
Commit 1dc88bc

fix(credential-provider-web-identity): make fromTokenFile aware of runtime caller client (#7453)
1 parent 952e349 commit 1dc88bc

2 files changed

+57
-6
lines changed


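--- a/packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts
+++ b/packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts
@@ -3,7 +3,13 @@ import { externalDataInterceptor } from "@smithy/shared-ini-file-loader";
 import { NodeHttpHandler } from "@smithy/node-http-handler";
 import { STS, STSExtensionConfiguration } from "@aws-sdk/client-sts";
 import * as credentialProviderHttp from "@aws-sdk/credential-provider-http";
-import { fromCognitoIdentity, fromCognitoIdentityPool, fromIni, fromWebToken } from "@aws-sdk/credential-providers";
+import {
+  fromCognitoIdentity,
+  fromCognitoIdentityPool,
+  fromIni,
+  fromWebToken,
+  fromTokenFile,
+} from "@aws-sdk/credential-providers";
 import { HttpResponse } from "@smithy/protocol-http";
 import type { HttpRequest, MiddlewareStack, NodeHttpHandlerOptions, ParsedIniData } from "@smithy/types";
 import { AdaptiveRetryStrategy, StandardRetryStrategy } from "@smithy/util-retry";
@@ -777,6 +783,51 @@ describe("credential-provider-node integration test", () => {
   });
 
   describe("fromTokenFile", () => {
+    it("should use the caller client region when combined with one", async () => {
+      sts = new STS({
+        region: "ap-northeast-1",
+        credentials: fromTokenFile({
+          roleArn: "ROLE_ARN",
+          webIdentityTokenFile: "token-filepath",
+        }),
+      });
+      await sts.getCallerIdentity({});
+      const credentials = await sts.config.credentials();
+      expect(credentials).toEqual({
+        accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
+        secretAccessKey: "STS_ARWI_SECRET_ACCESS_KEY",
+        sessionToken: "STS_ARWI_SESSION_TOKEN_ap-northeast-1",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        $source: {
+          CREDENTIALS_CODE: "e",
+          CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
+        },
+      });
+    });
+
+    it("should use the caller client region if derived from AWS_REGION", async () => {
+      process.env.AWS_REGION = "eu-west-2";
+      const provider = fromTokenFile({
+        roleArn: "ROLE_ARN",
+        webIdentityTokenFile: "token-filepath",
+      });
+      sts = new STS({
+        credentials: provider,
+      });
+      await sts.getCallerIdentity({});
+      const credentials = await sts.config.credentials();
+      expect(credentials).toEqual({
+        accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
+        secretAccessKey: "STS_ARWI_SECRET_ACCESS_KEY",
+        sessionToken: "STS_ARWI_SESSION_TOKEN_eu-west-2",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        $source: {
+          CREDENTIALS_CODE: "e",
+          CREDENTIALS_STS_ASSUME_ROLE_WEB_ID: "k",
+        },
+      });
+    });
+
     it("should resolve credentials with STS assumeRoleWithWebIdentity using a token", async () => {
       process.env.AWS_WEB_IDENTITY_TOKEN_FILE = "token-filepath";
       process.env.AWS_ROLE_ARN = "ROLE_ARN";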
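Review bot: The second new test assigns `process.env.AWS_REGION = "eu-west-2"` and never restores it, so every test that runs after it in this file sees a populated AWS_REGION unless a beforeEach/afterEach outside this hunk resets the environment. That leak can hide a regression in region resolution, since a later test that expects "no region configured" behaviour would silently resolve to eu-west-2 instead of failing. Save and restore the value around the assertions, e.g. `const previousRegion = process.env.AWS_REGION;` before the assignment and `previousRegion === undefined ? delete process.env.AWS_REGION : (process.env.AWS_REGION = previousRegion);` in a `finally` or afterEach. Both enclosing describe blocks begin before this hunk and continue after it.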

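--- a/packages/credential-provider-web-identity/src/fromTokenFile.ts
+++ b/packages/credential-provider-web-identity/src/fromTokenFile.ts
@@ -1,8 +1,8 @@
 import { setCredentialFeature } from "@aws-sdk/core/client";
-import { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
+import type { AttributedAwsCredentialIdentity, CredentialProviderOptions } from "@aws-sdk/types";
+import { AwsIdentityProperties, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types/src";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { externalDataInterceptor } from "@smithy/shared-ini-file-loader";
-import type { AwsCredentialIdentityProvider } from "@smithy/types";
 import { readFileSync } from "fs";
 
 import { fromWebToken, FromWebTokenInit } from "./fromWebToken";
@@ -29,8 +29,8 @@ export interface FromTokenFileInit
  * Represents OIDC credentials from a file on disk.
  */
 export const fromTokenFile =
-  (init: FromTokenFileInit = {}): AwsCredentialIdentityProvider =>
-  async () => {
+  (init: FromTokenFileInit = {}): RuntimeConfigAwsCredentialIdentityProvider =>
+  async (awsIdentityProperties?: AwsIdentityProperties) => {
     init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");
     const webIdentityTokenFile = init?.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
     const roleArn = init?.roleArn ?? process.env[ENV_ROLE_ARN];
@@ -49,7 +49,7 @@ export const fromTokenFile =
         readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
         roleArn,
         roleSessionName,
-      })();
+      })(awsIdentityProperties);
 
     if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
       setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");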
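Review bot: The new line `import { AwsIdentityProperties, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types/src";` reaches into a sibling package's source directory instead of its public entry point, which presumably only resolves inside the monorepo and would break or duplicate type resolution once this package is consumed from the published artifact. Both names appear only in type positions in this hunk (the return annotation and the `awsIdentityProperties?` parameter), so this should be `import type { AwsIdentityProperties, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types";`, matching the `import type` form used on the line above it. Since `awsIdentityProperties` now decides which region the web-identity role assumption is sent to, the block comment above `fromTokenFile` would benefit from one sentence such as `The region of the calling client (or AWS_REGION) is used for the STS call when this provider is attached to a client.`, which matters to operators who pin STS traffic to a specific regional endpoint for audit or policy reasons. The body of `fromTokenFile` continues beyond the last hunk.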
