chore(nested-clients): break cycle

Author: kuhe

eslint.config.js

@@ -0,0 +1,5 @@
+module.exports = [
+  {
+    ignores: ["./packages/nested-clients/**/protocols/**"],
+  },
+];

packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts

@@ -111,7 +111,6 @@ export const resolveAssumeRoleCredentials = async (
   const { source_profile, region } = profileData;
 
   if (!options.roleAssumer) {
-    // @ts-ignore Cannot find module '@aws-sdk/client-sts'
     const { getDefaultRoleAssumer } = await import("@aws-sdk/nested-clients");
     options.roleAssumer = getDefaultRoleAssumer(
       {

packages/credential-provider-web-identity/src/fromWebToken.ts

@@ -163,7 +163,6 @@ export const fromWebToken =
     let { roleAssumerWithWebIdentity } = init;
 
     if (!roleAssumerWithWebIdentity) {
-      // @ts-ignore Cannot find module '@aws-sdk/client-sts'
       const { getDefaultRoleAssumerWithWebIdentity } = await import("@aws-sdk/nested-clients");
       roleAssumerWithWebIdentity = getDefaultRoleAssumerWithWebIdentity(
         {

packages/nested-clients/package.json

@@ -28,9 +28,7 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "5.2.0",
     "@aws-crypto/sha256-js": "5.2.0",
-    "@aws-sdk/client-sso-oidc": "*",
     "@aws-sdk/core": "*",
-    "@aws-sdk/credential-provider-node": "*",
     "@aws-sdk/middleware-host-header": "*",
     "@aws-sdk/middleware-logger": "*",
     "@aws-sdk/middleware-recursion-detection": "*",

packages/nested-clients/src/nested-sts/models/models_0.ts

@@ -303,7 +303,7 @@ export interface AssumeRoleRequest {
    *          <i>IAM User Guide</i>.</p>
    *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
    *          and lower-case alphanumeric characters with no spaces. You can also include underscores or
-   *          any of the following characters: =,.@-. You cannot use a value that begins with the text
+   *          any of the following characters: +=,.@-. You cannot use a value that begins with the text
    *             <code>aws:</code>. This prefix is reserved for Amazon Web Services internal use.</p>
    * @public
    */
@@ -605,8 +605,8 @@ export interface AssumeRoleWithWebIdentityRequest {
    *          provider. Your application must get this token by authenticating the user who is using your
    *          application with a web identity provider before the application makes an
    *             <code>AssumeRoleWithWebIdentity</code> call. Timestamps in the token must be formatted
-   *          as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are
-   *          supported.</p>
+   *          as either an integer or a long integer. Tokens must be signed using either RSA keys (RS256,
+   *          RS384, or RS512) or ECDSA keys (ES256, ES384, or ES512).</p>
    * @public
    */
   WebIdentityToken: string | undefined;

packages/nested-clients/src/nested-sts/runtimeConfig.ts

@@ -3,7 +3,7 @@
 import packageInfo from "../../package.json"; // eslint-disable-line
 
 import { AwsSdkSigV4Signer, emitWarningIfUnsupportedVersion as awsCheckVersion } from "@aws-sdk/core";
-import { defaultProvider as credentialDefaultProvider } from "@aws-sdk/credential-provider-node";
+
 import { NODE_APP_ID_CONFIG_OPTIONS, createDefaultUserAgentProvider } from "@aws-sdk/util-user-agent-node";
 import {
   NODE_REGION_CONFIG_FILE_OPTIONS,
@@ -41,7 +41,7 @@ export const getRuntimeConfig = (config: STSClientConfig) => {
     runtime: "node",
     defaultsMode,
     bodyLengthChecker: config?.bodyLengthChecker ?? calculateBodyLength,
-    credentialDefaultProvider: config?.credentialDefaultProvider ?? credentialDefaultProvider,
+
     defaultUserAgentProvider:
       config?.defaultUserAgentProvider ??
       createDefaultUserAgentProvider({ serviceId: clientSharedValues.serviceId, clientVersion: packageInfo.version }),
@@ -50,7 +50,7 @@ export const getRuntimeConfig = (config: STSClientConfig) => {
         schemeId: "aws.auth#sigv4",
         identityProvider: (ipc: IdentityProviderConfig) =>
           ipc.getIdentityProvider("aws.auth#sigv4") ||
-          (async (idProps) => await credentialDefaultProvider(idProps?.__config || {})()),
+          (async (idProps) => await config!.credentialDefaultProvider!(idProps?.__config || {})()),
         signer: new AwsSdkSigV4Signer(),
       },
       {

packages/token-providers/src/getNewSsoOidcToken.ts

@@ -8,7 +8,6 @@ import { getSsoOidcClient } from "./getSsoOidcClient";
  * @internal
  */
 export const getNewSsoOidcToken = async (ssoToken: SSOToken, ssoRegion: string, init: FromSsoInit = {}) => {
-  // @ts-ignore Cannot find module '@aws-sdk/client-sso-oidc'
   const { CreateTokenCommand } = await import("@aws-sdk/nested-clients");
 
   const ssoOidcClient = await getSsoOidcClient(ssoRegion, init);

packages/token-providers/src/getSsoOidcClient.ts

@@ -5,7 +5,6 @@ import { FromSsoInit } from "./fromSso";
  * @internal
  */
 export const getSsoOidcClient = async (ssoRegion: string, init: FromSsoInit = {}) => {
-  // @ts-ignore Cannot find module '@aws-sdk/client-sso-oidc'
   const { SSOOIDCClient } = await import("@aws-sdk/nested-clients");
 
   const ssoOidcClient = new SSOOIDCClient(

scripts/generate-clients/index.js

@@ -5,6 +5,7 @@ const { emptyDirSync, rmdirSync } = require("fs-extra");
 const { generateClients, generateGenericClient, generateProtocolTests } = require("./code-gen");
 const { codeOrdering } = require("./code-ordering");
 const { copyToClients, copyServerTests } = require("./copy-to-clients");
+const generateNestedClients = require("./nested-clients/generate-nested-clients");
 const {
   CODE_GEN_SDK_OUTPUT_DIR,
   CODE_GEN_GENERIC_CLIENT_OUTPUT_DIR,
@@ -99,6 +100,7 @@ const {
 
     if (!protocolTestsOnly) {
       await generateClients(models || globs || DEFAULT_CODE_GEN_INPUT_DIR, batchSize);
+      await generateNestedClients();
     }
 
     if (!noPrivateClients) {
@@ -142,7 +144,11 @@ const {
     }
 
     require("./customizations/workspaces-thin-client")();
-    await spawnProcess("yarn", ["install", "--no-immutable"], { cwd: REPO_ROOT, stdio: "inherit", env: { ...process.env, CI: "" } });
+    await spawnProcess("yarn", ["install", "--no-immutable"], {
+      cwd: REPO_ROOT,
+      stdio: "inherit",
+      env: { ...process.env, CI: "" },
+    });
     require("../runtime-dependency-version-check/runtime-dep-version-check");
   } catch (e) {
     console.log(e);

scripts/generate-clients/nested-clients/generate-nested-clients.js

@@ -68,6 +68,9 @@ async function generateNestedClients() {
 
     replacePackageJsonImport(join(destinationFolder, "runtimeConfig.browser.ts"));
     replacePackageJsonImport(join(destinationFolder, "runtimeConfig.ts"));
+
+    replaceCredentialDefaultProvider(join(destinationFolder, "runtimeConfig.browser.ts"));
+    replaceCredentialDefaultProvider(join(destinationFolder, "runtimeConfig.ts"));
   }
 }
 
@@ -113,6 +116,9 @@ async function generateNestedClient(clientName, operations) {
   rmSync(join(__dirname, "..", "..", "..", "codegen", "sdk-codegen", `smithy-build-${clientName}.json`));
 }
 
+/**
+ * Fix package json import filesystem level.
+ */
 function replacePackageJsonImport(file) {
   writeFileSync(
     file,
@@ -123,6 +129,21 @@ function replacePackageJsonImport(file) {
   );
 }
 
+/**
+ * Breaks the circular dependency of STS and the default credential chain.
+ * STS has an auth operation but the portion of it used for credential resolution does
+ * not need the default chain.
+ */
+function replaceCredentialDefaultProvider(file) {
+  writeFileSync(
+    file,
+    readFileSync(file, "utf-8")
+      .replace(`import { defaultProvider as credentialDefaultProvider } from "@aws-sdk/credential-provider-node";`, ``)
+      .replace(`credentialDefaultProvider: config?.credentialDefaultProvider ?? credentialDefaultProvider,`, ``)
+      .replace(`await credentialDefaultProvider(`, `await config!.credentialDefaultProvider!(`)
+  );
+}
+
 if (process.argv.includes("--exec")) {
   generateNestedClients().catch(console.error);
 }