assume the entra role for membership check

devksingh4 · devksingh4 · commit fc847e68d80d · 2025-03-10T15:05:16.000-05:00
diff --git a/src/api/routes/membership.ts b/src/api/routes/membership.ts
@@ -7,8 +7,42 @@ import { validateNetId } from "api/functions/validation.js";
 import { FastifyPluginAsync } from "fastify";
 import { ValidationError } from "common/errors/index.js";
 import { getEntraIdToken } from "api/functions/entraId.js";
+import { genericConfig, roleArns } from "common/config.js";
+import { getRoleCredentials } from "api/functions/sts.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 
 const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  const getAuthorizedClients = async () => {
+    if (roleArns.Entra) {
+      fastify.log.info(
+        `Attempting to assume Entra role ${roleArns.Entra} to get the Entra token...`,
+      );
+      const credentials = await getRoleCredentials(roleArns.Entra);
+      const clients = {
+        smClient: new SecretsManagerClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        dynamoClient: new DynamoDBClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+      };
+      fastify.log.info(
+        `Assumed Entra role ${roleArns.Entra} to get the Entra token.`,
+      );
+      return clients;
+    } else {
+      fastify.log.debug(
+        "Did not assume Entra role as no env variable was present",
+      );
+      return {
+        smClient: fastify.secretsManagerClient,
+        dynamoClient: fastify.dynamoClient,
+      };
+    }
+  };
   fastify.get<{
     Body: undefined;
     Querystring: { netId: string };
@@ -45,10 +79,7 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
       }
       // check AAD
       const entraIdToken = await getEntraIdToken(
-        {
-          smClient: fastify.secretsManagerClient,
-          dynamoClient: fastify.dynamoClient,
-        },
+        await getAuthorizedClients(),
         fastify.environmentConfig.AadValidClientId,
       );
       const paidMemberGroup = fastify.environmentConfig.PaidMemberGroupId;
