@smithy/credential-provider-imds 2.0.18 → 2.1.0
- package/dist-cjs/error/InstanceMetadataV1FallbackError.js +13 -0
- package/dist-cjs/fromInstanceMetadata.js +45 -3
- package/dist-es/error/InstanceMetadataV1FallbackError.js +9 -0
- package/dist-es/fromInstanceMetadata.js +44 -3
- package/dist-types/error/InstanceMetadataV1FallbackError.d.ts +12 -0
- package/dist-types/remoteProvider/RemoteProviderInit.d.ts +10 -2
- package/dist-types/ts3.4/error/InstanceMetadataV1FallbackError.d.ts +12 -0
- package/dist-types/ts3.4/remoteProvider/RemoteProviderInit.d.ts +10 -2
- package/package.json +2 -2
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.InstanceMetadataV1FallbackError = void 0;
|
|
4
|
+
const property_provider_1 = require("@smithy/property-provider");
|
|
5
|
+
class InstanceMetadataV1FallbackError extends property_provider_1.CredentialsProviderError {
|
|
6
|
+
constructor(message, tryNextLink = true) {
|
|
7
|
+
super(message, tryNextLink);
|
|
8
|
+
this.tryNextLink = tryNextLink;
|
|
9
|
+
this.name = "InstanceMetadataV1FallbackError";
|
|
10
|
+
Object.setPrototypeOf(this, InstanceMetadataV1FallbackError.prototype);
|
|
11
|
+
}
|
|
12
|
+
}
|
|
13
|
+
exports.InstanceMetadataV1FallbackError = InstanceMetadataV1FallbackError;
|
|
@@ -1,7 +1,9 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.fromInstanceMetadata = void 0;
|
|
4
|
+
const node_config_provider_1 = require("@smithy/node-config-provider");
|
|
4
5
|
const property_provider_1 = require("@smithy/property-provider");
|
|
6
|
+
const InstanceMetadataV1FallbackError_1 = require("./error/InstanceMetadataV1FallbackError");
|
|
5
7
|
const httpRequest_1 = require("./remoteProvider/httpRequest");
|
|
6
8
|
const ImdsCredentials_1 = require("./remoteProvider/ImdsCredentials");
|
|
7
9
|
const RemoteProviderInit_1 = require("./remoteProvider/RemoteProviderInit");
|
|
@@ -10,13 +12,51 @@ const getInstanceMetadataEndpoint_1 = require("./utils/getInstanceMetadataEndpoi
|
|
|
10
12
|
const staticStabilityProvider_1 = require("./utils/staticStabilityProvider");
|
|
11
13
|
const IMDS_PATH = "/latest/meta-data/iam/security-credentials/";
|
|
12
14
|
const IMDS_TOKEN_PATH = "/latest/api/token";
|
|
15
|
+
const AWS_EC2_METADATA_V1_DISABLED = "AWS_EC2_METADATA_V1_DISABLED";
|
|
16
|
+
const PROFILE_AWS_EC2_METADATA_V1_DISABLED = "ec2_metadata_v1_disabled";
|
|
17
|
+
const X_AWS_EC2_METADATA_TOKEN = "x-aws-ec2-metadata-token";
|
|
13
18
|
const fromInstanceMetadata = (init = {}) => (0, staticStabilityProvider_1.staticStabilityProvider)(getInstanceImdsProvider(init), { logger: init.logger });
|
|
14
19
|
exports.fromInstanceMetadata = fromInstanceMetadata;
|
|
15
20
|
const getInstanceImdsProvider = (init) => {
|
|
16
21
|
let disableFetchToken = false;
|
|
22
|
+
const { logger, profile } = init;
|
|
17
23
|
const { timeout, maxRetries } = (0, RemoteProviderInit_1.providerConfigFromInit)(init);
|
|
18
24
|
const getCredentials = async (maxRetries, options) => {
|
|
19
|
-
|
|
25
|
+
var _a;
|
|
26
|
+
const isImdsV1Fallback = disableFetchToken || ((_a = options.headers) === null || _a === void 0 ? void 0 : _a[X_AWS_EC2_METADATA_TOKEN]) == null;
|
|
27
|
+
if (isImdsV1Fallback) {
|
|
28
|
+
let fallbackBlockedFromProfile = false;
|
|
29
|
+
let fallbackBlockedFromProcessEnv = false;
|
|
30
|
+
const configValue = await (0, node_config_provider_1.loadConfig)({
|
|
31
|
+
environmentVariableSelector: (env) => {
|
|
32
|
+
const envValue = env[AWS_EC2_METADATA_V1_DISABLED];
|
|
33
|
+
fallbackBlockedFromProcessEnv = !!envValue && envValue !== "false";
|
|
34
|
+
if (envValue === undefined) {
|
|
35
|
+
throw new property_provider_1.CredentialsProviderError(`${AWS_EC2_METADATA_V1_DISABLED} not set in env, checking config file next.`);
|
|
36
|
+
}
|
|
37
|
+
return fallbackBlockedFromProcessEnv;
|
|
38
|
+
},
|
|
39
|
+
configFileSelector: (profile) => {
|
|
40
|
+
const profileValue = profile[PROFILE_AWS_EC2_METADATA_V1_DISABLED];
|
|
41
|
+
fallbackBlockedFromProfile = !!profileValue && profileValue !== "false";
|
|
42
|
+
return fallbackBlockedFromProfile;
|
|
43
|
+
},
|
|
44
|
+
default: false,
|
|
45
|
+
}, {
|
|
46
|
+
profile,
|
|
47
|
+
})();
|
|
48
|
+
if (init.ec2MetadataV1Disabled || configValue) {
|
|
49
|
+
const causes = [];
|
|
50
|
+
if (init.ec2MetadataV1Disabled)
|
|
51
|
+
causes.push("credential provider initialization (runtime option ec2MetadataV1Disabled)");
|
|
52
|
+
if (fallbackBlockedFromProfile)
|
|
53
|
+
causes.push(`config file profile (${PROFILE_AWS_EC2_METADATA_V1_DISABLED})`);
|
|
54
|
+
if (fallbackBlockedFromProcessEnv)
|
|
55
|
+
causes.push(`process environment variable (${AWS_EC2_METADATA_V1_DISABLED})`);
|
|
56
|
+
throw new InstanceMetadataV1FallbackError_1.InstanceMetadataV1FallbackError(`AWS EC2 Metadata v1 fallback has been blocked by AWS SDK configuration in the following: [${causes.join(", ")}].`);
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
const imdsProfile = (await (0, retry_1.retry)(async () => {
|
|
20
60
|
let profile;
|
|
21
61
|
try {
|
|
22
62
|
profile = await getProfile(options);
|
|
@@ -32,7 +72,7 @@ const getInstanceImdsProvider = (init) => {
|
|
|
32
72
|
return (0, retry_1.retry)(async () => {
|
|
33
73
|
let creds;
|
|
34
74
|
try {
|
|
35
|
-
creds = await getCredentialsFromProfile(
|
|
75
|
+
creds = await getCredentialsFromProfile(imdsProfile, options);
|
|
36
76
|
}
|
|
37
77
|
catch (err) {
|
|
38
78
|
if (err.statusCode === 401) {
|
|
@@ -46,6 +86,7 @@ const getInstanceImdsProvider = (init) => {
|
|
|
46
86
|
return async () => {
|
|
47
87
|
const endpoint = await (0, getInstanceMetadataEndpoint_1.getInstanceMetadataEndpoint)();
|
|
48
88
|
if (disableFetchToken) {
|
|
89
|
+
logger === null || logger === void 0 ? void 0 : logger.debug("AWS SDK Instance Metadata", "using v1 fallback (no token fetch)");
|
|
49
90
|
return getCredentials(maxRetries, { ...endpoint, timeout });
|
|
50
91
|
}
|
|
51
92
|
else {
|
|
@@ -62,12 +103,13 @@ const getInstanceImdsProvider = (init) => {
|
|
|
62
103
|
else if (error.message === "TimeoutError" || [403, 404, 405].includes(error.statusCode)) {
|
|
63
104
|
disableFetchToken = true;
|
|
64
105
|
}
|
|
106
|
+
logger === null || logger === void 0 ? void 0 : logger.debug("AWS SDK Instance Metadata", "using v1 fallback (initial)");
|
|
65
107
|
return getCredentials(maxRetries, { ...endpoint, timeout });
|
|
66
108
|
}
|
|
67
109
|
return getCredentials(maxRetries, {
|
|
68
110
|
...endpoint,
|
|
69
111
|
headers: {
|
|
70
|
-
|
|
112
|
+
[X_AWS_EC2_METADATA_TOKEN]: token,
|
|
71
113
|
},
|
|
72
114
|
timeout,
|
|
73
115
|
});
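Review bot: In the `@@ -10,13 +12,51 @@` hunk, `environmentVariableSelector` treats a set-but-empty `AWS_EC2_METADATA_V1_DISABLED` as a definite `false`: only `undefined` throws to move on to the config file, so, assuming `loadConfig` stops at the first selector that returns a value, an empty variable would mask `ec2_metadata_v1_disabled = true` in the profile and leave the token-less IMDSv1 path open. Treating empty as unset would close that gap: `if (envValue === undefined || envValue === "") {`. The comparison `envValue !== "false"` is also case-sensitive, so `False` or `0` block the fallback; that fails closed, but it deserves a comment such as `// any non-empty value other than the exact string "false" disables IMDSv1`. The same lines appear in the dist-es build of fromInstanceMetadata.js, and `getCredentials` continues outside the hunk.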
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
import { CredentialsProviderError } from "@smithy/property-provider";
|
|
2
|
+
export class InstanceMetadataV1FallbackError extends CredentialsProviderError {
|
|
3
|
+
constructor(message, tryNextLink = true) {
|
|
4
|
+
super(message, tryNextLink);
|
|
5
|
+
this.tryNextLink = tryNextLink;
|
|
6
|
+
this.name = "InstanceMetadataV1FallbackError";
|
|
7
|
+
Object.setPrototypeOf(this, InstanceMetadataV1FallbackError.prototype);
|
|
8
|
+
}
|
|
9
|
+
}
|
|
@@ -1,4 +1,6 @@
|
|
|
1
|
+
import { loadConfig } from "@smithy/node-config-provider";
|
|
1
2
|
import { CredentialsProviderError } from "@smithy/property-provider";
|
|
3
|
+
import { InstanceMetadataV1FallbackError } from "./error/InstanceMetadataV1FallbackError";
|
|
2
4
|
import { httpRequest } from "./remoteProvider/httpRequest";
|
|
3
5
|
import { fromImdsCredentials, isImdsCredentials } from "./remoteProvider/ImdsCredentials";
|
|
4
6
|
import { providerConfigFromInit } from "./remoteProvider/RemoteProviderInit";
|
|
@@ -7,12 +9,49 @@ import { getInstanceMetadataEndpoint } from "./utils/getInstanceMetadataEndpoint
|
|
|
7
9
|
import { staticStabilityProvider } from "./utils/staticStabilityProvider";
|
|
8
10
|
const IMDS_PATH = "/latest/meta-data/iam/security-credentials/";
|
|
9
11
|
const IMDS_TOKEN_PATH = "/latest/api/token";
|
|
12
|
+
const AWS_EC2_METADATA_V1_DISABLED = "AWS_EC2_METADATA_V1_DISABLED";
|
|
13
|
+
const PROFILE_AWS_EC2_METADATA_V1_DISABLED = "ec2_metadata_v1_disabled";
|
|
14
|
+
const X_AWS_EC2_METADATA_TOKEN = "x-aws-ec2-metadata-token";
|
|
10
15
|
export const fromInstanceMetadata = (init = {}) => staticStabilityProvider(getInstanceImdsProvider(init), { logger: init.logger });
|
|
11
16
|
const getInstanceImdsProvider = (init) => {
|
|
12
17
|
let disableFetchToken = false;
|
|
18
|
+
const { logger, profile } = init;
|
|
13
19
|
const { timeout, maxRetries } = providerConfigFromInit(init);
|
|
14
20
|
const getCredentials = async (maxRetries, options) => {
|
|
15
|
-
const
|
|
21
|
+
const isImdsV1Fallback = disableFetchToken || options.headers?.[X_AWS_EC2_METADATA_TOKEN] == null;
|
|
22
|
+
if (isImdsV1Fallback) {
|
|
23
|
+
let fallbackBlockedFromProfile = false;
|
|
24
|
+
let fallbackBlockedFromProcessEnv = false;
|
|
25
|
+
const configValue = await loadConfig({
|
|
26
|
+
environmentVariableSelector: (env) => {
|
|
27
|
+
const envValue = env[AWS_EC2_METADATA_V1_DISABLED];
|
|
28
|
+
fallbackBlockedFromProcessEnv = !!envValue && envValue !== "false";
|
|
29
|
+
if (envValue === undefined) {
|
|
30
|
+
throw new CredentialsProviderError(`${AWS_EC2_METADATA_V1_DISABLED} not set in env, checking config file next.`);
|
|
31
|
+
}
|
|
32
|
+
return fallbackBlockedFromProcessEnv;
|
|
33
|
+
},
|
|
34
|
+
configFileSelector: (profile) => {
|
|
35
|
+
const profileValue = profile[PROFILE_AWS_EC2_METADATA_V1_DISABLED];
|
|
36
|
+
fallbackBlockedFromProfile = !!profileValue && profileValue !== "false";
|
|
37
|
+
return fallbackBlockedFromProfile;
|
|
38
|
+
},
|
|
39
|
+
default: false,
|
|
40
|
+
}, {
|
|
41
|
+
profile,
|
|
42
|
+
})();
|
|
43
|
+
if (init.ec2MetadataV1Disabled || configValue) {
|
|
44
|
+
const causes = [];
|
|
45
|
+
if (init.ec2MetadataV1Disabled)
|
|
46
|
+
causes.push("credential provider initialization (runtime option ec2MetadataV1Disabled)");
|
|
47
|
+
if (fallbackBlockedFromProfile)
|
|
48
|
+
causes.push(`config file profile (${PROFILE_AWS_EC2_METADATA_V1_DISABLED})`);
|
|
49
|
+
if (fallbackBlockedFromProcessEnv)
|
|
50
|
+
causes.push(`process environment variable (${AWS_EC2_METADATA_V1_DISABLED})`);
|
|
51
|
+
throw new InstanceMetadataV1FallbackError(`AWS EC2 Metadata v1 fallback has been blocked by AWS SDK configuration in the following: [${causes.join(", ")}].`);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
const imdsProfile = (await retry(async () => {
|
|
16
55
|
let profile;
|
|
17
56
|
try {
|
|
18
57
|
profile = await getProfile(options);
|
|
@@ -28,7 +67,7 @@ const getInstanceImdsProvider = (init) => {
|
|
|
28
67
|
return retry(async () => {
|
|
29
68
|
let creds;
|
|
30
69
|
try {
|
|
31
|
-
creds = await getCredentialsFromProfile(
|
|
70
|
+
creds = await getCredentialsFromProfile(imdsProfile, options);
|
|
32
71
|
}
|
|
33
72
|
catch (err) {
|
|
34
73
|
if (err.statusCode === 401) {
|
|
@@ -42,6 +81,7 @@ const getInstanceImdsProvider = (init) => {
|
|
|
42
81
|
return async () => {
|
|
43
82
|
const endpoint = await getInstanceMetadataEndpoint();
|
|
44
83
|
if (disableFetchToken) {
|
|
84
|
+
logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (no token fetch)");
|
|
45
85
|
return getCredentials(maxRetries, { ...endpoint, timeout });
|
|
46
86
|
}
|
|
47
87
|
else {
|
|
@@ -58,12 +98,13 @@ const getInstanceImdsProvider = (init) => {
|
|
|
58
98
|
else if (error.message === "TimeoutError" || [403, 404, 405].includes(error.statusCode)) {
|
|
59
99
|
disableFetchToken = true;
|
|
60
100
|
}
|
|
101
|
+
logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (initial)");
|
|
61
102
|
return getCredentials(maxRetries, { ...endpoint, timeout });
|
|
62
103
|
}
|
|
63
104
|
return getCredentials(maxRetries, {
|
|
64
105
|
...endpoint,
|
|
65
106
|
headers: {
|
|
66
|
-
|
|
107
|
+
[X_AWS_EC2_METADATA_TOKEN]: token,
|
|
67
108
|
},
|
|
68
109
|
timeout,
|
|
69
110
|
});
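Review bot: The two new `logger?.debug(...)` calls in the `@@ -42,6 +81,7 @@` and `@@ -58,12 +98,13 @@` hunks record the downgrade to token-less IMDSv1 only at debug level, and the second one says "using v1 fallback (initial)" before `getCredentials` has checked whether the fallback is blocked, so the message can appear for a request that is then refused with `InstanceMetadataV1FallbackError`. A downgrade from IMDSv2 is a security-relevant event that operators will want to see with default log settings; `logger?.warn("AWS SDK Instance Metadata", "using v1 fallback (initial)");` would surface it, ideally emitted after the block check passes. The "(initial)" call also sits after the `else if`, so it appears to run for every error that reaches this point in the catch block, not only for the timeout/403/404/405 cases that set `disableFetchToken`; the start of that block is outside the hunk, so confirm. The dist-cjs build carries the same calls.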
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CredentialsProviderError } from "@smithy/property-provider";
|
|
2
|
+
/**
|
|
3
|
+
* @public
|
|
4
|
+
*
|
|
5
|
+
* A specific sub-case of CredentialsProviderError, when the IMDSv1 fallback
|
|
6
|
+
* has been attempted but shut off by SDK configuration.
|
|
7
|
+
*/
|
|
8
|
+
export declare class InstanceMetadataV1FallbackError extends CredentialsProviderError {
|
|
9
|
+
readonly tryNextLink: boolean;
|
|
10
|
+
name: string;
|
|
11
|
+
constructor(message: string, tryNextLink?: boolean);
|
|
12
|
+
}
|
|
@@ -8,7 +8,7 @@ export declare const DEFAULT_TIMEOUT = 1000;
|
|
|
8
8
|
*/
|
|
9
9
|
export declare const DEFAULT_MAX_RETRIES = 0;
|
|
10
10
|
/**
|
|
11
|
-
* @
|
|
11
|
+
* @public
|
|
12
12
|
*/
|
|
13
13
|
export interface RemoteProviderConfig {
|
|
14
14
|
/**
|
|
@@ -21,10 +21,18 @@ export interface RemoteProviderConfig {
|
|
|
21
21
|
maxRetries: number;
|
|
22
22
|
}
|
|
23
23
|
/**
|
|
24
|
-
* @
|
|
24
|
+
* @public
|
|
25
25
|
*/
|
|
26
26
|
export interface RemoteProviderInit extends Partial<RemoteProviderConfig> {
|
|
27
27
|
logger?: Logger;
|
|
28
|
+
/**
|
|
29
|
+
* Only used in the IMDS credential provider.
|
|
30
|
+
*/
|
|
31
|
+
ec2MetadataV1Disabled?: boolean;
|
|
32
|
+
/**
|
|
33
|
+
* AWS_PROFILE.
|
|
34
|
+
*/
|
|
35
|
+
profile?: string;
|
|
28
36
|
}
|
|
29
37
|
/**
|
|
30
38
|
* @internal
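Review bot: The doc comments on the two new `RemoteProviderInit` fields do not say what they do: `ec2MetadataV1Disabled` carries only "Only used in the IMDS credential provider." and `profile` only "AWS_PROFILE.". Going by the fromInstanceMetadata.js changes in this release, the first should state that `true` makes the provider refuse the token-less IMDSv1 fallback and throw `InstanceMetadataV1FallbackError`, that the `AWS_EC2_METADATA_V1_DISABLED` environment variable and the `ec2_metadata_v1_disabled` profile key have the same effect, and that the sources are OR-ed, so `false` here does not re-enable a fallback disabled elsewhere. For `profile`, something like `/** Name of the shared-config profile read for ec2_metadata_v1_disabled. */` would say how the value is used. The ts3.4 copy of this declaration file has the same comments, and the `@internal` comment at the end of the hunk continues outside it.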
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CredentialsProviderError } from "@smithy/property-provider";
|
|
2
|
+
/**
|
|
3
|
+
* @public
|
|
4
|
+
*
|
|
5
|
+
* A specific sub-case of CredentialsProviderError, when the IMDSv1 fallback
|
|
6
|
+
* has been attempted but shut off by SDK configuration.
|
|
7
|
+
*/
|
|
8
|
+
export declare class InstanceMetadataV1FallbackError extends CredentialsProviderError {
|
|
9
|
+
readonly tryNextLink: boolean;
|
|
10
|
+
name: string;
|
|
11
|
+
constructor(message: string, tryNextLink?: boolean);
|
|
12
|
+
}
|
|
@@ -8,7 +8,7 @@ export declare const DEFAULT_TIMEOUT = 1000;
|
|
|
8
8
|
*/
|
|
9
9
|
export declare const DEFAULT_MAX_RETRIES = 0;
|
|
10
10
|
/**
|
|
11
|
-
* @
|
|
11
|
+
* @public
|
|
12
12
|
*/
|
|
13
13
|
export interface RemoteProviderConfig {
|
|
14
14
|
/**
|
|
@@ -21,10 +21,18 @@ export interface RemoteProviderConfig {
|
|
|
21
21
|
maxRetries: number;
|
|
22
22
|
}
|
|
23
23
|
/**
|
|
24
|
-
* @
|
|
24
|
+
* @public
|
|
25
25
|
*/
|
|
26
26
|
export interface RemoteProviderInit extends Partial<RemoteProviderConfig> {
|
|
27
27
|
logger?: Logger;
|
|
28
|
+
/**
|
|
29
|
+
* Only used in the IMDS credential provider.
|
|
30
|
+
*/
|
|
31
|
+
ec2MetadataV1Disabled?: boolean;
|
|
32
|
+
/**
|
|
33
|
+
* AWS_PROFILE.
|
|
34
|
+
*/
|
|
35
|
+
profile?: string;
|
|
28
36
|
}
|
|
29
37
|
/**
|
|
30
38
|
* @internal
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@smithy/credential-provider-imds",
|
|
3
|
-
"version": "2.0
|
|
3
|
+
"version": "2.1.0",
|
|
4
4
|
"description": "AWS credential provider that sources credentials from the EC2 instance metadata service and ECS container metadata service",
|
|
5
5
|
"main": "./dist-cjs/index.js",
|
|
6
6
|
"module": "./dist-es/index.js",
|
|
@@ -26,7 +26,7 @@
|
|
|
26
26
|
},
|
|
27
27
|
"license": "Apache-2.0",
|
|
28
28
|
"dependencies": {
|
|
29
|
-
"@smithy/node-config-provider": "^2.1.
|
|
29
|
+
"@smithy/node-config-provider": "^2.1.4",
|
|
30
30
|
"@smithy/property-provider": "^2.0.13",
|
|
31
31
|
"@smithy/types": "^2.4.0",
|
|
32
32
|
"@smithy/url-parser": "^2.0.12",
|