feat(NODE-6988): require aws sdk for aws auth

Author: durran

src/cmap/auth/aws_temporary_credentials.ts

@@ -1,10 +1,5 @@
 import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
 import { MongoAWSError } from '../../error';
-import { request } from '../../utils';
-
-const AWS_RELATIVE_URI = 'http://169.254.170.2';
-const AWS_EC2_URI = 'http://169.254.169.254';
-const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 
 /**
  * @internal
@@ -32,7 +27,7 @@ export type AWSCredentialProvider = () => Promise<AWSCredentials>;
 export abstract class AWSTemporaryCredentialProvider {
   abstract getCredentials(): Promise<AWSTempCredentials>;
   private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
-  protected static get awsSDK() {
+  static get awsSDK() {
     AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
     return AWSTemporaryCredentialProvider._awsSDK;
   }
@@ -144,42 +139,3 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
     }
   }
 }
-
-/**
- * @internal
- * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
- * section of the Auth spec.
- */
-export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
-  override async getCredentials(): Promise<AWSTempCredentials> {
-    // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-    // is set then drivers MUST assume that it was set by an AWS ECS agent
-    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
-      return await request(
-        `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`
-      );
-    }
-
-    // Otherwise assume we are on an EC2 instance
-
-    // get a token
-    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
-      method: 'PUT',
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
-    });
-
-    // get role name
-    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    // get temp credentials
-    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    return creds;
-  }
-}

src/cmap/auth/mongodb_aws.ts

@@ -12,8 +12,7 @@ import {
   type AWSCredentialProvider,
   AWSSDKCredentialProvider,
   type AWSTempCredentials,
-  AWSTemporaryCredentialProvider,
-  LegacyAWSTemporaryCredentialProvider
+  type AWSTemporaryCredentialProvider
 } from './aws_temporary_credentials';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
@@ -41,9 +40,7 @@ export class MongoDBAWS extends AuthProvider {
     super();
 
     this.credentialProvider = credentialProvider;
-    this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
-      ? new AWSSDKCredentialProvider(credentialProvider)
-      : new LegacyAWSTemporaryCredentialProvider();
+    this.credentialFetcher = new AWSSDKCredentialProvider(credentialProvider);
   }
 
   override async auth(authContext: AuthContext): Promise<void> {

test/integration/auth/mongodb_aws.test.ts

@@ -153,7 +153,6 @@ describe('MONGODB-AWS', function () {
     });
 
     it('authenticates with a user provided credentials provider', async function () {
-      // @ts-expect-error We intentionally access a protected variable.
       const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
       const provider = async () => {
         providerCount++;