAAa,MAAO,CAAA,iBAAA,CAAkB,aAAa,CAAA;AAAA,IACnD,eAAA,EAAiB,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAAA,IAC3D,OAAA,EAAS,MAAO,CAAA,iBAAA,CAAkB,SAAS,CAAA;AAAA,IAC3C,MAAA,EAAQ,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA;AAAA,GAC3C,CAAA;AAGA,EAAA,IAAI,iBAAkB,CAAA,WAAA,IAAe,CAAC,iBAAA,CAAkB,eAAiB,EAAA;AACvE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,2FAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,iBAAA,CAAkB,WAAe,IAAA,iBAAA,CAAkB,eAAiB,EAAA;AACvE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,yFAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAI,IAAA,iBAAA,CAAkB,OAAW,IAAA,iBAAA,CAAkB,WAAa,EAAA;AAC9D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,mHAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,iBAAA,CAAA;AACT,CAAA;AAOA,SAAS,wCACP,MACoC,EAAA;AACpC,EAAA,MAAM,oBAAuB,GAAA;AAAA,IAC3B,QAAA,EAAU,MAAO,CAAA,iBAAA,CAAkB,UAAU,CAAA;AAAA,IAC7C,SAAA,EAAW,MAAO,CAAA,iBAAA,CAAkB,WAAW,CAAA;AAAA,IAC/C,MAAA,EAAQ,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA;AAAA,IACzC,UAAA,EAAY,MAAO,CAAA,iBAAA,CAAkB,YAAY,CAAA;AAAA,GACnD,CAAA;AAGA,EAAA,IAAI,CAAC,oBAAA,CAAqB,QAAY,IAAA,oBAAA,CAAqB,UAAY,EAAA;AACrE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,8FAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,oBAAA,CAAqB,QAAY,IAAA,oBAAA,CAAqB,MAAQ,EAAA;AACjE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,6FAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,oBAAA,CAAqB,QAAY,IAAA,oBAAA,CAAqB,SAAW,EAAA;AACpE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,gGAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAO,OAAA,oBAAA,CAAA;AACT,CAAA;AAQO,SAAS,yBAAyB,MAAsC,EAAA;AAhS/E,EAAA,IAAA,EAAA,CAAA;AAiSE,EAAA,MAAM,YAAW,EACd,GAAA,MAAA,CAAA,sBAAA,CAAuB,UAAU,CAAA,KADnB,mBAEb,GAAI,CAAA,+BAAA,CAAA,CAAA;AACR,EAAM,MAAA,WAAA,GAAc,MAAO,CAAA,GAAA,CAAI,aAAa,CAAA,GACxC,mCAAoC,CAAA,MAAA,CAAO,SAAU,CAAA,aAAa,CAAC,CAAA,GACnE,EAAC,CAAA;AACL,EAAA,MAAM,eAAkB,GAAA,MAAA,CAAO,GAAI,CAAA,iBAAiB,CAChD,GAAA,uCAAA;AAAA,IACE,MAAA,CAAO,UAAU,iBAAiB,CAAA;AAAA,MAEpC,EAAC,CAAA;AAEL,EAAO,OAAA;AAAA,IACL,QAAA,EAAU,8BAAY,EAAC;AAAA,IACvB,WAAA;AAAA,IACA,eAAA;AAAA,GACF,CAAA;AACF;;AC1QA,eAAe,gBAAgB,YAAqC,EAAA;AAClE,EAAA,IAAI,aAAa,SAAW,EAAA;AAC1B,IAAA,OAAA;AAAA,GACF;AAEA,EAAM,MAAA,MAAA,GAAS,IAAIA,mBAAU,CAAA;AAAA,IAC3B,QAAQ,YAAa,CAAA,SAAA;AAAA,IACrB,eAAiB,EAAA,mCAAA;AAAA,IACjB,yBAAA,EAA2B,MAAM,YAAa,CAAA,qBAAA;AAAA,GAC/C,CAAA,CAAA;AACD,EAAM,MAAA,IAAA,GAAO,MAAM,MAAO,CAAA,IAAA,CAAK,IAAIC,kCAAyB,CAAA,EAAE,CAAC,CAAA,CAAA;AAC/D,EAAA,YAAA,CAAa,YAAY,IAAK,CAAA,OAAA,CAAA;AAChC,CAAA;AAEA,SAAS,oBAAA,CACP,aACA,eAC+B,EAAA;AAC/B,EAAA,OAAO,YAAY;AACjB,IAAA,OAAO,QAAQ,OAAQ,CAAA;AAAA,MACrB,WAAA;AAAA,MACA,eAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH,CAAA;AACF,CAAA;AAEA,SAAS,qBAAA,CACP,SACA,MAC+B,EAAA;AAC/B,EAAA,OAAOC,2BAAQ,CAAA;AAAA,IACb,OAAA;AAAA,IACA,YAAc,EAAA;AAAA,MACZ,MAAA;AAAA,MACA,eAAiB,EAAA,mCAAA;AAAA,KACnB;AAAA,GACD,CAAA,CAAA;AACH,CAAA;AAEA,SAAS,0BAA4D,GAAA;AACnE,EAAA,OAAOC,yCAAsB,EAAA,CAAA;AAC/B,CAAA;AAYA,SAAS,wBAAA,CACP,QACA,uBAC+B,EAAA;AAhGjC,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAiGE,EAAA,IAAI,OAAO,QAAU,EAAA;AACnB,IAAM,MAAA,MAAA,GAAA,CAAS,EAAO,GAAA,MAAA,CAAA,MAAA,KAAP,IAAiB,GAAA,EAAA,GAAA,WAAA,CAAA;AAChC,IAAM,MAAA,SAAA,GAAA,CAAY,EAAO,GAAA,MAAA,CAAA,SAAA,KAAP,IAAoB,GAAA,EAAA,GAAA,KAAA,CAAA;AAEtC,IAAA,OAAOC,4CAAyB,CAAA;AAAA,MAC9B,iBAAA,EAAmB,OAAO,WACtB,GAAA,oBAAA,CAAqB,OAAO,WAAc,EAAA,MAAA,CAAO,eAAgB,CACjE,GAAA,uBAAA;AAAA,MACJ,MAAQ,EAAA;AAAA,QACN,OAAS,EAAA,CAAA,IAAA,EAAO,SAAkB,CAAA,MAAA,EAAA,MAAA,CAAO,kBAAkB,MAAO,CAAA,QAAA,CAAA,CAAA;AAAA,QAClE,eAAiB,EAAA,WAAA;AAAA,QACjB,YAAY,MAAO,CAAA,UAAA;AAAA,OACrB;AAAA,MACA,YAAc,EAAA;AAAA,QACZ,MAAA;AAAA,QACA,eAAiB,EAAA,mCAAA;AAAA,OACnB;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAEA,EAAA,IAAI,OAAO,WAAa,EAAA;AACtB,IAAA,OAAO,oBAAqB,CAAA,MAAA,CAAO,WAAc,EAAA,MAAA,CAAO,eAAgB,CAAA,CAAA;AAAA,GAC1E;AAEA,EAAA,IAAI,OAAO,OAAS,EAAA;AAClB,IAAA,OAAO,qBAAsB,CAAA,MAAA,CAAO,OAAU,EAAA,MAAA,CAAO,MAAM,CAAA,CAAA;AAAA,GAC7D;AAEA,EAAA,OAAO,0BAA2B,EAAA,CAAA;AACpC,CAAA;AAUA,SAAS,oCACP,MAC+B,EAAA;AAC/B,EAAA,IAAI,OAAO,WAAa,EAAA;AACtB,IAAA,OAAO,oBAAqB,CAAA,MAAA,CAAO,WAAc,EAAA,MAAA,CAAO,eAAgB,CAAA,CAAA;AAAA,GAC1E;AAEA,EAAA,IAAI,OAAO,OAAS,EAAA;AAClB,IAAA,OAAO,qBAAsB,CAAA,MAAA,CAAO,OAAU,EAAA,MAAA,CAAO,MAAM,CAAA,CAAA;AAAA,GAC7D;AAEA,EAAA,OAAO,0BAA2B,EAAA,CAAA;AACpC,CAAA;AAOO,MAAM,4BAA8D,CAAA;AAAA,EAqCjE,WAAA,CACW,0BAIA,EAAA,eAAA,EACA,6BACjB,EAAA;AANiB,IAAA,IAAA,CAAA,0BAAA,GAAA,0BAAA,CAAA;AAIA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA,CAAA;AACA,IAAA,IAAA,CAAA,6BAAA,GAAA,6BAAA,CAAA;AAAA,GAChB;AAAA,EA3CH,OAAO,WAAW,MAA8C,EAAA;AAC9D,IAAM,MAAA,SAAA,GAAY,MAAO,CAAA,GAAA,CAAI,KAAK,CAAA,GAC9B,yBAAyB,MAAO,CAAA,SAAA,CAAU,KAAK,CAAC,CAChD,GAAA;AAAA,MACE,UAAU,EAAC;AAAA,MACX,aAAa,EAAC;AAAA,MACd,iBAAiB,EAAC;AAAA,KACpB,CAAA;AAEJ,IAAA,MAAM,0BAA6B,GAAA,mCAAA;AAAA,MACjC,SAAU,CAAA,WAAA;AAAA,KACZ,CAAA;AACA,IAAA,MAAM,uBAAiD,GAAA;AAAA,MACrD,qBAAuB,EAAA,0BAAA;AAAA,KACzB,CAAA;AAEA,IAAM,MAAA,oBAAA,uBAA2B,GAAmC,EAAA,CAAA;AACpE,IAAW,KAAA,MAAA,aAAA,IAAiB,UAAU,QAAU,EAAA;AAC9C,MAAA,MAAM,qBAAwB,GAAA,wBAAA;AAAA,QAC5B,aAAA;AAAA,QACA,0BAAA;AAAA,OACF,CAAA;AACA,MAAqB,oBAAA,CAAA,GAAA,CAAI,cAAc,SAAW,EAAA;AAAA,QAChD,WAAW,aAAc,CAAA,SAAA;AAAA,QACzB,WAAW,aAAc,CAAA,MAAA;AAAA,QACzB,qBAAA;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAEA,IAAA,OAAO,IAAI,4BAAA;AAAA,MACT,oBAAA;AAAA,MACA,SAAU,CAAA,eAAA;AAAA,MACV,uBAAA;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EA4BA,MAAM,sBACJ,IACgC,EAAA;AAEhC,IAAA,IAAI,CAAC,IAAM,EAAA;AACT,MAAM,MAAA,eAAA,CAAgB,KAAK,6BAA6B,CAAA,CAAA;AACxD,MAAA,OAAO,IAAK,CAAA,6BAAA,CAAA;AAAA,KACd;AAGA,IAAA,IAAI,YAAY,IAAK,CAAA,SAAA,CAAA;AACrB,IAAI,IAAA,IAAA,CAAK,GAAO,IAAA,CAAC,SAAW,EAAA;AAC1B,MAAM,MAAA,aAAA,GAAgBC,mBAAM,CAAA,IAAA,CAAK,GAAG,CAAA,CAAA;AACpC,MAAA,SAAA,GAAY,aAAc,CAAA,SAAA,CAAA;AAAA,KAC5B;AAIA,IAAA,IAAI,CAAC,SAAW,EAAA;AACd,MAAM,MAAA,eAAA,CAAgB,KAAK,6BAA6B,CAAA,CAAA;AACxD,MAAA,OAAO,IAAK,CAAA,6BAAA,CAAA;AAAA,KACd;AAGA,IAAA,IAAI,IAAK,CAAA,0BAAA,CAA2B,GAAI,CAAA,SAAS,CAAG,EAAA;AAClD,MAAO,OAAA,IAAA,CAAK,0BAA2B,CAAA,GAAA,CAAI,SAAS,CAAA,CAAA;AAAA,KACtD;AAGA,IAAI,IAAA,IAAA,CAAK,gBAAgB,QAAU,EAAA;AACjC,MAAA,MAAM,MAAsC,GAAA;AAAA,QAC1C,SAAA;AAAA,QACA,QAAA,EAAU,KAAK,eAAgB,CAAA,QAAA;AAAA,QAC/B,SAAA,EAAW,KAAK,eAAgB,CAAA,SAAA;AAAA,QAChC,MAAA,EAAQ,KAAK,eAAgB,CAAA,MAAA;AAAA,QAC7B,UAAA,EAAY,KAAK,eAAgB,CAAA,UAAA;AAAA,OACnC,CAAA;AACA,MAAA,MAAM,qBAAwB,GAAA,wBAAA;AAAA,QAC5B,MAAA;AAAA,QACA,KAAK,6BAA8B,CAAA,qBAAA;AAAA,OACrC,CAAA;AACA,MAAA,MAAM,YAAsC,GAAA;AAAA,QAC1C,SAAA;AAAA,QACA,qBAAA;AAAA,OACF,CAAA;AACA,MAAK,IAAA,CAAA,0BAAA,CAA2B,GAAI,CAAA,SAAA,EAAW,YAAY,CAAA,CAAA;AAC3D,MAAO,OAAA,YAAA,CAAA;AAAA,KACT;AAIA,IAAM,MAAA,eAAA,CAAgB,KAAK,6BAA6B,CAAA,CAAA;AACxD,IAAI,IAAA,SAAA,KAAc,IAAK,CAAA,6BAAA,CAA8B,SAAW,EAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,6BAAA,CAAA;AAAA,KACd;AAGA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAA4C,yCAAA,EAAA,SAAA,CAAA,kDAAA,CAAA;AAAA,KAC9C,CAAA;AAAA,GACF;AACF;;;;"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import { AwsCredentialIdentityProvider } from '@aws-sdk/types';
+import { Config } from '@backstage/config';
+/**
+ * A set of credentials information for an AWS account.
+ *
+ * @public
+ */
+declare type AwsCredentialProvider = {
+    /**
+     * The AWS account ID of these credentials
+     */
+    accountId?: string;
+    /**
+     * The STS region used with these credentials
+     */
+    stsRegion?: string;
+    /**
+     * The credential identity provider to use when creating AWS SDK for Javascript V3 clients
+     */
+    sdkCredentialProvider: AwsCredentialIdentityProvider;
+};
+/**
+ * The options for specifying the AWS credentials to retrieve.
+ *
+ * @public
+ */
+declare type AwsCredentialProviderOptions = {
+    /**
+     * The AWS account ID, e.g. '0123456789012'
+     */
+    accountId?: string;
+    /**
+     * The resource ARN that will be accessed with the returned credentials.
+     * If account ID or region are not specified, they will be inferred from the ARN.
+     */
+    arn?: string;
+};
+/**
+ * This allows implementations to be provided to retrieve AWS credentials.
+ *
+ * @public
+ */
+interface AwsCredentialsManager {
+    /**
+     * Get credentials for an AWS account.
+     */
+    getCredentialProvider(opts?: AwsCredentialProviderOptions): Promise<AwsCredentialProvider>;
+}
+/**
+ * Handles the creation and caching of credential providers for AWS accounts.
+ *
+ * @public
+ */
+declare class DefaultAwsCredentialsManager implements AwsCredentialsManager {
+    private readonly accountCredentialProviders;
+    private readonly accountDefaults;
+    private readonly mainAccountCredentialProvider;
+    static fromConfig(config: Config): DefaultAwsCredentialsManager;
+    private constructor();
+    /**
+     * Returns an {@link AwsCredentialProvider} for a given AWS account.
+     *
+     * @example
+     * ```ts
+     * const { provider } = await getCredentialProvider({
+     *   accountId: '0123456789012',
+     * })
+     *
+     * const { provider } = await getCredentialProvider({
+     *   arn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service'
+     * })
+     * ```
+     *
+     * @param opts - the AWS account ID or AWS resource ARN
+     * @returns A promise of {@link AwsCredentialProvider}.
+     */
+    getCredentialProvider(opts?: AwsCredentialProviderOptions): Promise<AwsCredentialProvider>;
+}
+export { AwsCredentialProvider, AwsCredentialProviderOptions, AwsCredentialsManager, DefaultAwsCredentialsManager };

package/package.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "name": "@backstage/integration-aws-node",
+  "description": "Helpers for fetching AWS account credentials",
+  "version": "0.0.0-nightly-20221213023404",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "module": "dist/index.esm.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "node-library"
+  },
+  "homepage": "https://backstage.io",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/backstage/backstage",
+    "directory": "packages/integration-aws-node"
+  },
+  "keywords": [
+    "backstage"
+  ],
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack",
+    "clean": "backstage-cli package clean"
+  },
+  "dependencies": {
+    "@aws-sdk/client-sts": "^3.208.0",
+    "@aws-sdk/credential-provider-node": "^3.208.0",
+    "@aws-sdk/credential-providers": "^3.208.0",
+    "@aws-sdk/types": "^3.208.0",
+    "@aws-sdk/util-arn-parser": "^3.208.0",
+    "@backstage/config": "^0.0.0-nightly-20221213023404",
+    "@backstage/errors": "^0.0.0-nightly-20221213023404"
+  },
+  "devDependencies": {
+    "@backstage/cli": "^0.0.0-nightly-20221213023404",
+    "@backstage/config-loader": "^0.0.0-nightly-20221213023404",
+    "@backstage/test-utils": "^0.0.0-nightly-20221213023404",
+    "aws-sdk-client-mock": "^2.0.0",
+    "aws-sdk-client-mock-jest": "^2.0.0"
+  },
+  "files": [
+    "dist",
+    "config.d.ts"
+  ],
+  "configSchema": "config.d.ts",
+  "module": "dist/index.esm.js"
+}