@backstage/integration-aws-node 0.1.18 → 0.1.19-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/dist/DefaultAwsCredentialsManager.cjs.js +8 -5
  3. package/dist/DefaultAwsCredentialsManager.cjs.js.map +1 -1
  4. package/dist/index.d.ts +1 -1
  5. package/package.json +6 -6
package/CHANGELOG.md CHANGED
@@ -1,5 +1,14 @@
1
1
  # @backstage/integration-aws-node
2
2
 
3
+ ## 0.1.19-next.0
4
+
5
+ ### Patch Changes
6
+
7
+ - 05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript's `erasableSyntaxOnly` setting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.
8
+ - Updated dependencies
9
+ - @backstage/config@1.3.6-next.0
10
+ - @backstage/errors@1.2.7
11
+
3
12
  ## 0.1.18
4
13
 
5
14
  ### Patch Changes
package/dist/DefaultAwsCredentialsManager.cjs.js CHANGED
@@ -72,11 +72,6 @@ function getMainAccountSdkCredentialProvider(config) {
72
72
  return getDefaultCredentialsChain(config.region);
73
73
  }
74
74
  class DefaultAwsCredentialsManager {
75
- constructor(accountCredentialProviders, accountDefaults, mainAccountCredentialProvider) {
76
- this.accountCredentialProviders = accountCredentialProviders;
77
- this.accountDefaults = accountDefaults;
78
- this.mainAccountCredentialProvider = mainAccountCredentialProvider;
79
- }
80
75
  static fromConfig(config$1) {
81
76
  const awsConfig = config$1.has("aws") ? config.readAwsIntegrationConfig(config$1.getConfig("aws")) : {
82
77
  accounts: [],
@@ -108,6 +103,14 @@ class DefaultAwsCredentialsManager {
108
103
  mainAccountCredProvider
109
104
  );
110
105
  }
106
+ accountCredentialProviders;
107
+ accountDefaults;
108
+ mainAccountCredentialProvider;
109
+ constructor(accountCredentialProviders, accountDefaults, mainAccountCredentialProvider) {
110
+ this.accountCredentialProviders = accountCredentialProviders;
111
+ this.accountDefaults = accountDefaults;
112
+ this.mainAccountCredentialProvider = mainAccountCredentialProvider;
113
+ }
111
114
  /**
112
115
  * Returns an {@link AwsCredentialProvider} for a given AWS account.
113
116
  *
package/dist/DefaultAwsCredentialsManager.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"DefaultAwsCredentialsManager.cjs.js","sources":["../src/DefaultAwsCredentialsManager.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n readAwsIntegrationConfig,\n AwsIntegrationAccountConfig,\n AwsIntegrationDefaultAccountConfig,\n AwsIntegrationMainAccountConfig,\n} from './config';\nimport {\n AwsCredentialsManager,\n AwsCredentialProvider,\n AwsCredentialProviderOptions,\n} from './types';\nimport { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';\nimport {\n fromIni,\n fromNodeProviderChain,\n fromTemporaryCredentials,\n} from '@aws-sdk/credential-providers';\nimport { AwsCredentialIdentityProvider } from '@aws-sdk/types';\nimport { parse } from '@aws-sdk/util-arn-parser';\nimport { Config } from '@backstage/config';\n\n/**\n * Retrieves the account ID for the given credential provider from STS.\n * Include the region if present, otherwise use the default region.\n */\nasync function fillInAccountId(credProvider: AwsCredentialProvider) {\n if (credProvider.accountId) {\n return;\n }\n\n const client = new STSClient({\n region: credProvider.stsRegion ?? 'us-east-1',\n customUserAgent: 'backstage-aws-credentials-manager',\n credentialDefaultProvider: () => credProvider.sdkCredentialProvider,\n });\n const resp = await client.send(new GetCallerIdentityCommand({}));\n credProvider.accountId = resp.Account!;\n}\n\nfunction getStaticCredentials(\n accessKeyId: string,\n secretAccessKey: string,\n): AwsCredentialIdentityProvider {\n return async () => {\n return Promise.resolve({\n accessKeyId: accessKeyId,\n secretAccessKey: secretAccessKey,\n });\n };\n}\n\nfunction getProfileCredentials(\n profile: string,\n region?: string,\n): AwsCredentialIdentityProvider {\n return fromIni({\n profile,\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n}\n\n/**\n * Include the region if present, otherwise use the default region.\n *\n * @see https://www.npmjs.com/package/@aws-sdk/credential-provider-node\n */\nfunction getDefaultCredentialsChain(\n region = 'us-east-1',\n): AwsCredentialIdentityProvider {\n return fromNodeProviderChain({ clientConfig: { region } });\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK from the given account config\n *\n * Order of precedence:\n * 1. Assume role with static creds\n * 2. Assume role with main account creds\n * 3. Static creds\n * 4. Profile creds\n * 5. Default AWS SDK creds chain\n */\nfunction getSdkCredentialProvider(\n config: AwsIntegrationAccountConfig,\n mainAccountCredProvider: AwsCredentialIdentityProvider,\n): AwsCredentialIdentityProvider {\n if (config.roleName) {\n const region = config.region ?? 'us-east-1';\n const partition = config.partition ?? 'aws';\n\n return fromTemporaryCredentials({\n masterCredentials: config.accessKeyId\n ? getStaticCredentials(config.accessKeyId!, config.secretAccessKey!)\n : mainAccountCredProvider,\n params: {\n RoleArn: `arn:${partition}:iam::${config.accountId}:role/${config.roleName}`,\n RoleSessionName: 'backstage',\n ExternalId: config.externalId,\n },\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n }\n\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain(config.region);\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK for the main account\n *\n * Order of precedence:\n * 1. Static creds\n * 2. Profile creds\n * 3. Default AWS SDK creds chain\n */\nfunction getMainAccountSdkCredentialProvider(\n config: AwsIntegrationMainAccountConfig,\n): AwsCredentialIdentityProvider {\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain(config.region);\n}\n\n/**\n * Handles the creation and caching of credential providers for AWS accounts.\n *\n * @public\n */\nexport class DefaultAwsCredentialsManager implements AwsCredentialsManager {\n static fromConfig(config: Config): DefaultAwsCredentialsManager {\n const awsConfig = config.has('aws')\n ? readAwsIntegrationConfig(config.getConfig('aws'))\n : {\n accounts: [],\n mainAccount: {},\n accountDefaults: {},\n };\n\n const mainAccountSdkCredProvider = getMainAccountSdkCredentialProvider(\n awsConfig.mainAccount,\n );\n const mainAccountCredProvider: AwsCredentialProvider = {\n stsRegion: awsConfig.mainAccount.region,\n sdkCredentialProvider: mainAccountSdkCredProvider,\n };\n\n const accountCredProviders = new Map<string, AwsCredentialProvider>();\n for (const accountConfig of awsConfig.accounts) {\n const sdkCredentialProvider = getSdkCredentialProvider(\n accountConfig,\n mainAccountSdkCredProvider,\n );\n accountCredProviders.set(accountConfig.accountId, {\n accountId: accountConfig.accountId,\n stsRegion: accountConfig.region,\n sdkCredentialProvider,\n });\n }\n\n return new DefaultAwsCredentialsManager(\n accountCredProviders,\n awsConfig.accountDefaults,\n mainAccountCredProvider,\n );\n }\n\n private constructor(\n private readonly accountCredentialProviders: Map<\n string,\n AwsCredentialProvider\n >,\n private readonly accountDefaults: AwsIntegrationDefaultAccountConfig,\n private readonly mainAccountCredentialProvider: AwsCredentialProvider,\n ) {}\n\n /**\n * Returns an {@link AwsCredentialProvider} for a given AWS account.\n *\n * @example\n * ```ts\n * const { provider } = await getCredentialProvider({\n * accountId: '0123456789012',\n * })\n *\n * const { provider } = await getCredentialProvider({\n * arn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service'\n * })\n * ```\n *\n * @param opts - the AWS account ID or AWS resource ARN\n * @returns A promise of {@link AwsCredentialProvider}.\n */\n async getCredentialProvider(\n opts?: AwsCredentialProviderOptions,\n ): Promise<AwsCredentialProvider> {\n // If no options provided, fall back to the main account\n if (!opts) {\n return this.mainAccountCredentialProvider;\n }\n\n // Determine the account ID: either explicitly provided or extracted from the provided ARN\n let accountId = opts.accountId;\n if (opts.arn && !accountId) {\n const arnComponents = parse(opts.arn);\n accountId = arnComponents.accountId;\n }\n\n // If the account ID was not provided (explicitly or in the ARN),\n // fall back to the main account\n if (!accountId) {\n return this.mainAccountCredentialProvider;\n }\n\n // Return a cached provider if available\n if (this.accountCredentialProviders.has(accountId)) {\n return this.accountCredentialProviders.get(accountId)!;\n }\n\n // First, fall back to using the account defaults\n if (this.accountDefaults.roleName) {\n const config: AwsIntegrationAccountConfig = {\n accountId,\n roleName: this.accountDefaults.roleName,\n partition: this.accountDefaults.partition,\n region: this.accountDefaults.region,\n externalId: this.accountDefaults.externalId,\n };\n const sdkCredentialProvider = getSdkCredentialProvider(\n config,\n this.mainAccountCredentialProvider.sdkCredentialProvider,\n );\n const credProvider: AwsCredentialProvider = {\n accountId,\n sdkCredentialProvider,\n };\n this.accountCredentialProviders.set(accountId, credProvider);\n return credProvider;\n }\n\n // Then, fall back to using the main account, but only\n // if the account requested matches the main account ID\n await fillInAccountId(this.mainAccountCredentialProvider);\n if (accountId === this.mainAccountCredentialProvider.accountId) {\n return this.mainAccountCredentialProvider;\n }\n\n // Otherwise, the account needs to be explicitly configured in Backstage\n throw new Error(\n `There is no AWS integration that matches ${accountId}. Please add a configuration for this AWS account.`,\n );\n }\n}\n"],"names":["STSClient","GetCallerIdentityCommand","fromIni","fromNodeProviderChain","fromTemporaryCredentials","config","readAwsIntegrationConfig","parse"],"mappings":";;;;;;;AAyCA,eAAe,gBAAgB,YAAA,EAAqC;AAClE,EAAA,IAAI,aAAa,SAAA,EAAW;AAC1B,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,IAAIA,mBAAA,CAAU;AAAA,IAC3B,MAAA,EAAQ,aAAa,SAAA,IAAa,WAAA;AAAA,IAClC,eAAA,EAAiB,mCAAA;AAAA,IACjB,yBAAA,EAA2B,MAAM,YAAA,CAAa;AAAA,GAC/C,CAAA;AACD,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,IAAA,CAAK,IAAIC,kCAAA,CAAyB,EAAE,CAAC,CAAA;AAC/D,EAAA,YAAA,CAAa,YAAY,IAAA,CAAK,OAAA;AAChC;AAEA,SAAS,oBAAA,CACP,aACA,eAAA,EAC+B;AAC/B,EAAA,OAAO,YAAY;AACjB,IAAA,OAAO,QAAQ,OAAA,CAAQ;AAAA,MACrB,WAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,EACH,CAAA;AACF;AAEA,SAAS,qBAAA,CACP,SACA,MAAA,EAC+B;AAC/B,EAAA,OAAOC,2BAAA,CAAQ;AAAA,IACb,OAAA;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,MAAA;AAAA,MACA,eAAA,EAAiB;AAAA;AACnB,GACD,CAAA;AACH;AAOA,SAAS,0BAAA,CACP,SAAS,WAAA,EACsB;AAC/B,EAAA,OAAOC,0CAAsB,EAAE,YAAA,EAAc,EAAE,MAAA,IAAU,CAAA;AAC3D;AAYA,SAAS,wBAAA,CACP,QACA,uBAAA,EAC+B;AAC/B,EAAA,IAAI,OAAO,QAAA,EAAU;AACnB,IAAA,MAAM,MAAA,GAAS,OAAO,MAAA,IAAU,WAAA;AAChC,IAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,KAAA;AAEtC,IAAA,OAAOC,4CAAA,CAAyB;AAAA,MAC9B,iBAAA,EAAmB,OAAO,WAAA,GACtB,oBAAA,CAAqB,OAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA,GACjE,uBAAA;AAAA,MACJ,MAAA,EAAQ;AAAA,QACN,OAAA,EAAS,OAAO,SAAS,CAAA,MAAA,EAAS,OAAO,SAAS,CAAA,MAAA,EAAS,OAAO,QAAQ,CAAA,CAAA;AAAA,QAC1E,eAAA,EAAiB,WAAA;AAAA,QACjB,YAAY,MAAA,CAAO;AAAA,OACrB;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,MAAA;AAAA,QACA,eAAA,EAAiB;AAAA;AACnB,KACD,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,OAAO,oBAAA,CAAqB,MAAA,CAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA;AAAA,EAC1E;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAO,qBAAA,CAAsB,MAAA,CAAO,OAAA,EAAU,MAAA,CAAO,MAAM,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO,0BAAA,CAA2B,OAAO,MAAM,CAAA;AACjD;AAUA,SAAS,oCACP,MAAA,EAC+B;AAC/B,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,OAAO,oBAAA,CAAqB,MAAA,CAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA;AAAA,EAC1E;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAO,qBAAA,CAAsB,MAAA,CAAO,OAAA,EAAU,MAAA,CAAO,MAAM,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO,0BAAA,CAA2B,OAAO,MAAM,CAAA;AACjD;AAOO,MAAM,4BAAA,CAA8D;AAAA,EAsCjE,WAAA,CACW,0BAAA,EAIA,eAAA,EACA,6BAAA,EACjB;AANiB,IAAA,IAAA,CAAA,0BAAA,GAAA,0BAAA;AAIA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,6BAAA,GAAA,6BAAA;AAAA,EAChB;AAAA,EA5CH,OAAO,WAAWC,QAAA,EAA8C;AAC9D,IAAA,MAAM,SAAA,GAAYA,QAAA,CAAO,GAAA,CAAI,KAAK,CAAA,GAC9BC,gCAAyBD,QAAA,CAAO,SAAA,CAAU,KAAK,CAAC,CAAA,GAChD;AAAA,MACE,UAAU,EAAC;AAAA,MACX,aAAa,EAAC;AAAA,MACd,iBAAiB;AAAC,KACpB;AAEJ,IAAA,MAAM,0BAAA,GAA6B,mCAAA;AAAA,MACjC,SAAA,CAAU;AAAA,KACZ;AACA,IAAA,MAAM,uBAAA,GAAiD;AAAA,MACrD,SAAA,EAAW,UAAU,WAAA,CAAY,MAAA;AAAA,MACjC,qBAAA,EAAuB;AAAA,KACzB;AAEA,IAAA,MAAM,oBAAA,uBAA2B,GAAA,EAAmC;AACpE,IAAA,KAAA,MAAW,aAAA,IAAiB,UAAU,QAAA,EAAU;AAC9C,MAAA,MAAM,qBAAA,GAAwB,wBAAA;AAAA,QAC5B,aAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,oBAAA,CAAqB,GAAA,CAAI,cAAc,SAAA,EAAW;AAAA,QAChD,WAAW,aAAA,CAAc,SAAA;AAAA,QACzB,WAAW,aAAA,CAAc,MAAA;AAAA,QACzB;AAAA,OACD,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,4BAAA;AAAA,MACT,oBAAA;AAAA,MACA,SAAA,CAAU,eAAA;AAAA,MACV;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,sBACJ,IAAA,EACgC;AAEhC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,IAAI,YAAY,IAAA,CAAK,SAAA;AACrB,IAAA,IAAI,IAAA,CAAK,GAAA,IAAO,CAAC,SAAA,EAAW;AAC1B,MAAA,MAAM,aAAA,GAAgBE,mBAAA,CAAM,IAAA,CAAK,GAAG,CAAA;AACpC,MAAA,SAAA,GAAY,aAAA,CAAc,SAAA;AAAA,IAC5B;AAIA,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,IAAI,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAS,CAAA,EAAG;AAClD,MAAA,OAAO,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAS,CAAA;AAAA,IACtD;AAGA,IAAA,IAAI,IAAA,CAAK,gBAAgB,QAAA,EAAU;AACjC,MAAA,MAAM,MAAA,GAAsC;AAAA,QAC1C,SAAA;AAAA,QACA,QAAA,EAAU,KAAK,eAAA,CAAgB,QAAA;AAAA,QAC/B,SAAA,EAAW,KAAK,eAAA,CAAgB,SAAA;AAAA,QAChC,MAAA,EAAQ,KAAK,eAAA,CAAgB,MAAA;AAAA,QAC7B,UAAA,EAAY,KAAK,eAAA,CAAgB;AAAA,OACnC;AACA,MAAA,MAAM,qBAAA,GAAwB,wBAAA;AAAA,QAC5B,MAAA;AAAA,QACA,KAAK,6BAAA,CAA8B;AAAA,OACrC;AACA,MAAA,MAAM,YAAA,GAAsC;AAAA,QAC1C,SAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAA,EAAW,YAAY,CAAA;AAC3D,MAAA,OAAO,YAAA;AAAA,IACT;AAIA,IAAA,MAAM,eAAA,CAAgB,KAAK,6BAA6B,CAAA;AACxD,IAAA,IAAI,SAAA,KAAc,IAAA,CAAK,6BAAA,CAA8B,SAAA,EAAW;AAC9D,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,4CAA4C,SAAS,CAAA,kDAAA;AAAA,KACvD;AAAA,EACF;AACF;;;;"}
1
+ {"version":3,"file":"DefaultAwsCredentialsManager.cjs.js","sources":["../src/DefaultAwsCredentialsManager.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n readAwsIntegrationConfig,\n AwsIntegrationAccountConfig,\n AwsIntegrationDefaultAccountConfig,\n AwsIntegrationMainAccountConfig,\n} from './config';\nimport {\n AwsCredentialsManager,\n AwsCredentialProvider,\n AwsCredentialProviderOptions,\n} from './types';\nimport { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';\nimport {\n fromIni,\n fromNodeProviderChain,\n fromTemporaryCredentials,\n} from '@aws-sdk/credential-providers';\nimport { AwsCredentialIdentityProvider } from '@aws-sdk/types';\nimport { parse } from '@aws-sdk/util-arn-parser';\nimport { Config } from '@backstage/config';\n\n/**\n * Retrieves the account ID for the given credential provider from STS.\n * Include the region if present, otherwise use the default region.\n */\nasync function fillInAccountId(credProvider: AwsCredentialProvider) {\n if (credProvider.accountId) {\n return;\n }\n\n const client = new STSClient({\n region: credProvider.stsRegion ?? 'us-east-1',\n customUserAgent: 'backstage-aws-credentials-manager',\n credentialDefaultProvider: () => credProvider.sdkCredentialProvider,\n });\n const resp = await client.send(new GetCallerIdentityCommand({}));\n credProvider.accountId = resp.Account!;\n}\n\nfunction getStaticCredentials(\n accessKeyId: string,\n secretAccessKey: string,\n): AwsCredentialIdentityProvider {\n return async () => {\n return Promise.resolve({\n accessKeyId: accessKeyId,\n secretAccessKey: secretAccessKey,\n });\n };\n}\n\nfunction getProfileCredentials(\n profile: string,\n region?: string,\n): AwsCredentialIdentityProvider {\n return fromIni({\n profile,\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n}\n\n/**\n * Include the region if present, otherwise use the default region.\n *\n * @see https://www.npmjs.com/package/@aws-sdk/credential-provider-node\n */\nfunction getDefaultCredentialsChain(\n region = 'us-east-1',\n): AwsCredentialIdentityProvider {\n return fromNodeProviderChain({ clientConfig: { region } });\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK from the given account config\n *\n * Order of precedence:\n * 1. Assume role with static creds\n * 2. Assume role with main account creds\n * 3. Static creds\n * 4. Profile creds\n * 5. Default AWS SDK creds chain\n */\nfunction getSdkCredentialProvider(\n config: AwsIntegrationAccountConfig,\n mainAccountCredProvider: AwsCredentialIdentityProvider,\n): AwsCredentialIdentityProvider {\n if (config.roleName) {\n const region = config.region ?? 'us-east-1';\n const partition = config.partition ?? 'aws';\n\n return fromTemporaryCredentials({\n masterCredentials: config.accessKeyId\n ? getStaticCredentials(config.accessKeyId!, config.secretAccessKey!)\n : mainAccountCredProvider,\n params: {\n RoleArn: `arn:${partition}:iam::${config.accountId}:role/${config.roleName}`,\n RoleSessionName: 'backstage',\n ExternalId: config.externalId,\n },\n clientConfig: {\n region,\n customUserAgent: 'backstage-aws-credentials-manager',\n },\n });\n }\n\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain(config.region);\n}\n\n/**\n * Constructs the credential provider needed by the AWS SDK for the main account\n *\n * Order of precedence:\n * 1. Static creds\n * 2. Profile creds\n * 3. Default AWS SDK creds chain\n */\nfunction getMainAccountSdkCredentialProvider(\n config: AwsIntegrationMainAccountConfig,\n): AwsCredentialIdentityProvider {\n if (config.accessKeyId) {\n return getStaticCredentials(config.accessKeyId!, config.secretAccessKey!);\n }\n\n if (config.profile) {\n return getProfileCredentials(config.profile!, config.region);\n }\n\n return getDefaultCredentialsChain(config.region);\n}\n\n/**\n * Handles the creation and caching of credential providers for AWS accounts.\n *\n * @public\n */\nexport class DefaultAwsCredentialsManager implements AwsCredentialsManager {\n static fromConfig(config: Config): DefaultAwsCredentialsManager {\n const awsConfig = config.has('aws')\n ? readAwsIntegrationConfig(config.getConfig('aws'))\n : {\n accounts: [],\n mainAccount: {},\n accountDefaults: {},\n };\n\n const mainAccountSdkCredProvider = getMainAccountSdkCredentialProvider(\n awsConfig.mainAccount,\n );\n const mainAccountCredProvider: AwsCredentialProvider = {\n stsRegion: awsConfig.mainAccount.region,\n sdkCredentialProvider: mainAccountSdkCredProvider,\n };\n\n const accountCredProviders = new Map<string, AwsCredentialProvider>();\n for (const accountConfig of awsConfig.accounts) {\n const sdkCredentialProvider = getSdkCredentialProvider(\n accountConfig,\n mainAccountSdkCredProvider,\n );\n accountCredProviders.set(accountConfig.accountId, {\n accountId: accountConfig.accountId,\n stsRegion: accountConfig.region,\n sdkCredentialProvider,\n });\n }\n\n return new DefaultAwsCredentialsManager(\n accountCredProviders,\n awsConfig.accountDefaults,\n mainAccountCredProvider,\n );\n }\n\n private readonly accountCredentialProviders: Map<\n string,\n AwsCredentialProvider\n >;\n private readonly accountDefaults: AwsIntegrationDefaultAccountConfig;\n private readonly mainAccountCredentialProvider: AwsCredentialProvider;\n\n private constructor(\n accountCredentialProviders: Map<string, AwsCredentialProvider>,\n accountDefaults: AwsIntegrationDefaultAccountConfig,\n mainAccountCredentialProvider: AwsCredentialProvider,\n ) {\n this.accountCredentialProviders = accountCredentialProviders;\n this.accountDefaults = accountDefaults;\n this.mainAccountCredentialProvider = mainAccountCredentialProvider;\n }\n\n /**\n * Returns an {@link AwsCredentialProvider} for a given AWS account.\n *\n * @example\n * ```ts\n * const { provider } = await getCredentialProvider({\n * accountId: '0123456789012',\n * })\n *\n * const { provider } = await getCredentialProvider({\n * arn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service'\n * })\n * ```\n *\n * @param opts - the AWS account ID or AWS resource ARN\n * @returns A promise of {@link AwsCredentialProvider}.\n */\n async getCredentialProvider(\n opts?: AwsCredentialProviderOptions,\n ): Promise<AwsCredentialProvider> {\n // If no options provided, fall back to the main account\n if (!opts) {\n return this.mainAccountCredentialProvider;\n }\n\n // Determine the account ID: either explicitly provided or extracted from the provided ARN\n let accountId = opts.accountId;\n if (opts.arn && !accountId) {\n const arnComponents = parse(opts.arn);\n accountId = arnComponents.accountId;\n }\n\n // If the account ID was not provided (explicitly or in the ARN),\n // fall back to the main account\n if (!accountId) {\n return this.mainAccountCredentialProvider;\n }\n\n // Return a cached provider if available\n if (this.accountCredentialProviders.has(accountId)) {\n return this.accountCredentialProviders.get(accountId)!;\n }\n\n // First, fall back to using the account defaults\n if (this.accountDefaults.roleName) {\n const config: AwsIntegrationAccountConfig = {\n accountId,\n roleName: this.accountDefaults.roleName,\n partition: this.accountDefaults.partition,\n region: this.accountDefaults.region,\n externalId: this.accountDefaults.externalId,\n };\n const sdkCredentialProvider = getSdkCredentialProvider(\n config,\n this.mainAccountCredentialProvider.sdkCredentialProvider,\n );\n const credProvider: AwsCredentialProvider = {\n accountId,\n sdkCredentialProvider,\n };\n this.accountCredentialProviders.set(accountId, credProvider);\n return credProvider;\n }\n\n // Then, fall back to using the main account, but only\n // if the account requested matches the main account ID\n await fillInAccountId(this.mainAccountCredentialProvider);\n if (accountId === this.mainAccountCredentialProvider.accountId) {\n return this.mainAccountCredentialProvider;\n }\n\n // Otherwise, the account needs to be explicitly configured in Backstage\n throw new Error(\n `There is no AWS integration that matches ${accountId}. Please add a configuration for this AWS account.`,\n );\n }\n}\n"],"names":["STSClient","GetCallerIdentityCommand","fromIni","fromNodeProviderChain","fromTemporaryCredentials","config","readAwsIntegrationConfig","parse"],"mappings":";;;;;;;AAyCA,eAAe,gBAAgB,YAAA,EAAqC;AAClE,EAAA,IAAI,aAAa,SAAA,EAAW;AAC1B,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,IAAIA,mBAAA,CAAU;AAAA,IAC3B,MAAA,EAAQ,aAAa,SAAA,IAAa,WAAA;AAAA,IAClC,eAAA,EAAiB,mCAAA;AAAA,IACjB,yBAAA,EAA2B,MAAM,YAAA,CAAa;AAAA,GAC/C,CAAA;AACD,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,IAAA,CAAK,IAAIC,kCAAA,CAAyB,EAAE,CAAC,CAAA;AAC/D,EAAA,YAAA,CAAa,YAAY,IAAA,CAAK,OAAA;AAChC;AAEA,SAAS,oBAAA,CACP,aACA,eAAA,EAC+B;AAC/B,EAAA,OAAO,YAAY;AACjB,IAAA,OAAO,QAAQ,OAAA,CAAQ;AAAA,MACrB,WAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,EACH,CAAA;AACF;AAEA,SAAS,qBAAA,CACP,SACA,MAAA,EAC+B;AAC/B,EAAA,OAAOC,2BAAA,CAAQ;AAAA,IACb,OAAA;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,MAAA;AAAA,MACA,eAAA,EAAiB;AAAA;AACnB,GACD,CAAA;AACH;AAOA,SAAS,0BAAA,CACP,SAAS,WAAA,EACsB;AAC/B,EAAA,OAAOC,0CAAsB,EAAE,YAAA,EAAc,EAAE,MAAA,IAAU,CAAA;AAC3D;AAYA,SAAS,wBAAA,CACP,QACA,uBAAA,EAC+B;AAC/B,EAAA,IAAI,OAAO,QAAA,EAAU;AACnB,IAAA,MAAM,MAAA,GAAS,OAAO,MAAA,IAAU,WAAA;AAChC,IAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,KAAA;AAEtC,IAAA,OAAOC,4CAAA,CAAyB;AAAA,MAC9B,iBAAA,EAAmB,OAAO,WAAA,GACtB,oBAAA,CAAqB,OAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA,GACjE,uBAAA;AAAA,MACJ,MAAA,EAAQ;AAAA,QACN,OAAA,EAAS,OAAO,SAAS,CAAA,MAAA,EAAS,OAAO,SAAS,CAAA,MAAA,EAAS,OAAO,QAAQ,CAAA,CAAA;AAAA,QAC1E,eAAA,EAAiB,WAAA;AAAA,QACjB,YAAY,MAAA,CAAO;AAAA,OACrB;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,MAAA;AAAA,QACA,eAAA,EAAiB;AAAA;AACnB,KACD,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,OAAO,oBAAA,CAAqB,MAAA,CAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA;AAAA,EAC1E;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAO,qBAAA,CAAsB,MAAA,CAAO,OAAA,EAAU,MAAA,CAAO,MAAM,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO,0BAAA,CAA2B,OAAO,MAAM,CAAA;AACjD;AAUA,SAAS,oCACP,MAAA,EAC+B;AAC/B,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,OAAO,oBAAA,CAAqB,MAAA,CAAO,WAAA,EAAc,MAAA,CAAO,eAAgB,CAAA;AAAA,EAC1E;AAEA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,OAAO,qBAAA,CAAsB,MAAA,CAAO,OAAA,EAAU,MAAA,CAAO,MAAM,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO,0BAAA,CAA2B,OAAO,MAAM,CAAA;AACjD;AAOO,MAAM,4BAAA,CAA8D;AAAA,EACzE,OAAO,WAAWC,QAAA,EAA8C;AAC9D,IAAA,MAAM,SAAA,GAAYA,QAAA,CAAO,GAAA,CAAI,KAAK,CAAA,GAC9BC,gCAAyBD,QAAA,CAAO,SAAA,CAAU,KAAK,CAAC,CAAA,GAChD;AAAA,MACE,UAAU,EAAC;AAAA,MACX,aAAa,EAAC;AAAA,MACd,iBAAiB;AAAC,KACpB;AAEJ,IAAA,MAAM,0BAAA,GAA6B,mCAAA;AAAA,MACjC,SAAA,CAAU;AAAA,KACZ;AACA,IAAA,MAAM,uBAAA,GAAiD;AAAA,MACrD,SAAA,EAAW,UAAU,WAAA,CAAY,MAAA;AAAA,MACjC,qBAAA,EAAuB;AAAA,KACzB;AAEA,IAAA,MAAM,oBAAA,uBAA2B,GAAA,EAAmC;AACpE,IAAA,KAAA,MAAW,aAAA,IAAiB,UAAU,QAAA,EAAU;AAC9C,MAAA,MAAM,qBAAA,GAAwB,wBAAA;AAAA,QAC5B,aAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,oBAAA,CAAqB,GAAA,CAAI,cAAc,SAAA,EAAW;AAAA,QAChD,WAAW,aAAA,CAAc,SAAA;AAAA,QACzB,WAAW,aAAA,CAAc,MAAA;AAAA,QACzB;AAAA,OACD,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,4BAAA;AAAA,MACT,oBAAA;AAAA,MACA,SAAA,CAAU,eAAA;AAAA,MACV;AAAA,KACF;AAAA,EACF;AAAA,EAEiB,0BAAA;AAAA,EAIA,eAAA;AAAA,EACA,6BAAA;AAAA,EAET,WAAA,CACN,0BAAA,EACA,eAAA,EACA,6BAAA,EACA;AACA,IAAA,IAAA,CAAK,0BAAA,GAA6B,0BAAA;AAClC,IAAA,IAAA,CAAK,eAAA,GAAkB,eAAA;AACvB,IAAA,IAAA,CAAK,6BAAA,GAAgC,6BAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,sBACJ,IAAA,EACgC;AAEhC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,IAAI,YAAY,IAAA,CAAK,SAAA;AACrB,IAAA,IAAI,IAAA,CAAK,GAAA,IAAO,CAAC,SAAA,EAAW;AAC1B,MAAA,MAAM,aAAA,GAAgBE,mBAAA,CAAM,IAAA,CAAK,GAAG,CAAA;AACpC,MAAA,SAAA,GAAY,aAAA,CAAc,SAAA;AAAA,IAC5B;AAIA,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,IAAI,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAS,CAAA,EAAG;AAClD,MAAA,OAAO,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAS,CAAA;AAAA,IACtD;AAGA,IAAA,IAAI,IAAA,CAAK,gBAAgB,QAAA,EAAU;AACjC,MAAA,MAAM,MAAA,GAAsC;AAAA,QAC1C,SAAA;AAAA,QACA,QAAA,EAAU,KAAK,eAAA,CAAgB,QAAA;AAAA,QAC/B,SAAA,EAAW,KAAK,eAAA,CAAgB,SAAA;AAAA,QAChC,MAAA,EAAQ,KAAK,eAAA,CAAgB,MAAA;AAAA,QAC7B,UAAA,EAAY,KAAK,eAAA,CAAgB;AAAA,OACnC;AACA,MAAA,MAAM,qBAAA,GAAwB,wBAAA;AAAA,QAC5B,MAAA;AAAA,QACA,KAAK,6BAAA,CAA8B;AAAA,OACrC;AACA,MAAA,MAAM,YAAA,GAAsC;AAAA,QAC1C,SAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAAI,SAAA,EAAW,YAAY,CAAA;AAC3D,MAAA,OAAO,YAAA;AAAA,IACT;AAIA,IAAA,MAAM,eAAA,CAAgB,KAAK,6BAA6B,CAAA;AACxD,IAAA,IAAI,SAAA,KAAc,IAAA,CAAK,6BAAA,CAA8B,SAAA,EAAW;AAC9D,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,IACd;AAGA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,4CAA4C,SAAS,CAAA,kDAAA;AAAA,KACvD;AAAA,EACF;AACF;;;;"}
package/dist/index.d.ts CHANGED
@@ -54,10 +54,10 @@ interface AwsCredentialsManager {
54
54
  * @public
55
55
  */
56
56
  declare class DefaultAwsCredentialsManager implements AwsCredentialsManager {
57
+ static fromConfig(config: Config): DefaultAwsCredentialsManager;
57
58
  private readonly accountCredentialProviders;
58
59
  private readonly accountDefaults;
59
60
  private readonly mainAccountCredentialProvider;
60
- static fromConfig(config: Config): DefaultAwsCredentialsManager;
61
61
  private constructor();
62
62
  /**
63
63
  * Returns an {@link AwsCredentialProvider} for a given AWS account.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage/integration-aws-node",
3
- "version": "0.1.18",
3
+ "version": "0.1.19-next.0",
4
4
  "description": "Helpers for fetching AWS account credentials",
5
5
  "backstage": {
6
6
  "role": "node-library"
@@ -41,13 +41,13 @@
41
41
  "@aws-sdk/credential-providers": "^3.350.0",
42
42
  "@aws-sdk/types": "^3.347.0",
43
43
  "@aws-sdk/util-arn-parser": "^3.310.0",
44
- "@backstage/config": "^1.3.5",
45
- "@backstage/errors": "^1.2.7"
44
+ "@backstage/config": "1.3.6-next.0",
45
+ "@backstage/errors": "1.2.7"
46
46
  },
47
47
  "devDependencies": {
48
- "@backstage/cli": "^0.34.4",
49
- "@backstage/config-loader": "^1.10.5",
50
- "@backstage/test-utils": "^1.7.12",
48
+ "@backstage/cli": "0.34.5-next.0",
49
+ "@backstage/config-loader": "1.10.6-next.0",
50
+ "@backstage/test-utils": "1.7.13-next.0",
51
51
  "aws-sdk-client-mock": "^4.0.0",
52
52
  "aws-sdk-client-mock-jest": "^4.0.0"
53
53
  },