fix(credential-providers): supply backup credentials to fromTemporaryCredentials

Author: kuhe

packages/credential-providers/src/fromTemporaryCredentials.ts

@@ -1,5 +1,9 @@
 import type { AssumeRoleCommandInput, STSClient, STSClientConfig } from "@aws-sdk/nested-clients/sts";
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import type {
+  AwsIdentityProperties,
+  CredentialProviderOptions,
+  RuntimeConfigAwsCredentialIdentityProvider,
+} from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, AwsCredentialIdentityProvider, Pluggable } from "@smithy/types";
 
@@ -53,9 +57,11 @@ export interface FromTemporaryCredentialsOptions extends CredentialProviderOptio
  *
  * @public
  */
-export const fromTemporaryCredentials = (options: FromTemporaryCredentialsOptions): AwsCredentialIdentityProvider => {
+export const fromTemporaryCredentials = (
+  options: FromTemporaryCredentialsOptions
+): RuntimeConfigAwsCredentialIdentityProvider => {
   let stsClient: STSClient;
-  return async (): Promise<AwsCredentialIdentity> => {
+  return async (awsIdentityProperties: AwsIdentityProperties = {}): Promise<AwsCredentialIdentity> => {
     options.logger?.debug("@aws-sdk/credential-providers - fromTemporaryCredentials (STS)");
     const params = { ...options.params, RoleSessionName: options.params.RoleSessionName ?? "aws-sdk-js-" + Date.now() };
     if (params?.SerialNumber) {
@@ -73,7 +79,26 @@ export const fromTemporaryCredentials = (options: FromTemporaryCredentialsOption
 
     const { AssumeRoleCommand, STSClient } = await import("./loadSts");
 
-    if (!stsClient) stsClient = new STSClient({ ...options.clientConfig, credentials: options.masterCredentials });
+    if (!stsClient) {
+      const defaultCredentialsOrError = async () => {
+        if (stsClient.config.runtime === "node") {
+          const { fromNodeProviderChain } = await import("./fromNodeProviderChain");
+          return fromNodeProviderChain({})();
+        }
+        throw new CredentialsProviderError(
+          "@aws-sdk/credential-providers::fromTemporaryCredentials - no default credentials found, masterCredentials needed to call fromTemporaryCredentials().",
+          {
+            logger: options.logger,
+          }
+        );
+      };
+      const { callerClientConfig } = awsIdentityProperties;
+      stsClient = new STSClient({
+        ...options.clientConfig,
+        credentials:
+          options.masterCredentials ?? callerClientConfig?.credentialDefaultProvider?.() ?? defaultCredentialsOrError,
+      });
+    }
     if (options.clientPlugins) {
       for (const plugin of options.clientPlugins) {
         stsClient.middlewareStack.use(plugin);

packages/types/src/identity/AwsCredentialIdentity.ts

@@ -1,4 +1,4 @@
-import type { AwsCredentialIdentity } from "@smithy/types";
+import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types";
 
 import type { AwsSdkCredentialsFeatures } from "../feature-ids";
 
@@ -11,6 +11,11 @@ export interface AwsIdentityProperties {
   callerClientConfig?: {
     region(): Promise<string>;
     profile?: string;
+    /**
+     * @internal
+     * @deprecated
+     */
+    credentialDefaultProvider?: (input?: any) => AwsCredentialIdentityProvider;
   };
 }