|
| 1 | +import type { FromEnvInit } from "@aws-sdk/credential-provider-env"; |
| 2 | +import type { FromIniInit } from "@aws-sdk/credential-provider-ini"; |
1 | 3 | import { remoteProvider } from "@aws-sdk/credential-provider-node/src/remoteProvider"; |
| 4 | +import type { FromProcessInit } from "@aws-sdk/credential-provider-process"; |
| 5 | +import type { FromSSOInit } from "@aws-sdk/credential-provider-sso"; |
| 6 | +import type { FromTokenFileInit } from "@aws-sdk/credential-provider-web-identity"; |
2 | 7 | import { createCredentialChain } from "@aws-sdk/credential-providers"; |
3 | 8 | import type { RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types"; |
4 | | -import type { AwsCredentialIdentity } from "@aws-sdk/types"; |
| 9 | +import type { RemoteProviderInit } from "@smithy/credential-provider-imds"; |
5 | 10 | import { CredentialsProviderError } from "@smithy/property-provider"; |
| 11 | +import type { AwsCredentialIdentity, Logger } from "@smithy/types"; |
6 | 12 |
|
7 | | -interface AwsCliV2CompatibleProviderOptions extends Partial<AwsCredentialIdentity> { |
8 | | - profile?: string; |
9 | | - logger?: Console; |
10 | | -} |
| 13 | +/** |
| 14 | + * @public |
| 15 | + */ |
| 16 | + |
| 17 | +export type AwsCliV2CompatibleProviderOptions = Partial<AwsCredentialIdentity> & |
| 18 | + FromEnvInit & |
| 19 | + FromIniInit & |
| 20 | + RemoteProviderInit & |
| 21 | + FromProcessInit & |
| 22 | + FromSSOInit & |
| 23 | + FromTokenFileInit & { |
| 24 | + /** |
| 25 | + * Setting a client profile is similar to setting a value for the |
| 26 | + * AWS_PROFILE environment variable. Setting a profile on a client |
| 27 | + * in code only affects the single client instance, unlike AWS_PROFILE. |
| 28 | + * |
| 29 | + * When set, and only for environments where an AWS configuration |
| 30 | + * file exists, fields configurable by this file will be retrieved |
| 31 | + * from the specified profile within that file. |
| 32 | + * Conflicting code configuration and environment variables will |
| 33 | + * still have higher priority. |
| 34 | + * |
| 35 | + * For client credential resolution that involves checking the AWS |
| 36 | + * configuration file, the client's profile (this value) will be |
| 37 | + * used unless a different profile is set in the credential |
| 38 | + * provider options. |
| 39 | + * |
| 40 | + */ |
| 41 | + profile?: string; |
| 42 | + |
| 43 | + /** |
| 44 | + * Optional logger for logging debug/info/warn/error. |
| 45 | + */ |
| 46 | + logger?: Logger; |
| 47 | + }; |
11 | 48 |
|
12 | 49 | /** |
13 | | - * Custom AWS CLI V2 Compatible Credential Provider Chain. |
| 50 | + * @public |
| 51 | + * |
| 52 | + * Creates a credential provider that sources credentials using the same priority |
| 53 | + * chain as the AWS CLI v2: |
| 54 | + * |
| 55 | + * 1. Static credentials from initialization |
| 56 | + * 2. Profile credentials (if profile specified) |
| 57 | + * 3. Environment variables |
| 58 | + * 4. Web Identity Token credentials |
| 59 | + * 5. SSO credentials |
| 60 | + * 6. Process credentials |
| 61 | + * 7. Remote credentials (ECS, EC2 Instance Metadata) |
| 62 | + * |
14 | 63 | * Uses dynamic imports and `createCredentialChain` to mimic AWS CLI V2 behavior. |
| 64 | + * |
| 65 | + * @param init - Configuration options for the provider chain |
| 66 | + * @returns An AWS credential provider function that returns a promise for credentials |
15 | 67 | */ |
| 68 | + |
16 | 69 | export const fromAwsCliV2CompatibleProviderChain = |
17 | 70 | (_init: AwsCliV2CompatibleProviderOptions = {}): RuntimeConfigAwsCredentialIdentityProvider => |
18 | 71 | async ({ callerClientConfig } = {}): Promise<AwsCredentialIdentity> => { |
19 | 72 | // Merge init with caller's client config (profile/region). |
20 | 73 | const init: AwsCliV2CompatibleProviderOptions = { |
21 | 74 | ..._init, |
22 | 75 | ...callerClientConfig, |
23 | | - logger: (_init.logger ?? callerClientConfig?.logger ?? console) as Console, |
| 76 | + logger: _init.logger ?? callerClientConfig?.logger, |
24 | 77 | }; |
25 | 78 |
|
26 | | - init.logger?.debug("@aws-sdk/custom-credential-chain - Initializing credential chain"); |
| 79 | + init.logger?.debug( |
| 80 | + "@aws-sdk/credential-providers - fromAwsCliV2CompatibleProviderChain - Initializing credential chain" |
| 81 | + ); |
27 | 82 |
|
28 | | - const { profile, ...awsCredentials } = init; |
| 83 | + const { profile, logger, ...awsCredentials } = init; |
29 | 84 |
|
30 | 85 | // 1. If credentials are explicitly provided, return them. |
31 | 86 | if (awsCredentials.accessKeyId && awsCredentials.secretAccessKey) { |
32 | | - init.logger?.debug("@aws-sdk/custom-credential-chain - Using credentials from constructor"); |
| 87 | + logger?.debug( |
| 88 | + "@aws-sdk/credential-providers - fromAwsCliV2CompatibleProviderChain - using static credentials from initialization" |
| 89 | + ); |
33 | 90 | return awsCredentials as AwsCredentialIdentity; |
34 | 91 | } |
35 | 92 |
|
36 | 93 | // 2. If a profile is explicitly passed, use `fromIni`. |
37 | 94 | if (profile) { |
38 | | - init.logger?.debug("@aws-sdk/custom-credential-chain - Using fromIni with profile:", profile); |
| 95 | + logger?.debug( |
| 96 | + "@aws-sdk/credential-providers - fromAwsCliV2CompatibleProviderChain - Using fromIni with profile:", |
| 97 | + profile |
| 98 | + ); |
39 | 99 | const { fromIni } = await import("@aws-sdk/credential-provider-ini"); |
40 | | - return createCredentialChain(fromIni({ profile }))(); |
| 100 | + return fromIni({ profile, logger })(); |
41 | 101 | } |
42 | 102 |
|
43 | | - init.logger?.debug("@aws-sdk/cli-compatible-chain - Using from custom credential chain."); |
| 103 | + logger?.debug( |
| 104 | + "@aws-sdk/credential-providers - fromAwsCliV2CompatibleProviderChain - Using from custom credential chain." |
| 105 | + ); |
44 | 106 | return createCredentialChain( |
45 | 107 | async () => { |
46 | | - init.logger?.debug("@aws-sdk/cli-compatible-chain - Trying fromEnv"); |
47 | 108 | const { fromEnv } = await import("@aws-sdk/credential-provider-env"); |
48 | | - return fromEnv()(); |
| 109 | + return fromEnv(init)(); |
49 | 110 | }, |
50 | 111 | async () => { |
51 | | - init.logger?.debug("@aws-sdk/cli-compatible-chain - Trying fromTokenFile"); |
52 | 112 | const { fromTokenFile } = await import("@aws-sdk/credential-provider-web-identity"); |
53 | | - return fromTokenFile()(); |
| 113 | + return fromTokenFile(init)(); |
54 | 114 | }, |
55 | 115 | async () => { |
56 | | - init.logger?.debug("@aws-sdk/cli-compatible-chain - Trying fromSSO"); |
57 | 116 | const { fromSSO } = await import("@aws-sdk/credential-provider-sso"); |
58 | | - return fromSSO()(); |
| 117 | + return fromSSO(init)(); |
59 | 118 | }, |
60 | 119 | async () => { |
61 | | - init.logger?.debug("@aws-sdk/cli-compatible-chain- Trying fromProcess"); |
62 | 120 | const { fromProcess } = await import("@aws-sdk/credential-provider-process"); |
63 | | - return fromProcess()(); |
| 121 | + return fromProcess(init)(); |
64 | 122 | }, |
65 | 123 | async () => { |
66 | | - init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider"); |
| 124 | + logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider"); |
67 | 125 | return (await remoteProvider(init))(); |
68 | 126 | }, |
69 | 127 | async () => { |
70 | | - init.logger?.debug("@aws-sdk/custom-credential-chain - No valid credentials found. Throwing error."); |
71 | 128 | throw new CredentialsProviderError("Could not load credentials from any providers", { |
72 | 129 | tryNextLink: false, |
73 | | - logger: init.logger, |
| 130 | + logger, |
74 | 131 | }); |
75 | 132 | } |
76 | 133 | )(); |
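Review bot: In the merge that builds `init`, `...callerClientConfig` is spread after `..._init`, so a profile configured on the client overrides one passed to this provider, which is the opposite of what the new `profile` doc comment states (a profile set in the credential provider options should win). Because the profile decides which identity gets resolved, consider pinning it explicitly next to the `logger` line, e.g. `profile: _init.profile ?? callerClientConfig?.profile,`. The profile branch also calls `fromIni({ profile, logger })`, which drops every other `FromIniInit` option the widened options type now accepts, while the remaining chain links receive the full `init`; `fromIni({ ...init, profile, logger })` would keep them consistent. In the static branch, `return awsCredentials as AwsCredentialIdentity` now returns all leftover provider options alongside the keys behind a cast, so selecting the identity fields explicitly would keep provider configuration out of the credential object. The closing lines of the function body fall outside the hunk.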
|