feat(sts): use constructor if itself for assumerole

Author: AllanZhengYP

clients/client-sts/STSClient.ts

@@ -30,7 +30,8 @@ import {
 } from "@aws-sdk/middleware-host-header";
 import { getLoggerPlugin } from "@aws-sdk/middleware-logger";
 import { RetryInputConfig, RetryResolvedConfig, getRetryPlugin, resolveRetryConfig } from "@aws-sdk/middleware-retry";
-import { AwsAuthInputConfig, AwsAuthResolvedConfig, resolveAwsAuthConfig } from "@aws-sdk/middleware-signing";
+// import { AwsAuthInputConfig, AwsAuthResolvedConfig, resolveAwsAuthConfig } from "@aws-sdk/middleware-signing";
+import { StsAuthInputConfig, StsAuthResolvedConfig, resolveStsAuthConfig } from "@aws-sdk/middleware-sdk-sts";
 import {
   UserAgentInputConfig,
   UserAgentResolvedConfig,
@@ -180,7 +181,8 @@ export type STSClientConfig = Partial<__SmithyConfiguration<__HttpHandlerOptions
   EndpointsInputConfig &
   RetryInputConfig &
   HostHeaderInputConfig &
-  AwsAuthInputConfig &
+  // AwsAuthInputConfig &
+  StsAuthInputConfig &
   UserAgentInputConfig;
 
 export type STSClientResolvedConfig = __SmithyResolvedConfiguration<__HttpHandlerOptions> &
@@ -189,7 +191,8 @@ export type STSClientResolvedConfig = __SmithyResolvedConfiguration<__HttpHandle
   EndpointsResolvedConfig &
   RetryResolvedConfig &
   HostHeaderResolvedConfig &
-  AwsAuthResolvedConfig &
+  // AwsAuthResolvedConfig &
+  StsAuthResolvedConfig &
   UserAgentResolvedConfig;
 
 /**
@@ -216,7 +219,8 @@ export class STSClient extends __Client<
     let _config_2 = resolveEndpointsConfig(_config_1);
     let _config_3 = resolveRetryConfig(_config_2);
     let _config_4 = resolveHostHeaderConfig(_config_3);
-    let _config_5 = resolveAwsAuthConfig(_config_4);
+    // let _config_5 = resolveAwsAuthConfig(_config_4);
+    let _config_5 = resolveStsAuthConfig(_config_4, STSClient);
     let _config_6 = resolveUserAgentConfig(_config_5);
     super(_config_6);
     this.config = _config_6;

clients/client-sts/defaultRoleAssumers.ts

@@ -0,0 +1,24 @@
+import {
+  DefaultCredentialProvider,
+  getDefaultRoleAssumer as StsGetDefaultRoleAssumer,
+  getDefaultRoleAssumerWithWebIdentity as StsGetDefaultRoleAssumerWithWebIdentity,
+  RoleAssumer,
+  RoleAssumerWithWebIdentity,
+} from "./defaultStsRoleAssumers";
+import { STSClient, STSClientConfig } from "./STSClient";
+
+export const getDefaultRoleAssumer = (stsOptions: Pick<STSClientConfig, "logger" | "region">): RoleAssumer =>
+  StsGetDefaultRoleAssumer(stsOptions, STSClient);
+
+export const getDefaultRoleAssumerWithWebIdentity = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region">
+): RoleAssumerWithWebIdentity => StsGetDefaultRoleAssumerWithWebIdentity(stsOptions, STSClient);
+
+export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => (
+  input: any
+) =>
+  provider({
+    roleAssumer: getDefaultRoleAssumer(input),
+    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input),
+    ...input,
+  });

clients/client-sts/defaultStsRoleAssumers.ts

@@ -0,0 +1,119 @@
+import { Credentials, Provider } from "@aws-sdk/types";
+
+import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
+import {
+  AssumeRoleWithWebIdentityCommand,
+  AssumeRoleWithWebIdentityCommandInput,
+} from "./commands/AssumeRoleWithWebIdentityCommand";
+import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSClient";
+
+/**
+ * @internal
+ */
+export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
+
+const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
+
+/**
+ * Inject the fallback STS region of us-east-1.
+ */
+const decorateDefaultRegion = (region: string | Provider<string> | undefined): string | Provider<string> => {
+  if (typeof region !== "function") {
+    return region === undefined ? ASSUME_ROLE_DEFAULT_REGION : region;
+  }
+  return async () => {
+    try {
+      return await region();
+    } catch (e) {
+      return ASSUME_ROLE_DEFAULT_REGION;
+    }
+  };
+};
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
+ * @internal
+ */
+export const getDefaultRoleAssumer = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region">,
+  stsClientCtor: new (options: STSClientConfig) => STSClient
+): RoleAssumer => {
+  let stsClient: STSClient;
+  return async (sourceCreds, params) => {
+    if (!stsClient) {
+      const { logger, region } = stsOptions;
+      stsClient = new stsClientCtor({
+        logger,
+        credentials: sourceCreds,
+        region: decorateDefaultRegion(region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+/**
+ * @internal
+ */
+export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
+ * @internal
+ */
+export const getDefaultRoleAssumerWithWebIdentity = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region">,
+  stsClientCtor: new (options: STSClientConfig) => STSClient
+): RoleAssumerWithWebIdentity => {
+  let stsClient: STSClient;
+  return async (params) => {
+    if (!stsClient) {
+      const { logger, region } = stsOptions;
+      stsClient = new stsClientCtor({
+        logger,
+        region: decorateDefaultRegion(region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+/**
+ * @internal
+ */
+export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
+
+/**
+ * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
+ * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
+ * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
+ * dependencies.
+ *
+ * @internal
+ */
+export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => (
+  input: STSClientResolvedConfig
+) =>
+  provider({
+    roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor),
+    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor),
+    ...input,
+  });

clients/client-sts/index.ts

@@ -9,3 +9,4 @@ export * from "./commands/GetCallerIdentityCommand";
 export * from "./commands/GetFederationTokenCommand";
 export * from "./commands/GetSessionTokenCommand";
 export * from "./models/index";
+export * from "./defaultRoleAssumers";

clients/client-sts/package.json

@@ -36,6 +36,7 @@
     "@aws-sdk/middleware-host-header": "3.10.0",
     "@aws-sdk/middleware-logger": "3.10.0",
     "@aws-sdk/middleware-retry": "3.10.0",
+    "@aws-sdk/middleware-sdk-sts": "3.0.0",
     "@aws-sdk/middleware-serde": "3.10.0",
     "@aws-sdk/middleware-signing": "3.10.0",
     "@aws-sdk/middleware-stack": "3.10.0",
@@ -88,5 +89,11 @@
     "type": "git",
     "url": "https://github.com/aws/aws-sdk-js-v3.git",
     "directory": "clients/client-sts"
+  },
+  "exports": {
+    "./defaultRoleAssumers": {
+      "import": "./dist/es/defaultRoleAssumers.js",
+      "require": "./dist/cjs/defaultRoleAssumers.js"
+    }
   }
 }

clients/client-sts/runtimeConfig.ts

@@ -1,6 +1,7 @@
 import packageInfo from "./package.json";
 
 import { NODE_REGION_CONFIG_FILE_OPTIONS, NODE_REGION_CONFIG_OPTIONS } from "@aws-sdk/config-resolver";
+import { decorateDefaultCredentialProvider } from "./defaultStsRoleAssumers";
 import { defaultProvider as credentialDefaultProvider } from "@aws-sdk/credential-provider-node";
 import { Hash } from "@aws-sdk/hash-node";
 import { NODE_MAX_ATTEMPT_CONFIG_OPTIONS } from "@aws-sdk/middleware-retry";
@@ -22,7 +23,7 @@ export const ClientDefaultValues: Required<ClientDefaults> = {
   base64Decoder: fromBase64,
   base64Encoder: toBase64,
   bodyLengthChecker: calculateBodyLength,
-  credentialDefaultProvider,
+  credentialDefaultProvider: decorateDefaultCredentialProvider(credentialDefaultProvider),
   defaultUserAgentProvider: defaultUserAgent({
     serviceId: ClientSharedValues.serviceId,
     clientVersion: packageInfo.version,