@datacules/agent-identity-store-dynamic 0.11.0 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +109 -0
- package/dist/cjs/index.js +155 -0
- package/dist/cjs/index.js.map +1 -0
- package/dist/esm/index.js +148 -0
- package/dist/esm/index.js.map +1 -0
- package/dist/types/index.d.ts +138 -0
- package/dist/types/index.d.ts.map +1 -0
- package/package.json +18 -6
package/LICENSE
ADDED
|
@@ -0,0 +1,109 @@
|
|
|
1
|
+
Datacules Agent Identity License — Version 1.0
|
|
2
|
+
Copyright (c) 2026 Datacules LLC. All rights reserved.
|
|
3
|
+
|
|
4
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
5
|
+
PREAMBLE
|
|
6
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
7
|
+
|
|
8
|
+
This software — Agent Identity & Auth Patterns — is developed and owned by
|
|
9
|
+
Datacules LLC. It is made available to the public as open-source software
|
|
10
|
+
under the permissive terms below.
|
|
11
|
+
|
|
12
|
+
Datacules LLC retains ownership and authorship of this software while
|
|
13
|
+
granting broad, royalty-free rights for anyone to use, copy, modify, and
|
|
14
|
+
distribute it — in commercial or non-commercial contexts — without requiring
|
|
15
|
+
that derivative works also become open source.
|
|
16
|
+
|
|
17
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
18
|
+
TERMS AND CONDITIONS
|
|
19
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
20
|
+
|
|
21
|
+
1. PERMISSION TO USE
|
|
22
|
+
|
|
23
|
+
Permission is hereby granted, free of charge, to any person or
|
|
24
|
+
organization obtaining a copy of this software and associated
|
|
25
|
+
documentation files (the "Software"), to use, copy, modify, merge,
|
|
26
|
+
publish, distribute, sublicense, and/or sell copies of the Software,
|
|
27
|
+
and to permit persons to whom the Software is furnished to do so,
|
|
28
|
+
subject to the conditions below.
|
|
29
|
+
|
|
30
|
+
2. ATTRIBUTION
|
|
31
|
+
|
|
32
|
+
a. Redistributions of source code must retain this copyright notice,
|
|
33
|
+
this list of conditions, and the disclaimer below.
|
|
34
|
+
|
|
35
|
+
b. Redistributions in binary form or as a product must reproduce this
|
|
36
|
+
copyright notice, this list of conditions, and the disclaimer in the
|
|
37
|
+
documentation and/or other materials provided with the distribution.
|
|
38
|
+
|
|
39
|
+
c. Neither the name "Datacules LLC" nor the names of its contributors
|
|
40
|
+
may be used to endorse or promote products derived from this Software
|
|
41
|
+
without prior written permission from Datacules LLC.
|
|
42
|
+
|
|
43
|
+
3. COMMERCIAL USE
|
|
44
|
+
|
|
45
|
+
Use of this Software in commercial products, SaaS platforms, internal
|
|
46
|
+
enterprise tools, or any revenue-generating context is explicitly
|
|
47
|
+
permitted without royalty, fee, or additional licensing agreement,
|
|
48
|
+
provided that the conditions in Section 2 (Attribution) are met.
|
|
49
|
+
|
|
50
|
+
4. NO COPYLEFT / NO VIRAL REQUIREMENT
|
|
51
|
+
|
|
52
|
+
This license does NOT require that derivative works, modifications,
|
|
53
|
+
or software that uses or embeds this Software be made open source.
|
|
54
|
+
You may incorporate this Software into proprietary or closed-source
|
|
55
|
+
products under your own license terms.
|
|
56
|
+
|
|
57
|
+
5. MODIFICATIONS
|
|
58
|
+
|
|
59
|
+
Modified versions of the Software may be distributed under the same
|
|
60
|
+
terms as this license or under any other permissive open-source
|
|
61
|
+
license (e.g. MIT, Apache 2.0, BSD), provided that:
|
|
62
|
+
|
|
63
|
+
a. The original copyright notice of Datacules LLC is preserved.
|
|
64
|
+
b. Modifications are clearly documented and distinguished from the
|
|
65
|
+
original work.
|
|
66
|
+
|
|
67
|
+
6. COMPATIBILITY
|
|
68
|
+
|
|
69
|
+
This license is compatible with other permissive open-source licenses
|
|
70
|
+
such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
|
|
71
|
+
is also GPL-compatible — this Software may coexist with GPL-licensed
|
|
72
|
+
code, though this Software itself is not distributed under the GPL.
|
|
73
|
+
|
|
74
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
75
|
+
DISCLAIMER
|
|
76
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
77
|
+
|
|
78
|
+
THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
|
|
79
|
+
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
80
|
+
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
|
|
81
|
+
AND NON-INFRINGEMENT ARE DISCLAIMED.
|
|
82
|
+
|
|
83
|
+
IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
|
84
|
+
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
85
|
+
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
86
|
+
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
87
|
+
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
88
|
+
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
89
|
+
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
90
|
+
|
|
91
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
92
|
+
SUMMARY (non-binding)
|
|
93
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
94
|
+
|
|
95
|
+
✔ Use freely — commercial, proprietary, or open-source projects
|
|
96
|
+
✔ Modify and distribute with or without changes
|
|
97
|
+
✔ Sell products built on this Software
|
|
98
|
+
✔ No royalties or fees
|
|
99
|
+
✔ No requirement to open-source your own code
|
|
100
|
+
✔ Attribution to Datacules LLC required in source and binary distributions
|
|
101
|
+
✗ Do not use "Datacules LLC" to endorse derived products without permission
|
|
102
|
+
|
|
103
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
104
|
+
CONTACT
|
|
105
|
+
─────────────────────────────────────────────────────────────────────────────
|
|
106
|
+
|
|
107
|
+
Datacules LLC
|
|
108
|
+
For licensing enquiries: legal@datacules.com
|
|
109
|
+
Product: https://github.com/hvrcharon1/agent-identity
|
|
@@ -0,0 +1,155 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.DynamicCredentialStore = exports.AzureManagedIdentityProvisioner = exports.AwsRolesAnywhereProvisioner = exports.VaultDynamicProvisioner = void 0;
|
|
4
|
+
class VaultDynamicProvisioner {
|
|
5
|
+
constructor(opts) {
|
|
6
|
+
this.opts = opts;
|
|
7
|
+
this.id = 'vault-dynamic';
|
|
8
|
+
}
|
|
9
|
+
async provision(_ref) {
|
|
10
|
+
const { vaultAddr, token, mount, role, ttl } = this.opts;
|
|
11
|
+
const url = `${vaultAddr}/v1/${mount}/creds/${role}`;
|
|
12
|
+
const res = await fetch(url, {
|
|
13
|
+
headers: { 'X-Vault-Token': token, ...(ttl ? { 'X-Vault-Wrap-TTL': ttl } : {}) },
|
|
14
|
+
});
|
|
15
|
+
if (!res.ok)
|
|
16
|
+
throw new Error(`Vault provision failed: ${res.status} ${await res.text()}`);
|
|
17
|
+
const body = await res.json();
|
|
18
|
+
const expiresAt = new Date(Date.now() + body.lease_duration * 1000).toISOString();
|
|
19
|
+
return { leaseId: body.lease_id, expiresAt, secret: JSON.stringify(body.data) };
|
|
20
|
+
}
|
|
21
|
+
async revoke(leaseId) {
|
|
22
|
+
const { vaultAddr, token } = this.opts;
|
|
23
|
+
await fetch(`${vaultAddr}/v1/sys/leases/revoke`, {
|
|
24
|
+
method: 'PUT',
|
|
25
|
+
headers: { 'X-Vault-Token': token, 'Content-Type': 'application/json' },
|
|
26
|
+
body: JSON.stringify({ lease_id: leaseId }),
|
|
27
|
+
}).catch(console.error);
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
exports.VaultDynamicProvisioner = VaultDynamicProvisioner;
|
|
31
|
+
/**
|
|
32
|
+
* Provisions temporary AWS credentials via IAM Roles Anywhere.
|
|
33
|
+
* Requires `aws_signing_helper` or equivalent OIDC-based credential exchange.
|
|
34
|
+
*/
|
|
35
|
+
class AwsRolesAnywhereProvisioner {
|
|
36
|
+
constructor(opts) {
|
|
37
|
+
this.opts = opts;
|
|
38
|
+
this.id = 'aws-roles-anywhere';
|
|
39
|
+
}
|
|
40
|
+
async provision(_ref) {
|
|
41
|
+
const { durationSeconds = 3600, region, profileArn, roleArn, trustAnchorArn } = this.opts;
|
|
42
|
+
const endpoint = `https://rolesanywhere.${region}.amazonaws.com/sessions`;
|
|
43
|
+
const res = await fetch(endpoint, {
|
|
44
|
+
method: 'POST',
|
|
45
|
+
headers: { 'Content-Type': 'application/json' },
|
|
46
|
+
body: JSON.stringify({ durationSeconds, profileArn, roleArn, trustAnchorArn }),
|
|
47
|
+
});
|
|
48
|
+
if (!res.ok)
|
|
49
|
+
throw new Error(`AWS Roles Anywhere provision failed: ${res.status}`);
|
|
50
|
+
const body = await res.json();
|
|
51
|
+
const creds = body.credentialSet[0].credentials;
|
|
52
|
+
return {
|
|
53
|
+
leaseId: `aws-session-${Date.now()}`,
|
|
54
|
+
expiresAt: creds.expiration,
|
|
55
|
+
secret: JSON.stringify({
|
|
56
|
+
accessKeyId: creds.accessKeyId,
|
|
57
|
+
secretAccessKey: creds.secretAccessKey,
|
|
58
|
+
sessionToken: creds.sessionToken,
|
|
59
|
+
}),
|
|
60
|
+
};
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
exports.AwsRolesAnywhereProvisioner = AwsRolesAnywhereProvisioner;
|
|
64
|
+
/**
|
|
65
|
+
* Provisions a short-lived Azure AD access token via the Azure Instance
|
|
66
|
+
* Metadata Service (IMDS). Works on Azure VMs, AKS pods with workload identity,
|
|
67
|
+
* App Service, Container Apps, and Azure Arc-enabled servers.
|
|
68
|
+
*
|
|
69
|
+
* The IMDS endpoint is a link-local address (169.254.169.254) only reachable
|
|
70
|
+
* from within an Azure-hosted workload — calls will fail outside Azure.
|
|
71
|
+
*
|
|
72
|
+
* @example
|
|
73
|
+
* ```typescript
|
|
74
|
+
* const store = new DynamicCredentialStore({
|
|
75
|
+
* provisioner: new AzureManagedIdentityProvisioner({
|
|
76
|
+
* resource: 'https://vault.azure.net',
|
|
77
|
+
* }),
|
|
78
|
+
* });
|
|
79
|
+
* ```
|
|
80
|
+
*/
|
|
81
|
+
class AzureManagedIdentityProvisioner {
|
|
82
|
+
constructor(opts) {
|
|
83
|
+
this.opts = opts;
|
|
84
|
+
this.id = 'azure-managed-identity';
|
|
85
|
+
}
|
|
86
|
+
async provision(_ref) {
|
|
87
|
+
const { resource, clientId, apiVersion = '2018-02-01' } = this.opts;
|
|
88
|
+
const imdsUrl = new URL('http://169.254.169.254/metadata/identity/oauth2/token');
|
|
89
|
+
imdsUrl.searchParams.set('api-version', apiVersion);
|
|
90
|
+
imdsUrl.searchParams.set('resource', resource);
|
|
91
|
+
if (clientId)
|
|
92
|
+
imdsUrl.searchParams.set('client_id', clientId);
|
|
93
|
+
const res = await fetch(imdsUrl.toString(), {
|
|
94
|
+
headers: { Metadata: 'true' },
|
|
95
|
+
});
|
|
96
|
+
if (!res.ok) {
|
|
97
|
+
throw new Error(`Azure IMDS token request failed: ${res.status} ${await res.text()}`);
|
|
98
|
+
}
|
|
99
|
+
const body = await res.json();
|
|
100
|
+
const expiresAt = new Date(Date.now() + parseInt(body.expires_in, 10) * 1000).toISOString();
|
|
101
|
+
const identityKind = clientId ? `user-assigned:${clientId}` : 'system-assigned';
|
|
102
|
+
return {
|
|
103
|
+
leaseId: `azure-mi-${identityKind}-${Date.now()}`,
|
|
104
|
+
expiresAt,
|
|
105
|
+
secret: body.access_token,
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
exports.AzureManagedIdentityProvisioner = AzureManagedIdentityProvisioner;
|
|
110
|
+
class DynamicCredentialStore {
|
|
111
|
+
constructor(opts) {
|
|
112
|
+
this.opts = opts;
|
|
113
|
+
this.leaseCache = new Map();
|
|
114
|
+
}
|
|
115
|
+
async findByRef(ref) {
|
|
116
|
+
const cache = this.opts.cache !== false;
|
|
117
|
+
const renew = this.opts.renewBeforeExpireSeconds ?? 60;
|
|
118
|
+
if (cache) {
|
|
119
|
+
const cached = this.leaseCache.get(ref);
|
|
120
|
+
if (cached && cached.expiresAt > Date.now() + renew * 1000) {
|
|
121
|
+
return cached.credential;
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
const provisioned = await this.opts.provisioner.provision(ref);
|
|
125
|
+
const credential = {
|
|
126
|
+
id: `dyn-${provisioned.leaseId}`,
|
|
127
|
+
kind: 'fixed',
|
|
128
|
+
name: `Dynamic credential for ${ref}`,
|
|
129
|
+
scope: 'dynamic',
|
|
130
|
+
status: 'active',
|
|
131
|
+
ref: provisioned.leaseId,
|
|
132
|
+
expiresAt: provisioned.expiresAt,
|
|
133
|
+
lastRotated: new Date().toISOString(),
|
|
134
|
+
};
|
|
135
|
+
if (cache) {
|
|
136
|
+
this.leaseCache.set(ref, {
|
|
137
|
+
credential,
|
|
138
|
+
expiresAt: new Date(provisioned.expiresAt).getTime(),
|
|
139
|
+
});
|
|
140
|
+
}
|
|
141
|
+
return credential;
|
|
142
|
+
}
|
|
143
|
+
async listActive() {
|
|
144
|
+
const now = Date.now();
|
|
145
|
+
return Array.from(this.leaseCache.values())
|
|
146
|
+
.filter((e) => e.expiresAt > now)
|
|
147
|
+
.map((e) => e.credential);
|
|
148
|
+
}
|
|
149
|
+
async listByKind(kind) {
|
|
150
|
+
const active = await this.listActive();
|
|
151
|
+
return active.filter((c) => c.kind === kind);
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
exports.DynamicCredentialStore = DynamicCredentialStore;
|
|
155
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AA6DA,MAAa,uBAAuB;IAGlC,YAA6B,IAAoC;QAApC,SAAI,GAAJ,IAAI,CAAgC;QAFjE,OAAE,GAAG,eAAe,CAAC;IAE+C,CAAC;IAErE,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QACzD,MAAM,GAAG,GAAG,GAAG,SAAS,OAAO,KAAK,UAAU,IAAI,EAAE,CAAC;QACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE;SACjF,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC1F,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAgF,CAAC;QAC5G,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAClF,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe;QAC1B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QACvC,MAAM,KAAK,CAAC,GAAG,SAAS,uBAAuB,EAAE;YAC/C,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACvE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;SAC5C,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACF;AAzBD,0DAyBC;AAeD;;;GAGG;AACH,MAAa,2BAA2B;IAGtC,YAA6B,IAAwC;QAAxC,SAAI,GAAJ,IAAI,CAAoC;QAFrE,OAAE,GAAG,oBAAoB,CAAC;IAE8C,CAAC;IAEzE,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,eAAe,GAAG,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1F,MAAM,QAAQ,GAAG,yBAAyB,MAAM,yBAAyB,CAAC;QAC1E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;SAC/E,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACnF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAE1B,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAChD,OAAO;YACL,OAAO,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE;YACpC,SAAS,EAAE,KAAK,CAAC,UAAU;YAC3B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;gBACrB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,eAAe,EAAE,KAAK,CAAC,eAAe;gBACtC,YAAY,EAAE,KAAK,CAAC,YAAY;aACjC,CAAC;SACH,CAAC;IACJ,CAAC;CACF;AA5BD,kEA4BC;AAwBD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,+BAA+B;IAG1C,YAA6B,IAA4C;QAA5C,SAAI,GAAJ,IAAI,CAAwC;QAFzE,OAAE,GAAG,wBAAwB,CAAC;IAE8C,CAAC;IAE7E,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,GAAG,YAAY,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAEpE,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,uDAAuD,CACxD,CAAC;QACF,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACpD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ;YAAE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAE9D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,oCAAoC,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CACrE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAK1B,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,IAAI,CACxB,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAClD,CAAC,WAAW,EAAE,CAAC;QAEhB,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC,CAAC,iBAAiB,CAAC;QAEhF,OAAO;YACL,OAAO,EAAE,YAAY,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE;YACjD,SAAS;YACT,MAAM,EAAE,IAAI,CAAC,YAAY;SAC1B,CAAC;IACJ,CAAC;CACF;AA3CD,0EA2CC;AAYD,MAAa,sBAAsB;IAGjC,YAA6B,IAAmC;QAAnC,SAAI,GAAJ,IAAI,CAA+B;QAF/C,eAAU,GAAG,IAAI,GAAG,EAAyD,CAAC;IAE5B,CAAC;IAEpE,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,wBAAwB,IAAI,EAAE,CAAC;QAEvD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,IAAI,EAAE,CAAC;gBAC3D,OAAO,MAAM,CAAC,UAAU,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,OAAO,WAAW,CAAC,OAAO,EAAE;YAChC,IAAI,EAAE,OAAyB;YAC/B,IAAI,EAAE,0BAA0B,GAAG,EAAE;YACrC,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,QAAQ;YAChB,GAAG,EAAE,WAAW,CAAC,OAAO;YACxB,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE;gBACvB,UAAU;gBACV,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC/C,CAAC;CACF;AAjDD,wDAiDC"}
|
|
@@ -0,0 +1,148 @@
|
|
|
1
|
+
export class VaultDynamicProvisioner {
|
|
2
|
+
constructor(opts) {
|
|
3
|
+
this.opts = opts;
|
|
4
|
+
this.id = 'vault-dynamic';
|
|
5
|
+
}
|
|
6
|
+
async provision(_ref) {
|
|
7
|
+
const { vaultAddr, token, mount, role, ttl } = this.opts;
|
|
8
|
+
const url = `${vaultAddr}/v1/${mount}/creds/${role}`;
|
|
9
|
+
const res = await fetch(url, {
|
|
10
|
+
headers: { 'X-Vault-Token': token, ...(ttl ? { 'X-Vault-Wrap-TTL': ttl } : {}) },
|
|
11
|
+
});
|
|
12
|
+
if (!res.ok)
|
|
13
|
+
throw new Error(`Vault provision failed: ${res.status} ${await res.text()}`);
|
|
14
|
+
const body = await res.json();
|
|
15
|
+
const expiresAt = new Date(Date.now() + body.lease_duration * 1000).toISOString();
|
|
16
|
+
return { leaseId: body.lease_id, expiresAt, secret: JSON.stringify(body.data) };
|
|
17
|
+
}
|
|
18
|
+
async revoke(leaseId) {
|
|
19
|
+
const { vaultAddr, token } = this.opts;
|
|
20
|
+
await fetch(`${vaultAddr}/v1/sys/leases/revoke`, {
|
|
21
|
+
method: 'PUT',
|
|
22
|
+
headers: { 'X-Vault-Token': token, 'Content-Type': 'application/json' },
|
|
23
|
+
body: JSON.stringify({ lease_id: leaseId }),
|
|
24
|
+
}).catch(console.error);
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* Provisions temporary AWS credentials via IAM Roles Anywhere.
|
|
29
|
+
* Requires `aws_signing_helper` or equivalent OIDC-based credential exchange.
|
|
30
|
+
*/
|
|
31
|
+
export class AwsRolesAnywhereProvisioner {
|
|
32
|
+
constructor(opts) {
|
|
33
|
+
this.opts = opts;
|
|
34
|
+
this.id = 'aws-roles-anywhere';
|
|
35
|
+
}
|
|
36
|
+
async provision(_ref) {
|
|
37
|
+
const { durationSeconds = 3600, region, profileArn, roleArn, trustAnchorArn } = this.opts;
|
|
38
|
+
const endpoint = `https://rolesanywhere.${region}.amazonaws.com/sessions`;
|
|
39
|
+
const res = await fetch(endpoint, {
|
|
40
|
+
method: 'POST',
|
|
41
|
+
headers: { 'Content-Type': 'application/json' },
|
|
42
|
+
body: JSON.stringify({ durationSeconds, profileArn, roleArn, trustAnchorArn }),
|
|
43
|
+
});
|
|
44
|
+
if (!res.ok)
|
|
45
|
+
throw new Error(`AWS Roles Anywhere provision failed: ${res.status}`);
|
|
46
|
+
const body = await res.json();
|
|
47
|
+
const creds = body.credentialSet[0].credentials;
|
|
48
|
+
return {
|
|
49
|
+
leaseId: `aws-session-${Date.now()}`,
|
|
50
|
+
expiresAt: creds.expiration,
|
|
51
|
+
secret: JSON.stringify({
|
|
52
|
+
accessKeyId: creds.accessKeyId,
|
|
53
|
+
secretAccessKey: creds.secretAccessKey,
|
|
54
|
+
sessionToken: creds.sessionToken,
|
|
55
|
+
}),
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
/**
|
|
60
|
+
* Provisions a short-lived Azure AD access token via the Azure Instance
|
|
61
|
+
* Metadata Service (IMDS). Works on Azure VMs, AKS pods with workload identity,
|
|
62
|
+
* App Service, Container Apps, and Azure Arc-enabled servers.
|
|
63
|
+
*
|
|
64
|
+
* The IMDS endpoint is a link-local address (169.254.169.254) only reachable
|
|
65
|
+
* from within an Azure-hosted workload — calls will fail outside Azure.
|
|
66
|
+
*
|
|
67
|
+
* @example
|
|
68
|
+
* ```typescript
|
|
69
|
+
* const store = new DynamicCredentialStore({
|
|
70
|
+
* provisioner: new AzureManagedIdentityProvisioner({
|
|
71
|
+
* resource: 'https://vault.azure.net',
|
|
72
|
+
* }),
|
|
73
|
+
* });
|
|
74
|
+
* ```
|
|
75
|
+
*/
|
|
76
|
+
export class AzureManagedIdentityProvisioner {
|
|
77
|
+
constructor(opts) {
|
|
78
|
+
this.opts = opts;
|
|
79
|
+
this.id = 'azure-managed-identity';
|
|
80
|
+
}
|
|
81
|
+
async provision(_ref) {
|
|
82
|
+
const { resource, clientId, apiVersion = '2018-02-01' } = this.opts;
|
|
83
|
+
const imdsUrl = new URL('http://169.254.169.254/metadata/identity/oauth2/token');
|
|
84
|
+
imdsUrl.searchParams.set('api-version', apiVersion);
|
|
85
|
+
imdsUrl.searchParams.set('resource', resource);
|
|
86
|
+
if (clientId)
|
|
87
|
+
imdsUrl.searchParams.set('client_id', clientId);
|
|
88
|
+
const res = await fetch(imdsUrl.toString(), {
|
|
89
|
+
headers: { Metadata: 'true' },
|
|
90
|
+
});
|
|
91
|
+
if (!res.ok) {
|
|
92
|
+
throw new Error(`Azure IMDS token request failed: ${res.status} ${await res.text()}`);
|
|
93
|
+
}
|
|
94
|
+
const body = await res.json();
|
|
95
|
+
const expiresAt = new Date(Date.now() + parseInt(body.expires_in, 10) * 1000).toISOString();
|
|
96
|
+
const identityKind = clientId ? `user-assigned:${clientId}` : 'system-assigned';
|
|
97
|
+
return {
|
|
98
|
+
leaseId: `azure-mi-${identityKind}-${Date.now()}`,
|
|
99
|
+
expiresAt,
|
|
100
|
+
secret: body.access_token,
|
|
101
|
+
};
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
export class DynamicCredentialStore {
|
|
105
|
+
constructor(opts) {
|
|
106
|
+
this.opts = opts;
|
|
107
|
+
this.leaseCache = new Map();
|
|
108
|
+
}
|
|
109
|
+
async findByRef(ref) {
|
|
110
|
+
const cache = this.opts.cache !== false;
|
|
111
|
+
const renew = this.opts.renewBeforeExpireSeconds ?? 60;
|
|
112
|
+
if (cache) {
|
|
113
|
+
const cached = this.leaseCache.get(ref);
|
|
114
|
+
if (cached && cached.expiresAt > Date.now() + renew * 1000) {
|
|
115
|
+
return cached.credential;
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
const provisioned = await this.opts.provisioner.provision(ref);
|
|
119
|
+
const credential = {
|
|
120
|
+
id: `dyn-${provisioned.leaseId}`,
|
|
121
|
+
kind: 'fixed',
|
|
122
|
+
name: `Dynamic credential for ${ref}`,
|
|
123
|
+
scope: 'dynamic',
|
|
124
|
+
status: 'active',
|
|
125
|
+
ref: provisioned.leaseId,
|
|
126
|
+
expiresAt: provisioned.expiresAt,
|
|
127
|
+
lastRotated: new Date().toISOString(),
|
|
128
|
+
};
|
|
129
|
+
if (cache) {
|
|
130
|
+
this.leaseCache.set(ref, {
|
|
131
|
+
credential,
|
|
132
|
+
expiresAt: new Date(provisioned.expiresAt).getTime(),
|
|
133
|
+
});
|
|
134
|
+
}
|
|
135
|
+
return credential;
|
|
136
|
+
}
|
|
137
|
+
async listActive() {
|
|
138
|
+
const now = Date.now();
|
|
139
|
+
return Array.from(this.leaseCache.values())
|
|
140
|
+
.filter((e) => e.expiresAt > now)
|
|
141
|
+
.map((e) => e.credential);
|
|
142
|
+
}
|
|
143
|
+
async listByKind(kind) {
|
|
144
|
+
const active = await this.listActive();
|
|
145
|
+
return active.filter((c) => c.kind === kind);
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AA6DA,MAAM,OAAO,uBAAuB;IAGlC,YAA6B,IAAoC;QAApC,SAAI,GAAJ,IAAI,CAAgC;QAFjE,OAAE,GAAG,eAAe,CAAC;IAE+C,CAAC;IAErE,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QACzD,MAAM,GAAG,GAAG,GAAG,SAAS,OAAO,KAAK,UAAU,IAAI,EAAE,CAAC;QACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE;SACjF,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC1F,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAgF,CAAC;QAC5G,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAClF,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe;QAC1B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QACvC,MAAM,KAAK,CAAC,GAAG,SAAS,uBAAuB,EAAE;YAC/C,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACvE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;SAC5C,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACF;AAeD;;;GAGG;AACH,MAAM,OAAO,2BAA2B;IAGtC,YAA6B,IAAwC;QAAxC,SAAI,GAAJ,IAAI,CAAoC;QAFrE,OAAE,GAAG,oBAAoB,CAAC;IAE8C,CAAC;IAEzE,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,eAAe,GAAG,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1F,MAAM,QAAQ,GAAG,yBAAyB,MAAM,yBAAyB,CAAC;QAC1E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;SAC/E,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACnF,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAE1B,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAChD,OAAO;YACL,OAAO,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE;YACpC,SAAS,EAAE,KAAK,CAAC,UAAU;YAC3B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;gBACrB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,eAAe,EAAE,KAAK,CAAC,eAAe;gBACtC,YAAY,EAAE,KAAK,CAAC,YAAY;aACjC,CAAC;SACH,CAAC;IACJ,CAAC;CACF;AAwBD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,+BAA+B;IAG1C,YAA6B,IAA4C;QAA5C,SAAI,GAAJ,IAAI,CAAwC;QAFzE,OAAE,GAAG,wBAAwB,CAAC;IAE8C,CAAC;IAE7E,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,GAAG,YAAY,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;QAEpE,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,uDAAuD,CACxD,CAAC;QACF,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACpD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ;YAAE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAE9D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,oCAAoC,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CACrE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAK1B,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,IAAI,CACxB,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAClD,CAAC,WAAW,EAAE,CAAC;QAEhB,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC,CAAC,iBAAiB,CAAC;QAEhF,OAAO;YACL,OAAO,EAAE,YAAY,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE;YACjD,SAAS;YACT,MAAM,EAAE,IAAI,CAAC,YAAY;SAC1B,CAAC;IACJ,CAAC;CACF;AAYD,MAAM,OAAO,sBAAsB;IAGjC,YAA6B,IAAmC;QAAnC,SAAI,GAAJ,IAAI,CAA+B;QAF/C,eAAU,GAAG,IAAI,GAAG,EAAyD,CAAC;IAE5B,CAAC;IAEpE,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,wBAAwB,IAAI,EAAE,CAAC;QAEvD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,IAAI,EAAE,CAAC;gBAC3D,OAAO,MAAM,CAAC,UAAU,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,OAAO,WAAW,CAAC,OAAO,EAAE;YAChC,IAAI,EAAE,OAAyB;YAC/B,IAAI,EAAE,0BAA0B,GAAG,EAAE;YACrC,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,QAAQ;YAChB,GAAG,EAAE,WAAW,CAAC,OAAO;YACxB,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtC,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE;gBACvB,UAAU;gBACV,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC/C,CAAC;CACF"}
|
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @datacules/agent-identity-store-dynamic
|
|
3
|
+
*
|
|
4
|
+
* Just-in-time credential provisioning. Credentials don't exist until the
|
|
5
|
+
* agent requests them. Mints a short-lived secret on demand and returns its
|
|
6
|
+
* ref. The upstream system (Vault, AWS, Azure) revokes the secret when the
|
|
7
|
+
* TTL expires — no long-lived static credentials sit in the store at all.
|
|
8
|
+
*
|
|
9
|
+
* Usage:
|
|
10
|
+
* import { DynamicCredentialStore, VaultDynamicProvisioner } from '@datacules/agent-identity-store-dynamic';
|
|
11
|
+
*
|
|
12
|
+
* const store = new DynamicCredentialStore({
|
|
13
|
+
* provisioner: new VaultDynamicProvisioner({
|
|
14
|
+
* vaultAddr: 'http://vault:8200',
|
|
15
|
+
* token: process.env.VAULT_TOKEN!,
|
|
16
|
+
* mount: 'database',
|
|
17
|
+
* role: 'crm-readonly',
|
|
18
|
+
* ttl: '30m',
|
|
19
|
+
* }),
|
|
20
|
+
* });
|
|
21
|
+
*
|
|
22
|
+
* const router = createRouterFromStore(store, rules, logger);
|
|
23
|
+
*/
|
|
24
|
+
import type { Credential, CredentialStore, CredentialKind } from '@datacules/agent-identity';
|
|
25
|
+
export interface DynamicProvisioner {
|
|
26
|
+
/** ID that matches the ref prefix used in routing rules, e.g. 'vault-db' */
|
|
27
|
+
id: string;
|
|
28
|
+
/**
|
|
29
|
+
* Mint a new short-lived secret and return a ref (lease ID or ARN) that
|
|
30
|
+
* the router can use to retrieve the actual secret later.
|
|
31
|
+
*/
|
|
32
|
+
provision(ref: string): Promise<ProvisionedSecret>;
|
|
33
|
+
/** Revoke a lease/secret early (called on router shutdown) */
|
|
34
|
+
revoke?(leaseId: string): Promise<void>;
|
|
35
|
+
}
|
|
36
|
+
export interface ProvisionedSecret {
|
|
37
|
+
/** Opaque ref / lease ID — passed to your vault fetch function, never to the model */
|
|
38
|
+
leaseId: string;
|
|
39
|
+
/** ISO 8601 lease expiry */
|
|
40
|
+
expiresAt: string;
|
|
41
|
+
/** The raw secret — kept server-side only, never passed to the model layer */
|
|
42
|
+
secret?: string;
|
|
43
|
+
}
|
|
44
|
+
export interface VaultDynamicProvisionerOptions {
|
|
45
|
+
vaultAddr: string;
|
|
46
|
+
token: string;
|
|
47
|
+
/** KV or secrets engine mount path */
|
|
48
|
+
mount: string;
|
|
49
|
+
/** Vault role that defines the secret scope */
|
|
50
|
+
role: string;
|
|
51
|
+
/** Lease duration e.g. '30m', '1h' */
|
|
52
|
+
ttl?: string;
|
|
53
|
+
}
|
|
54
|
+
export declare class VaultDynamicProvisioner implements DynamicProvisioner {
|
|
55
|
+
private readonly opts;
|
|
56
|
+
id: string;
|
|
57
|
+
constructor(opts: VaultDynamicProvisionerOptions);
|
|
58
|
+
provision(_ref: string): Promise<ProvisionedSecret>;
|
|
59
|
+
revoke(leaseId: string): Promise<void>;
|
|
60
|
+
}
|
|
61
|
+
export interface AwsRolesAnywhereProvisionerOptions {
|
|
62
|
+
profileArn: string;
|
|
63
|
+
roleArn: string;
|
|
64
|
+
trustAnchorArn: string;
|
|
65
|
+
region: string;
|
|
66
|
+
/** Duration in seconds (900–3600) */
|
|
67
|
+
durationSeconds?: number;
|
|
68
|
+
/** Path to certificate PEM for signing */
|
|
69
|
+
certPath?: string;
|
|
70
|
+
}
|
|
71
|
+
/**
|
|
72
|
+
* Provisions temporary AWS credentials via IAM Roles Anywhere.
|
|
73
|
+
* Requires `aws_signing_helper` or equivalent OIDC-based credential exchange.
|
|
74
|
+
*/
|
|
75
|
+
export declare class AwsRolesAnywhereProvisioner implements DynamicProvisioner {
|
|
76
|
+
private readonly opts;
|
|
77
|
+
id: string;
|
|
78
|
+
constructor(opts: AwsRolesAnywhereProvisionerOptions);
|
|
79
|
+
provision(_ref: string): Promise<ProvisionedSecret>;
|
|
80
|
+
}
|
|
81
|
+
export interface AzureManagedIdentityProvisionerOptions {
|
|
82
|
+
/**
|
|
83
|
+
* The resource URI (audience) for the token.
|
|
84
|
+
* e.g. 'https://vault.azure.net' for Azure Key Vault,
|
|
85
|
+
* 'https://management.azure.com/' for ARM,
|
|
86
|
+
* 'https://storage.azure.com/' for Blob Storage.
|
|
87
|
+
*/
|
|
88
|
+
resource: string;
|
|
89
|
+
/**
|
|
90
|
+
* Client ID for a user-assigned managed identity.
|
|
91
|
+
* Omit to use the system-assigned managed identity of the host VM/container.
|
|
92
|
+
*/
|
|
93
|
+
clientId?: string;
|
|
94
|
+
/**
|
|
95
|
+
* IMDS API version (default: '2018-02-01').
|
|
96
|
+
* Use '2019-08-01' for Arc-enabled servers.
|
|
97
|
+
*/
|
|
98
|
+
apiVersion?: string;
|
|
99
|
+
}
|
|
100
|
+
/**
|
|
101
|
+
* Provisions a short-lived Azure AD access token via the Azure Instance
|
|
102
|
+
* Metadata Service (IMDS). Works on Azure VMs, AKS pods with workload identity,
|
|
103
|
+
* App Service, Container Apps, and Azure Arc-enabled servers.
|
|
104
|
+
*
|
|
105
|
+
* The IMDS endpoint is a link-local address (169.254.169.254) only reachable
|
|
106
|
+
* from within an Azure-hosted workload — calls will fail outside Azure.
|
|
107
|
+
*
|
|
108
|
+
* @example
|
|
109
|
+
* ```typescript
|
|
110
|
+
* const store = new DynamicCredentialStore({
|
|
111
|
+
* provisioner: new AzureManagedIdentityProvisioner({
|
|
112
|
+
* resource: 'https://vault.azure.net',
|
|
113
|
+
* }),
|
|
114
|
+
* });
|
|
115
|
+
* ```
|
|
116
|
+
*/
|
|
117
|
+
export declare class AzureManagedIdentityProvisioner implements DynamicProvisioner {
|
|
118
|
+
private readonly opts;
|
|
119
|
+
id: string;
|
|
120
|
+
constructor(opts: AzureManagedIdentityProvisionerOptions);
|
|
121
|
+
provision(_ref: string): Promise<ProvisionedSecret>;
|
|
122
|
+
}
|
|
123
|
+
export interface DynamicCredentialStoreOptions {
|
|
124
|
+
provisioner: DynamicProvisioner;
|
|
125
|
+
/** Cache unexpired leases (default: true) */
|
|
126
|
+
cache?: boolean;
|
|
127
|
+
/** Renew cache entry N seconds before expiry (default: 60) */
|
|
128
|
+
renewBeforeExpireSeconds?: number;
|
|
129
|
+
}
|
|
130
|
+
export declare class DynamicCredentialStore implements CredentialStore {
|
|
131
|
+
private readonly opts;
|
|
132
|
+
private readonly leaseCache;
|
|
133
|
+
constructor(opts: DynamicCredentialStoreOptions);
|
|
134
|
+
findByRef(ref: string): Promise<Credential | null>;
|
|
135
|
+
listActive(): Promise<Credential[]>;
|
|
136
|
+
listByKind(kind: CredentialKind): Promise<Credential[]>;
|
|
137
|
+
}
|
|
138
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAI7F,MAAM,WAAW,kBAAkB;IACjC,4EAA4E;IAC5E,EAAE,EAAE,MAAM,CAAC;IACX;;;OAGG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACnD,8DAA8D;IAC9D,MAAM,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,iBAAiB;IAChC,sFAAsF;IACtF,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,MAAM,WAAW,8BAA8B;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,qBAAa,uBAAwB,YAAW,kBAAkB;IAGpD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,EAAE,SAAmB;gBAEQ,IAAI,EAAE,8BAA8B;IAE3D,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAYnD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAQ7C;AAID,MAAM,WAAW,kCAAkC;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,qBAAa,2BAA4B,YAAW,kBAAkB;IAGxD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,EAAE,SAAwB;gBAEG,IAAI,EAAE,kCAAkC;IAE/D,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAuB1D;AAID,MAAM,WAAW,sCAAsC;IACrD;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,+BAAgC,YAAW,kBAAkB;IAG5D,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,EAAE,SAA4B;gBAED,IAAI,EAAE,sCAAsC;IAEnE,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAsC1D;AAID,MAAM,WAAW,6BAA6B;IAC5C,WAAW,EAAE,kBAAkB,CAAC;IAChC,6CAA6C;IAC7C,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,8DAA8D;IAC9D,wBAAwB,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,qBAAa,sBAAuB,YAAW,eAAe;IAGhD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAoE;gBAElE,IAAI,EAAE,6BAA6B;IAE1D,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiClD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAOnC,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;CAI9D"}
|
package/package.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@datacules/agent-identity-store-dynamic",
|
|
3
|
-
"version": "0.11.
|
|
3
|
+
"version": "0.11.1",
|
|
4
4
|
"private": false,
|
|
5
5
|
"description": "Just-in-time credential provisioning store for @datacules/agent-identity — mints short-lived secrets on demand via Vault dynamic secrets or AWS IAM Roles Anywhere",
|
|
6
6
|
"author": "Datacules LLC",
|
|
7
|
-
"license": "
|
|
7
|
+
"license": "SEE LICENSE IN LICENSE",
|
|
8
8
|
"repository": {
|
|
9
9
|
"type": "git",
|
|
10
10
|
"url": "https://github.com/hvrcharon1/agent-identity.git",
|
|
@@ -22,10 +22,11 @@
|
|
|
22
22
|
},
|
|
23
23
|
"files": [
|
|
24
24
|
"dist",
|
|
25
|
-
"README.md"
|
|
25
|
+
"README.md",
|
|
26
|
+
"LICENSE"
|
|
26
27
|
],
|
|
27
28
|
"scripts": {
|
|
28
|
-
"build": "tsc -p tsconfig.build.json",
|
|
29
|
+
"build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
|
|
29
30
|
"type-check": "tsc --noEmit",
|
|
30
31
|
"lint": "eslint src --ext .ts"
|
|
31
32
|
},
|
|
@@ -34,6 +35,17 @@
|
|
|
34
35
|
"typescript": "^5"
|
|
35
36
|
},
|
|
36
37
|
"peerDependencies": {
|
|
37
|
-
"@datacules/agent-identity": "^0.
|
|
38
|
-
}
|
|
38
|
+
"@datacules/agent-identity": "^0.11.1"
|
|
39
|
+
},
|
|
40
|
+
"keywords": [
|
|
41
|
+
"agent-identity",
|
|
42
|
+
"jit",
|
|
43
|
+
"dynamic-credentials",
|
|
44
|
+
"vault",
|
|
45
|
+
"aws",
|
|
46
|
+
"azure",
|
|
47
|
+
"managed-identity",
|
|
48
|
+
"ai-agents",
|
|
49
|
+
"datacules"
|
|
50
|
+
]
|
|
39
51
|
}
|