fix(credential-provider-ini): pass clientConfig to sso and sso-oidc inner clients

Author: kuhe

packages/credential-provider-ini/src/fromIni.ts

@@ -39,7 +39,8 @@ export interface FromIniInit extends SourceProfileInit, CredentialProviderOption
   roleAssumerWithWebIdentity?: (params: AssumeRoleWithWebIdentityParams) => Promise<AwsCredentialIdentity>;
 
   /**
-   * STSClientConfig to be used for creating STS Client for assuming role.
+   * STSClientConfig or SSOClientConfig to be used for creating inner client
+   * for auth operations.
    * @internal
    */
   clientConfig?: any;

packages/credential-provider-ini/src/resolveSsoCredentials.ts

@@ -1,20 +1,19 @@
 import { setCredentialFeature } from "@aws-sdk/core/client";
 import type { SsoProfile } from "@aws-sdk/credential-provider-sso";
-import type { CredentialProviderOptions } from "@aws-sdk/types";
 import type { IniSection, Profile } from "@smithy/types";
 
+import type { FromIniInit } from "./fromIni";
+
 /**
  * @internal
  */
-export const resolveSsoCredentials = async (
-  profile: string,
-  profileData: IniSection,
-  options: CredentialProviderOptions = {}
-) => {
+export const resolveSsoCredentials = async (profile: string, profileData: IniSection, options: FromIniInit = {}) => {
   const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
   return fromSSO({
     profile,
     logger: options.logger,
+    parentClientConfig: options.parentClientConfig,
+    clientConfig: options.clientConfig,
   })().then((creds) => {
     if (profileData.sso_session) {
       return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r");

packages/credential-provider-sso/src/fromSSO.ts

@@ -133,6 +133,7 @@ export const fromSSO =
         ssoRoleName: sso_role_name,
         ssoClient: ssoClient,
         clientConfig: init.clientConfig,
+        parentClientConfig: init.parentClientConfig,
         profile: profileName,
       });
     } else if (!ssoStartUrl || !ssoAccountId || !ssoRegion || !ssoRoleName) {
@@ -150,6 +151,7 @@ export const fromSSO =
         ssoRoleName,
         ssoClient,
         clientConfig: init.clientConfig,
+        parentClientConfig: init.parentClientConfig,
         profile: profileName,
       });
     }

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -20,6 +20,7 @@ export const resolveSSOCredentials = async ({
   ssoRoleName,
   ssoClient,
   clientConfig,
+  parentClientConfig,
   profile,
   logger,
 }: FromSSOInit & SsoCredentialsParameters): Promise<AwsCredentialIdentity> => {
@@ -65,6 +66,7 @@ export const resolveSSOCredentials = async ({
     ssoClient ||
     new SSOClient(
       Object.assign({}, clientConfig ?? {}, {
+        logger: clientConfig?.logger ?? parentClientConfig?.logger,
         region: clientConfig?.region ?? ssoRegion,
       })
     );

packages/token-providers/src/fromSso.spec.ts

@@ -48,6 +48,7 @@ describe(fromSso.name, () => {
     accessToken: "mockNewAccessToken",
     expiresIn: 3600,
     refreshToken: "mockNewRefreshToken",
+    $metadata: {},
   };
   const mockNewToken = {
     token: mockNewTokenFromService.accessToken,

packages/token-providers/src/fromSso.ts

@@ -20,7 +20,12 @@ import { writeSSOTokenToFile } from "./writeSSOTokenToFile";
  */
 const lastRefreshAttemptTime = new Date(0);
 
-export interface FromSsoInit extends SourceProfileInit, CredentialProviderOptions {}
+export interface FromSsoInit extends SourceProfileInit, CredentialProviderOptions {
+  /**
+   * @see SSOOIDCClientConfig in \@aws-sdk/client-sso-oidc.
+   */
+  clientConfig?: any;
+}
 
 /**
  * Creates a token provider that will read from SSO token cache or ssoOidc.createToken() call.
@@ -101,7 +106,7 @@ export const fromSso =
 
     try {
       lastRefreshAttemptTime.setTime(Date.now());
-      const newSsoOidcToken = await getNewSsoOidcToken(ssoToken, ssoRegion);
+      const newSsoOidcToken = await getNewSsoOidcToken(ssoToken, ssoRegion, init);
       validateTokenKey("accessToken", newSsoOidcToken.accessToken);
       validateTokenKey("expiresIn", newSsoOidcToken.expiresIn);
       const newTokenExpiration = new Date(Date.now() + newSsoOidcToken.expiresIn! * 1000);

packages/token-providers/src/getNewSsoOidcToken.ts

@@ -1,16 +1,17 @@
 import { SSOToken } from "@smithy/shared-ini-file-loader";
 
+import { FromSsoInit } from "./fromSso";
 import { getSsoOidcClient } from "./getSsoOidcClient";
 
 /**
  * Returns a new SSO OIDC token from ssoOids.createToken() API call.
  * @internal
  */
-export const getNewSsoOidcToken = async (ssoToken: SSOToken, ssoRegion: string) => {
+export const getNewSsoOidcToken = async (ssoToken: SSOToken, ssoRegion: string, init: FromSsoInit = {}) => {
   // @ts-ignore Cannot find module '@aws-sdk/client-sso-oidc'
   const { CreateTokenCommand } = await import("@aws-sdk/client-sso-oidc");
 
-  const ssoOidcClient = await getSsoOidcClient(ssoRegion);
+  const ssoOidcClient = await getSsoOidcClient(ssoRegion, init);
   return ssoOidcClient.send(
     new CreateTokenCommand({
       clientId: ssoToken.clientId,

packages/token-providers/src/getSsoOidcClient.ts

@@ -1,23 +1,18 @@
-const ssoOidcClientsHash: Record<string, any> = {};
+import { FromSsoInit } from "./fromSso";
 
 /**
- * Returns a SSOOIDC client for the given region. If the client has already been created,
- * it will be returned from the hash.
+ * Returns a SSOOIDC client for the given region.
  * @internal
  */
-export const getSsoOidcClient = async (ssoRegion: string) => {
+export const getSsoOidcClient = async (ssoRegion: string, init: FromSsoInit = {}) => {
   // @ts-ignore Cannot find module '@aws-sdk/client-sso-oidc'
   const { SSOOIDCClient } = await import("@aws-sdk/client-sso-oidc");
 
-  // return ssoOidsClient if already created.
-  if (ssoOidcClientsHash[ssoRegion]) {
-    return ssoOidcClientsHash[ssoRegion];
-  }
-
-  // Create new SSOOIDC client, and store is in hash.
-  // If we need to support configuration of SsoOidc client in future through code,
-  // the provision to pass region from client configuration needs to be added.
-  const ssoOidcClient = new SSOOIDCClient({ region: ssoRegion });
-  ssoOidcClientsHash[ssoRegion] = ssoOidcClient;
+  const ssoOidcClient = new SSOOIDCClient(
+    Object.assign({}, init.clientConfig ?? {}, {
+      region: ssoRegion ?? init.clientConfig.region,
+      logger: init.clientConfig?.logger ?? init.parentClientConfig?.logger,
+    })
+  );
   return ssoOidcClient;
 };