Configure axios aws interceptor to retrieve credentials from node provider chain at runtime (aws#134)

andreachild · web-flow · commit 4c097da22824 · 2025-09-08T13:14:26.000-07:00
Configure axios aws interceptor to retrieve credentials from node provider chain at runtime as opposed to on module load. This allows for fresh credentials to be obtained as needed during query runtime. Each environment can have unique credential configuration so I added a link to the aws documentation for configuring credential providers.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -75,6 +75,9 @@ permissions and limitations under the License.
   properties ([#130](https://github.com/aws/amazon-neptune-for-graphql/pull/130))
 * Improved error messaging if query field or selection field types cannot be
   determined ([#132](https://github.com/aws/amazon-neptune-for-graphql/pull/132))
+* Allow credentials to be refreshed at Apollo runtime by passing the credential
+  provider to the
+  interceptor  ([#134](https://github.com/aws/amazon-neptune-for-graphql/pull/134))
 
 ### Bug Fixes
 
diff --git a/templates/ApolloServer/neptune.mjs b/templates/ApolloServer/neptune.mjs
@@ -10,14 +10,29 @@ import { decompressGzipToString } from './util.mjs';
 dotenv.config();
 
 const loggingEnabled = process.env.LOGGING_ENABLED === 'true';
-const credentialProvider = fromNodeProviderChain();
-const credentials = await credentialProvider();
+
+// wrapper that aws4Interceptor can use to obtain credentials
+const credentialsProviderWrapper = {
+    getCredentials: async () => {
+        // uses the default node provider chain
+        // see aws documentation for configuration options
+        // https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-credential-providers/#fromnodeproviderchain
+        try {
+            const credentialProvider = fromNodeProviderChain();
+            return await credentialProvider();
+        } catch (error) {
+            console.error('Failed to obtain AWS credentials:', error);
+            throw error;
+        }
+    }
+};
+
 const interceptor = aws4Interceptor({
     options: {
         region: process.env.AWS_REGION,
         service: process.env.NEPTUNE_TYPE,
     },
-    credentials: credentials
+    credentials: credentialsProviderWrapper
 });
 axios.interceptors.request.use(interceptor);
 rax.attach();
