feat(NODE-6161): allow custom aws sdk config

durran · durran · commit cb0e46570142 · 2025-01-29T13:11:46.000+01:00
diff --git a/src/cmap/auth/aws_temporary_credentials.ts b/src/cmap/auth/aws_temporary_credentials.ts
@@ -21,6 +21,9 @@ export interface AWSTempCredentials {
   Expiration?: Date;
 }
 
+/** @internal */
+export type AWSCredentialProvider = () => Promise<AWSCredentials>;
+
 /**
  * @internal
  *
@@ -41,7 +44,20 @@ export abstract class AWSTemporaryCredentialProvider {
 
 /** @internal */
 export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
-  private _provider?: () => Promise<AWSCredentials>;
+  private _provider?: AWSCredentialProvider;
+
+  /**
+   * Create the SDK credentials provider.
+   * @param credentialsProvider - The credentials provider.
+   */
+  constructor(credentialsProvider?: AWSCredentialProvider) {
+    super();
+
+    if (credentialsProvider) {
+      this._provider = credentialsProvider;
+    }
+  }
+
   /**
    * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
    * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
@@ -9,6 +9,7 @@ import {
 import { ByteUtils, maxWireVersion, ns, randomBytes } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
 import {
+  type AWSCredentialProvider,
   AWSSDKCredentialProvider,
   type AWSTempCredentials,
   AWSTemporaryCredentialProvider,
@@ -34,11 +35,11 @@ interface AWSSaslContinuePayload {
 
 export class MongoDBAWS extends AuthProvider {
   private credentialFetcher: AWSTemporaryCredentialProvider;
-  constructor() {
+  constructor(credentialProvider?: AWSCredentialProvider) {
     super();
 
     this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
-      ? new AWSSDKCredentialProvider()
+      ? new AWSSDKCredentialProvider(credentialProvider)
       : new LegacyAWSTemporaryCredentialProvider();
   }
 
diff --git a/src/connection_string.ts b/src/connection_string.ts
@@ -3,6 +3,7 @@ import ConnectionString from 'mongodb-connection-string-url';
 import { URLSearchParams } from 'url';
 
 import type { Document } from './bson';
+import { type AWSCredentialProvider } from './cmap/auth/aws_temporary_credentials';
 import { MongoCredentials } from './cmap/auth/mongo_credentials';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './cmap/auth/providers';
 import { addContainerMetadata, makeClientMetadata } from './cmap/handshake/client_metadata';
@@ -751,6 +752,14 @@ export const OPTIONS = {
   autoSelectFamilyAttemptTimeout: {
     type: 'uint'
   },
+  awsCredentialsProvider: {
+    transform({ values: [value] }): AWSCredentialProvider {
+      if (typeof value === 'function') {
+        return value as AWSCredentialProvider;
+      }
+      throw new MongoParseError(`Option awsCredentialProvider must be a function, got ${value}`);
+    }
+  },
   bsonRegExp: {
     type: 'boolean'
   },
diff --git a/src/mongo_client.ts b/src/mongo_client.ts
@@ -5,6 +5,7 @@ import type { ConnectionOptions as TLSConnectionOptions, TLSSocketOptions } from
 import { type BSONSerializeOptions, type Document, resolveBSONOptions } from './bson';
 import { ChangeStream, type ChangeStreamDocument, type ChangeStreamOptions } from './change_stream';
 import type { AutoEncrypter, AutoEncryptionOptions } from './client-side-encryption/auto_encrypter';
+import { type AWSCredentialProvider } from './cmap/auth/aws_temporary_credentials';
 import {
   type AuthMechanismProperties,
   DEFAULT_ALLOWED_HOSTS,
@@ -299,6 +300,10 @@ export interface MongoClientOptions extends BSONSerializeOptions, SupportedNodeC
    * TODO: NODE-5671 - remove internal flag
    */
   mongodbLogMaxDocumentLength?: number;
+  /**
+   * A custom AWS SDK credentials provider to use instead of the default.
+   */
+  awsCredentialsProvider?: AWSCredentialProvider;
 
   /** @internal */
   __skipPingOnConnect?: boolean;
diff --git a/src/mongo_client_auth_providers.ts b/src/mongo_client_auth_providers.ts
@@ -1,4 +1,5 @@
 import { type AuthProvider } from './cmap/auth/auth_provider';
+import { type AWSCredentialProvider } from './cmap/auth/aws_temporary_credentials';
 import { GSSAPI } from './cmap/auth/gssapi';
 import { type AuthMechanismProperties } from './cmap/auth/mongo_credentials';
 import { MongoDBAWS } from './cmap/auth/mongodb_aws';
@@ -13,8 +14,11 @@ import { X509 } from './cmap/auth/x509';
 import { MongoInvalidArgumentError } from './error';
 
 /** @internal */
-const AUTH_PROVIDERS = new Map<AuthMechanism | string, (workflow?: Workflow) => AuthProvider>([
-  [AuthMechanism.MONGODB_AWS, () => new MongoDBAWS()],
+const AUTH_PROVIDERS = new Map<AuthMechanism | string, (param?: any) => AuthProvider>([
+  [
+    AuthMechanism.MONGODB_AWS,
+    (credentialProvider?: AWSCredentialProvider) => new MongoDBAWS(credentialProvider)
+  ],
   [
     AuthMechanism.MONGODB_CR,
     () => {
