@distilled.cloud/aws 0.20.2 → 0.21.0

package/src/auth.ts

@@ -5,9 +5,14 @@ import * as FileSystem from "effect/FileSystem";
 import * as Option from "effect/Option";
 import * as Path from "effect/Path";
 import * as Redacted from "effect/Redacted";
-import * as Context from "effect/Context";
 import * as HttpClient from "effect/unstable/http/HttpClient";
 import { createHash } from "node:crypto";
+import {
+  Auth,
+  type AwsProfileConfig,
+  type SsoProfileConfig,
+  type SSOToken,
+} from "./auth.browser.ts";
 import {
   ConflictingSSORegion,
   ConflictingSSOStartUrl,
@@ -18,11 +23,12 @@ import {
   SsoPortalError,
   SsoRegion,
   SsoStartUrl,
-  type CredentialsError,
   type ResolvedCredentials,
 } from "./credentials.ts";
 import { parseIni, parseSSOSessionData } from "./util/parse-ini.ts";
 
+export * from "./auth.browser.ts";
+
 /**
  * The time window (5 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
  * This is needed because server side may have invalidated the token before the defined expiration date.
@@ -31,18 +37,6 @@ const EXPIRE_WINDOW_MS = 5 * 60 * 1000;
 
 const REFRESH_MESSAGE = `To refresh this SSO session run 'aws sso login' with the corresponding profile.`;
 
-export class Auth extends Context.Service<
-  Auth,
-  {
-    loadProfile: (
-      profileName: string,
-    ) => Effect.Effect<AwsProfileConfig, CredentialsError>;
-    loadProfileCredentials: (
-      profileName: string,
-    ) => Effect.Effect<ResolvedCredentials, CredentialsError>;
-  }
->()("distilled-aws/AWS/Auth") {}
-
 export const Default = Effect.serviceOption(Auth).pipe(
   Effect.map(Option.getOrUndefined),
   Effect.flatMap((c) => (c ? Effect.succeed(c) : makeAuthService())),
@@ -286,67 +280,3 @@ export const makeAuthService = () =>
       loadProfileCredentials,
     });
   });
-
-export interface AwsProfileConfig {
-  sso_session?: string;
-  sso_account_id?: string;
-  sso_role_name?: string;
-  region?: string;
-  output?: string;
-  sso_start_url?: string;
-  sso_region?: string;
-}
-export interface SsoProfileConfig extends AwsProfileConfig {
-  sso_start_url: string;
-  sso_region: string;
-  sso_account_id: string;
-  sso_role_name: string;
-}
-
-/**
- * Cached SSO token retrieved from SSO login flow.
- * @public
- */
-export interface SSOToken {
-  /**
-   * A base64 encoded string returned by the sso-oidc service.
-   */
-  accessToken: string;
-
-  /**
-   * The expiration time of the accessToken as an RFC 3339 formatted timestamp.
-   */
-  expiresAt: string;
-
-  /**
-   * The token used to obtain an access token in the event that the accessToken is invalid or expired.
-   */
-  refreshToken?: string;
-
-  /**
-   * The unique identifier string for each client. The client ID generated when performing the registration
-   * portion of the OIDC authorization flow. This is used to refresh the accessToken.
-   */
-  clientId?: string;
-
-  /**
-   * A secret string generated when performing the registration portion of the OIDC authorization flow.
-   * This is used to refresh the accessToken.
-   */
-  clientSecret?: string;
-
-  /**
-   * The expiration time of the client registration (clientId and clientSecret) as an RFC 3339 formatted timestamp.
-   */
-  registrationExpiresAt?: string;
-
-  /**
-   * The configured sso_region for the profile that credentials are being resolved for.
-   */
-  region?: string;
-
-  /**
-   * The configured sso_start_url for the profile that credentials are being resolved for.
-   */
-  startUrl?: string;
-}

package/src/client/api.ts

@@ -22,7 +22,9 @@ import {
   type ResponseParserOptions,
 } from "./response-parser.ts";
 
-import { Credentials, Endpoint, Region } from "../index.ts";
+import * as Credentials from "../credentials.browser.ts";
+import * as Endpoint from "../endpoint.ts";
+import * as Region from "../region.ts";
 
 export interface MakeOptions extends ResponseParserOptions {}
 

package/src/credentials.browser.ts

@@ -0,0 +1,267 @@
+import { fromHttp as _fromHttp } from "@aws-sdk/credential-providers";
+
+import {
+  type AwsCredentialIdentity,
+  type AwsCredentialIdentityProvider,
+} from "@smithy/types";
+import * as Context from "effect/Context";
+import * as Data from "effect/Data";
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import type { PlatformError } from "effect/PlatformError";
+import * as Redacted from "effect/Redacted";
+import type { HttpClientError } from "effect/unstable/http/HttpClientError";
+export * as AWSTypes from "@aws-sdk/types";
+
+export interface AwsCredentials {
+  readonly accessKeyId: string;
+  readonly secretAccessKey: string;
+  readonly sessionToken?: string;
+}
+
+/**
+ * Resolved credential values ready for request signing.
+ */
+export interface ResolvedCredentials {
+  readonly accessKeyId: Redacted.Redacted<string>;
+  readonly secretAccessKey: Redacted.Redacted<string>;
+  readonly sessionToken: Redacted.Redacted<string> | undefined;
+  readonly expiration?: number;
+}
+
+/**
+ * The requirements for resolving credentials (HttpClient for SSO, FileSystem for cache).
+ */
+
+/**
+ * Error types that can occur during credential resolution.
+ */
+export type CredentialsError =
+  | AwsCredentialProviderError
+  | ProfileNotFound
+  | InvalidSSOProfile
+  | InvalidSSOToken
+  | ExpiredSSOToken
+  | ConflictingSSORegion
+  | ConflictingSSOStartUrl
+  | SsoPortalError
+  | HttpClientError
+  | PlatformError;
+
+export class Credentials extends Context.Service<
+  Credentials,
+  Effect.Effect<ResolvedCredentials, CredentialsError>
+>()("AWS::Credentials") {}
+
+export const mock = Layer.succeed(
+  Credentials,
+  Effect.succeed({
+    accessKeyId: Redacted.make("test"),
+    secretAccessKey: Redacted.make("test"),
+    sessionToken: Redacted.make("test"),
+  }),
+);
+
+/**
+ * Create resolved credentials from an AWS credential identity.
+ */
+export const fromAwsCredentialIdentity = (
+  identity: AwsCredentialIdentity,
+): ResolvedCredentials => ({
+  accessKeyId: Redacted.make(identity.accessKeyId),
+  secretAccessKey: Redacted.make(identity.secretAccessKey),
+  sessionToken: identity.sessionToken
+    ? Redacted.make(identity.sessionToken)
+    : undefined,
+  expiration: identity.expiration?.getTime(),
+});
+
+type ProviderName =
+  | "env"
+  | "ini"
+  | "chain"
+  | "container"
+  | "http"
+  | "process"
+  | "token-file";
+
+export const providerHints = (
+  provider: ProviderName,
+): ReadonlyArray<string> | undefined => {
+  switch (provider) {
+    case "env":
+      return [
+        "Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN if needed).",
+      ];
+    case "ini":
+      return ["Check ~/.aws/credentials and ~/.aws/config for the profile."];
+    case "chain":
+      return [
+        "Configure at least one credential source for the default chain.",
+        "If using SSO, run `aws sso login` for the profile.",
+      ];
+    case "container":
+      return ["Ensure a container credential endpoint is available."];
+    case "http":
+      return ["Ensure the configured credential endpoint is reachable."];
+    case "process":
+      return [
+        "Set AWS_CREDENTIAL_PROCESS to a valid command and ensure it exits successfully.",
+      ];
+    case "token-file":
+      return [
+        "Set AWS_WEB_IDENTITY_TOKEN_FILE and ensure the file is readable.",
+      ];
+    default:
+      return;
+  }
+};
+
+/**
+ * Time window (5 mins) to refresh credentials before they actually expire.
+ * This prevents using credentials that are about to expire.
+ */
+const CREDENTIAL_REFRESH_WINDOW_MS = 5 * 60 * 1000;
+
+/**
+ * Create a credentials effect with lazy resolution and expiration-aware caching.
+ * Uses Effect.cachedWithTTL where the TTL is computed from the credentials' expiration.
+ */
+export const createCachedCredentialsEffect = <E, R>(
+  resolve: Effect.Effect<ResolvedCredentials, E, R>,
+): Effect.Effect<ResolvedCredentials, E, R> => {
+  let cachedCreds: ResolvedCredentials | undefined;
+  let expiresAt: number | undefined;
+
+  return Effect.suspend(() => {
+    const now = Date.now();
+    if (cachedCreds && expiresAt && now < expiresAt) {
+      return Effect.succeed(cachedCreds);
+    }
+    return Effect.map(resolve, (creds) => {
+      cachedCreds = creds;
+      expiresAt = creds.expiration
+        ? creds.expiration - CREDENTIAL_REFRESH_WINDOW_MS
+        : undefined;
+      return creds;
+    });
+  });
+};
+
+/**
+ * Create a lazy, cached credentials provider from an AWS SDK credential provider.
+ * Credentials are resolved on first access and cached based on their expiration time.
+ */
+export const createLazyProvider = (
+  provider: (config: {}) => AwsCredentialIdentityProvider,
+  providerName: ProviderName,
+): Layer.Layer<Credentials> => {
+  const resolve = Effect.gen(function* () {
+    const hints = providerHints(providerName);
+    const identity = yield* Effect.tryPromise({
+      try: () => provider({})(),
+      catch: (cause) =>
+        new AwsCredentialProviderError({
+          message: `Failed to resolve credentials from ${providerName}.`,
+          provider: providerName,
+          cause,
+          hints,
+        }),
+    });
+    return fromAwsCredentialIdentity(identity);
+  });
+
+  return Layer.succeed(Credentials, createCachedCredentialsEffect(resolve));
+};
+
+/**
+ * Create a credentials provider from static credentials.
+ * No lazy loading or caching needed since credentials are already available.
+ */
+export const fromCredentials = (
+  credentials: AwsCredentialIdentity,
+): Layer.Layer<Credentials> =>
+  Layer.succeed(
+    Credentials,
+    Effect.succeed(fromAwsCredentialIdentity(credentials)),
+  );
+
+export const fromHttp = () => createLazyProvider(_fromHttp, "http");
+
+export const ssoRegion = (region: string) => Layer.succeed(SsoRegion, region);
+
+export class SsoRegion extends Context.Service<SsoRegion, string>()(
+  "AWS::SsoRegion",
+) {}
+export class SsoStartUrl extends Context.Service<SsoStartUrl, string>()(
+  "AWS::SsoStartUrl",
+) {}
+
+export class ProfileNotFound extends Data.TaggedError(
+  "Alchemy::AWS::ProfileNotFound",
+)<{
+  message: string;
+  profile: string;
+}> {}
+
+export class ConflictingSSORegion extends Data.TaggedError(
+  "Alchemy::AWS::ConflictingSSORegion",
+)<{
+  message: string;
+  ssoRegion: string;
+  profile: string;
+}> {}
+
+export class ConflictingSSOStartUrl extends Data.TaggedError(
+  "Alchemy::AWS::ConflictingSSOStartUrl",
+)<{
+  message: string;
+  ssoStartUrl: string;
+  profile: string;
+}> {}
+
+export class InvalidSSOProfile extends Data.TaggedError(
+  "Alchemy::AWS::InvalidSSOProfile",
+)<{
+  message: string;
+  profile: string;
+  missingFields: string[];
+}> {}
+
+export class InvalidSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::InvalidSSOToken",
+)<{
+  message: string;
+  sso_session: string;
+}> {}
+
+export class ExpiredSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::ExpiredSSOToken",
+)<{
+  message: string;
+  profile: string;
+}> {}
+
+export class AwsCredentialProviderError extends Data.TaggedError(
+  "AWS::CredentialProviderError",
+)<{
+  message: string;
+  provider: string;
+  cause?: unknown;
+  hints?: ReadonlyArray<string>;
+}> {}
+
+/**
+ * The AWS SSO portal returned a response with no `roleCredentials`, e.g. a
+ * `ForbiddenException` when an IAM Identity Center role assignment is in a
+ * stale state.
+ */
+export class SsoPortalError extends Data.TaggedError(
+  "Alchemy::AWS::SsoPortalError",
+)<{
+  message: string;
+  profile: string;
+  account_id?: string;
+  role_name?: string;
+  status?: number;
+}> {}