Clients don't use credentials returned from custom credentials providers when configured through extensions #6954
Description
Checkboxes for prior research
- I've gone through Developer Guide and API reference
- I've checked AWS Forums and StackOverflow.
- I've searched for previous similar issues and didn't find any solution.
Describe the bug
When using an SDK extension to configure a credentials provider for a client, the client calls the credentials provider but does not use the credentials that it returns. Instead it uses the default credentials from the environment where it's running from.
Regression Issue
- Select this option if this issue appears to be a regression.
SDK version number
@aws-sdk/[email protected]
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v18.20.5
Reproduction Steps
First, you'll need to have default credentials for an account configured in your environment, let's call this AccountOne.
You'll also need temporary credentials from another account that we'll call AccountTwo.
import { STS } from '@aws-sdk/client-sts';
import { AwsCredentialIdentityProvider } from '@smithy/types';
const fromStaticCredentialProvider = async () => ({
// TODO: Use temporary credentials from AccountTwo
accessKeyId: 'accessKeyId',
secretAccessKey: 'secretAccessKey',
sessionToken: 'sessionToken',
});
interface ExtensionConfiguration {
setCredentials(credentials: AwsCredentialIdentityProvider): void;
}
class StaticCredentialsExtension {
static create(): StaticCredentialsExtension {
return new StaticCredentialsExtension();
}
configure(extensionConfiguration: ExtensionConfiguration): void {
extensionConfiguration.setCredentials(fromStaticCredentialProvider);
}
}
// Returns AccountTwo identity which is expected
new STS({
credentials: fromStaticCredentialProvider,
})
.getCallerIdentity()
.then((callerIdentity) => console.log('credentials', callerIdentity));
// Returns AccountOne identity which is incorrect
new STS({
extensions: [StaticCredentialsExtension.create()],
})
.getCallerIdentity()
.then((callerIdentity) => console.log('extensions', callerIdentity));Observed Behavior
When a client is configured with a credentials provider through the credentials parameter, it uses the credentials returned by that credentials provider when making API calls.
However if the credential provider is configured through an SDK extension in the extensions parameter, the client still calls the credentials provider function but does not use the credentials it returns when making API calls.
Expected Behavior
Configuring credentials through extensions should behave the same way as credentials parameter and should use the credentials returned from the credentials provider function.
Possible Solution
No response
Additional Information/Context
No response