feat(rds-signer): profile awareness for rds and dsql signers

kuhe · kuhe · commit b48810cbd248 · 2024-12-13T19:23:58.000Z
diff --git a/packages/dsql-signer/src/Signer.ts b/packages/dsql-signer/src/Signer.ts
@@ -12,7 +12,8 @@ type DsqlSignerAction = "DbConnect" | "DbConnectAdmin";
 
 export interface DsqlSignerConfig {
   /**
-   * The AWS credentials to sign requests with. Uses the default credential provider chain if not specified.
+   * The AWS credentials to sign requests with.
+   * Uses the default credential provider chain if not specified.
    */
   credentials?: AwsCredentialIdentity | AwsCredentialIdentityProvider;
 
@@ -22,7 +23,8 @@ export interface DsqlSignerConfig {
   hostname: string;
 
   /**
-   * The region the database is located in. Uses the region inferred from the runtime if omitted.
+   * The region the database is located in.
+   * Uses the region from the profile or inferred from the runtime if omitted.
    */
   region?: string;
 
@@ -35,6 +37,16 @@ export interface DsqlSignerConfig {
    * The amount of time in seconds the generated token is valid.
    */
   expiresIn?: number;
+
+  /**
+   * Optional. Can be provided to configure region from a profile
+   * if operating in an environment with a file system having
+   * an AWS configuration file.
+   *
+   * The credentials will also resolve based on this profile, if using
+   * a credentials provider that includes the AWS configuration file.
+   */
+  profile?: string;
 }
 
 /**
diff --git a/packages/rds-signer/src/Signer.ts b/packages/rds-signer/src/Signer.ts
@@ -13,7 +13,8 @@ import { getRuntimeConfig as __getRuntimeConfig } from "./runtimeConfig";
 
 export interface SignerConfig {
   /**
-   * The AWS credentials to sign requests with. Uses the default credential provider chain if not specified.
+   * The AWS credentials to sign requests with.
+   * Uses the default credential provider chain if not specified.
    */
   credentials?: AwsCredentialIdentity | AwsCredentialIdentityProvider;
   /**
@@ -25,7 +26,9 @@ export interface SignerConfig {
    */
   port: number;
   /**
-   * The region the database is located in. Uses the region inferred from the runtime if omitted.
+   * The region the database is located in.
+   * Uses the region of the given profile or inferred from the runtime if
+   * both are omitted.
    */
   region?: string;
   /**
@@ -36,6 +39,15 @@ export interface SignerConfig {
    * The username to login as.
    */
   username: string;
+  /**
+   * Optional. Can be provided to configure region from a profile
+   * if operating in an environment with a file system having
+   * an AWS configuration file.
+   *
+   * The credentials will also resolve based on this profile, if using
+   * a credentials provider that includes the AWS configuration file.
+   */
+  profile?: string;
 }
 
 /**
diff --git a/packages/rds-signer/src/runtimeConfig.ts b/packages/rds-signer/src/runtimeConfig.ts
@@ -12,8 +12,17 @@ export const getRuntimeConfig = (config: SignerConfig) => {
   return {
     runtime: "node",
     sha256: config?.sha256 ?? Hash.bind(null, "sha256"),
-    credentials: config?.credentials ?? fromNodeProviderChain(),
-    region: config?.region ?? loadConfig(NODE_REGION_CONFIG_OPTIONS, NODE_REGION_CONFIG_FILE_OPTIONS),
+    credentials:
+      config?.credentials ??
+      fromNodeProviderChain({
+        profile: config.profile,
+      }),
+    region:
+      config?.region ??
+      loadConfig(NODE_REGION_CONFIG_OPTIONS, {
+        ...NODE_REGION_CONFIG_FILE_OPTIONS,
+        profile: config.profile,
+      }),
     ...config,
   };
 };
