chore: update aws auth generator with default role assumers

Author: AllanZhengYP

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddAwsAuthPlugin.java

@@ -22,6 +22,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.BiConsumer;
 import java.util.function.Consumer;
 import software.amazon.smithy.aws.traits.ServiceTrait;
 import software.amazon.smithy.codegen.core.SymbolProvider;
@@ -37,6 +38,7 @@
 import software.amazon.smithy.typescript.codegen.TypeScriptWriter;
 import software.amazon.smithy.typescript.codegen.integration.RuntimeClientPlugin;
 import software.amazon.smithy.typescript.codegen.integration.TypeScriptIntegration;
+import software.amazon.smithy.utils.IoUtils;
 import software.amazon.smithy.utils.ListUtils;
 import software.amazon.smithy.utils.MapUtils;
 import software.amazon.smithy.utils.SetUtils;
@@ -45,6 +47,9 @@
  * Configure clients with AWS auth configurations and plugin.
  */
 public final class AddAwsAuthPlugin implements TypeScriptIntegration {
+    static final String STS_CLIENT_PREFIX = "sts-client-";
+    static final String ROLE_ASSUMERS_FILE = "defaultRoleAssumers";
+    static final String STS_ROLE_ASSUMERS_FILE = "defaultStsRoleAssumers";
 
     @Override
     public void addConfigInterfaceFields(
@@ -66,7 +71,13 @@ public List<RuntimeClientPlugin> getClientPlugins() {
         return ListUtils.of(
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_CONFIG)
-                    .servicePredicate((m, s) -> !areAllOptionalAuthOperations(m, s))
+                    .servicePredicate((m, s) -> !areAllOptionalAuthOperations(m, s) && !testServiceId(s, "STS"))
+                    .build(),
+            RuntimeClientPlugin.builder()
+                    .withConventions(AwsDependency.STS_MIDDLEWARE.dependency,
+                            "StsAuth", HAS_CONFIG)
+                    .additionalResolveFunctionParameters("STSClient")
+                    .servicePredicate((m, s) -> testServiceId(s, "STS"))
                     .build(),
             RuntimeClientPlugin.builder()
                     .withConventions(AwsDependency.MIDDLEWARE_SIGNING.dependency, "AwsAuth", HAS_MIDDLEWARE)
@@ -104,17 +115,70 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
             case NODE:
                 return MapUtils.of(
                     "credentialDefaultProvider", writer -> {
+                        if (!testServiceId(service, "STS")) {
+                            writer.addDependency(AwsDependency.STS_CLIENT);
+                            writer.addImport("decorateDefaultCredentialProvider", "decorateDefaultCredentialProvider", 
+                                    AwsDependency.STS_CLIENT.packageName);
+                        } else {
+                            writer.addImport("decorateDefaultCredentialProvider", "decorateDefaultCredentialProvider", 
+                                    "./" + ROLE_ASSUMERS_FILE);
+                        }
                         writer.addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE);
                         writer.addImport("defaultProvider", "credentialDefaultProvider",
                                 AwsDependency.CREDENTIAL_PROVIDER_NODE.packageName);
-                        writer.write("credentialDefaultProvider,");
+                        writer.write("credentialDefaultProvider: decorateDefaultCredentialProvider("
+                                + "credentialDefaultProvider),");
                     }
                 );
             default:
                 return Collections.emptyMap();
         }
     }
 
+    @Override
+    public void writeAdditionalFiles(
+        TypeScriptSettings settings,
+        Model model,
+        SymbolProvider symbolProvider,
+        BiConsumer<String, Consumer<TypeScriptWriter>> writerFactory
+    ) {
+        ServiceShape service = settings.getService(model);
+        if (!testServiceId(service, "STS")) {
+            return;
+        }
+        writerFactory.accept("defaultRoleAssumers.ts", writer -> {
+            String source = IoUtils.readUtf8Resource(getClass(), 
+                    String.format("%s%s.ts", STS_CLIENT_PREFIX, ROLE_ASSUMERS_FILE));
+            writer.write("$L", source);
+        });
+        writerFactory.accept("defaultStsRoleAssumers.ts", writer -> {
+            String source = IoUtils.readUtf8Resource(getClass(), 
+                    String.format("%s%s.ts", STS_CLIENT_PREFIX, STS_ROLE_ASSUMERS_FILE));
+            writer.write("$L", source);
+        });
+
+        // String utilsFileLocation = String.format("%s%s", docClientPrefix, DocumentClientUtils.CLIENT_UTILS_FILE);
+        //     writerFactory.accept(String.format("%s%s/%s.ts", docClientPrefix,
+        //         DocumentClientUtils.CLIENT_COMMANDS_FOLDER, DocumentClientUtils.CLIENT_UTILS_FILE), writer -> {
+        //         writer.write(IoUtils.readUtf8Resource(AddDocumentClientPlugin.class,
+        //             String.format("%s.ts", utilsFileLocation)));
+        //     });
+    }
+
+    @Override
+    public void writeAdditionalExports(
+        TypeScriptSettings settings,
+        Model model,
+        SymbolProvider symbolProvider,
+        TypeScriptWriter writer
+    ) {
+        ServiceShape service = settings.getService(model);
+        if (!testServiceId(service, "STS")) {
+            return;
+        }
+        writer.write("export * from $S", "./" + ROLE_ASSUMERS_FILE);
+    }
+
     private static boolean testServiceId(Shape serviceShape, String expectedId) {
         return serviceShape.getTrait(ServiceTrait.class).map(ServiceTrait::getSdkId).orElse("").equals(expectedId);
     }

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AwsDependency.java

@@ -59,6 +59,8 @@ public enum AwsDependency implements SymbolDependencyContainer {
     AWS_SDK_EVENTSTREAM_HANDLER_NODE(NORMAL_DEPENDENCY, "@aws-sdk/eventstream-handler-node", "^1.0.0-rc.1"),
     TRANSCRIBE_STREAMING_MIDDLEWARE(NORMAL_DEPENDENCY, "@aws-sdk/middleware-sdk-transcribe-streaming",
             "^1.0.0-rc.1"),
+    STS_MIDDLEWARE(NORMAL_DEPENDENCY, "@aws-sdk/middleware-sdk-sts", "3.11.0"),
+    STS_CLIENT(NORMAL_DEPENDENCY, "@aws-sdk/client-sts", "3.11.0"),
     RETRY_CONFIG_PROVIDER(NORMAL_DEPENDENCY, "@aws-sdk/retry-config-provider", "^1.0.0-rc.1"),
     NODE_CONFIG_PROVIDER(NORMAL_DEPENDENCY, "@aws-sdk/node-config-provider", "^1.0.0-rc.1"),
     MIDDLEWARE_LOGGER(NORMAL_DEPENDENCY, "@aws-sdk/middleware-logger", "^1.0.0-rc.1"),

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultRoleAssumers.ts

@@ -0,0 +1,38 @@
+import {
+  DefaultCredentialProvider,
+  getDefaultRoleAssumer as StsGetDefaultRoleAssumer,
+  getDefaultRoleAssumerWithWebIdentity as StsGetDefaultRoleAssumerWithWebIdentity,
+  RoleAssumer,
+  RoleAssumerWithWebIdentity,
+} from "./defaultStsRoleAssumers";
+import { STSClient, STSClientConfig } from "./STSClient";
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
+ */
+export const getDefaultRoleAssumer = (stsOptions: Pick<STSClientConfig, "logger" | "region"> = {}): RoleAssumer =>
+  StsGetDefaultRoleAssumer(stsOptions, STSClient);
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
+ */
+export const getDefaultRoleAssumerWithWebIdentity = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region"> = {}
+): RoleAssumerWithWebIdentity => StsGetDefaultRoleAssumerWithWebIdentity(stsOptions, STSClient);
+
+/**
+ * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
+ * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
+ * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
+ * dependencies.
+ *
+ * @internal
+ */
+export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => (
+  input: any
+) =>
+  provider({
+    roleAssumer: getDefaultRoleAssumer(input),
+    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input),
+    ...input,
+  });

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -0,0 +1,119 @@
+import { Credentials, Provider } from "@aws-sdk/types";
+
+import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
+import {
+  AssumeRoleWithWebIdentityCommand,
+  AssumeRoleWithWebIdentityCommandInput,
+} from "./commands/AssumeRoleWithWebIdentityCommand";
+import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSClient";
+
+/**
+ * @internal
+ */
+export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
+
+const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
+
+/**
+ * Inject the fallback STS region of us-east-1.
+ */
+const decorateDefaultRegion = (region: string | Provider<string> | undefined): string | Provider<string> => {
+  if (typeof region !== "function") {
+    return region === undefined ? ASSUME_ROLE_DEFAULT_REGION : region;
+  }
+  return async () => {
+    try {
+      return await region();
+    } catch (e) {
+      return ASSUME_ROLE_DEFAULT_REGION;
+    }
+  };
+};
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
+ * @internal
+ */
+export const getDefaultRoleAssumer = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region">,
+  stsClientCtor: new (options: STSClientConfig) => STSClient
+): RoleAssumer => {
+  let stsClient: STSClient;
+  return async (sourceCreds, params) => {
+    if (!stsClient) {
+      const { logger, region } = stsOptions;
+      stsClient = new stsClientCtor({
+        logger,
+        credentials: sourceCreds,
+        region: decorateDefaultRegion(region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+/**
+ * @internal
+ */
+export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
+
+/**
+ * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
+ * @internal
+ */
+export const getDefaultRoleAssumerWithWebIdentity = (
+  stsOptions: Pick<STSClientConfig, "logger" | "region">,
+  stsClientCtor: new (options: STSClientConfig) => STSClient
+): RoleAssumerWithWebIdentity => {
+  let stsClient: STSClient;
+  return async (params) => {
+    if (!stsClient) {
+      const { logger, region } = stsOptions;
+      stsClient = new stsClientCtor({
+        logger,
+        region: decorateDefaultRegion(region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+/**
+ * @internal
+ */
+export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
+
+/**
+ * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
+ * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
+ * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
+ * dependencies.
+ *
+ * @internal
+ */
+export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => (
+  input: STSClientResolvedConfig
+) =>
+  provider({
+    roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor),
+    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor),
+    ...input,
+  });

scripts/generate-clients/copy-to-clients.js

@@ -20,12 +20,17 @@ const getOverwritablePredicate = (packageName) => (pathName) => {
     "endpoints.ts",
     "README.md",
   ];
+  const additionalGeneratedFiles = {
+    "@aws-sdk/client-sts": ["defaultRoleAssumers.ts", "defaultStsRoleAssumers.ts"],
+  };
   return (
     pathName
       .toLowerCase()
       .startsWith(
         packageName.toLowerCase().replace("@aws-sdk/client-", "").replace("@aws-sdk/aws-", "").replace(/-/g, "")
-      ) || overwritablePathnames.indexOf(pathName) >= 0
+      ) ||
+    overwritablePathnames.indexOf(pathName) >= 0 ||
+    additionalGeneratedFiles[packageName.toLowerCase()]?.indexOf(pathName) >= 0
   );
 };