fix(core/httpAuthSchemes): allow extensions to set signer credentials

kuhe · kuhe · commit 04f73d0c4918 · 2025-03-24T21:30:38.000-04:00
diff --git a/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts b/packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts
@@ -172,7 +172,7 @@ export const resolveAwsSdkSigV4Config = <T>(
 
           const params: SignatureV4Init & SignatureV4CryptoInit = {
             ...config,
-            credentials: boundCredentialsProvider,
+            credentials: config.credentials as typeof boundCredentialsProvider,
             region: config.signingRegion,
             service: config.signingName,
             sha256,
@@ -208,7 +208,7 @@ export const resolveAwsSdkSigV4Config = <T>(
 
       const params: SignatureV4Init & SignatureV4CryptoInit = {
         ...config,
-        credentials: boundCredentialsProvider,
+        credentials: config.credentials as typeof boundCredentialsProvider,
         region: config.signingRegion,
         service: config.signingName,
         sha256,
diff --git a/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts b/packages/credential-provider-node/src/credential-provider-node.integ.spec.ts
@@ -1,4 +1,4 @@
-import { STS } from "@aws-sdk/client-sts";
+import { STS, STSExtensionConfiguration } from "@aws-sdk/client-sts";
 import * as credentialProviderHttp from "@aws-sdk/credential-provider-http";
 import { fromCognitoIdentity, fromCognitoIdentityPool, fromIni, fromWebToken } from "@aws-sdk/credential-providers";
 import { HttpResponse } from "@smithy/protocol-http";
@@ -1267,6 +1267,34 @@ describe("credential-provider-node integration test", () => {
     });
   });
 
+  describe("extension provided credentials", () => {
+    it("allows an extension to modify client config credentials", async () => {
+      class OverrideCredentialsExtension {
+        static create(): OverrideCredentialsExtension {
+          return new OverrideCredentialsExtension();
+        }
+
+        configure(extensionConfiguration: STSExtensionConfiguration): void {
+          extensionConfiguration.setCredentials(async () => ({
+            accessKeyId: "STS_AK",
+            secretAccessKey: "STS_SAK",
+          }));
+        }
+      }
+
+      const client = new STS({
+        extensions: [OverrideCredentialsExtension.create()],
+      });
+
+      const credentials = await client.config.credentials({});
+
+      expect(credentials).toEqual({
+        accessKeyId: "STS_AK",
+        secretAccessKey: "STS_SAK",
+      });
+    });
+  });
+
   describe("No credentials available", () => {
     it("should throw CredentialsProviderError", async () => {
       process.env.AWS_EC2_METADATA_DISABLED = "true";
