feat(credential-providers): make credential providers aware of contextual client region

Author: kuhe

package.json

@@ -24,6 +24,7 @@
     "copy-models": "node ./scripts/copy-models",
     "extract:docs": "node ./scripts/extract-docs/index.js",
     "g:vitest": "cd $INIT_CWD && vitest",
+    "g:jest": "cd $INIT_CWD && jest",
     "generate-clients": "node ./scripts/generate-clients",
     "generate:clients:generic": "node ./scripts/generate-clients/generic",
     "generate:defaults-mode-provider": "./scripts/generate-defaults-mode-provider/index.js",

packages/core/src/submodules/httpAuthSchemes/aws_sdk/resolveAwsSdkSigV4Config.ts

@@ -106,29 +106,33 @@ export const resolveAwsSdkSigV4Config = <T>(
 ): T & AwsSdkSigV4AuthResolvedConfig => {
   let isUserSupplied = false;
   // Normalize credentials
-  let normalizedCreds: AwsCredentialIdentityProvider | undefined;
+  let credentialsProvider: AwsCredentialIdentityProvider | undefined;
   if (config.credentials) {
     isUserSupplied = true;
-    normalizedCreds = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
+    credentialsProvider = memoizeIdentityProvider(config.credentials, isIdentityExpired, doesIdentityRequireRefresh);
   }
-  if (!normalizedCreds) {
+  if (!credentialsProvider) {
     // credentialDefaultProvider should always be populated, but in case
     // it isn't, set a default identity provider that throws an error
     if (config.credentialDefaultProvider) {
-      normalizedCreds = normalizeProvider(
+      credentialsProvider = normalizeProvider(
         config.credentialDefaultProvider(
           Object.assign({}, config as any, {
             parentClientConfig: config,
           })
         )
       );
     } else {
-      normalizedCreds = async () => {
+      credentialsProvider = async () => {
         throw new Error("`credentials` is missing");
       };
     }
   }
 
+  const contextBoundCredentialsProvider = async () => {
+    return credentialsProvider!({ contextClientConfig: config });
+  };
+
   // Populate sigv4 arguments
   const {
     // Default for signingEscapePath
@@ -170,7 +174,7 @@ export const resolveAwsSdkSigV4Config = <T>(
 
           const params: SignatureV4Init & SignatureV4CryptoInit = {
             ...config,
-            credentials: normalizedCreds!,
+            credentials: contextBoundCredentialsProvider,
             region: config.signingRegion,
             service: config.signingName,
             sha256,
@@ -206,7 +210,7 @@ export const resolveAwsSdkSigV4Config = <T>(
 
       const params: SignatureV4Init & SignatureV4CryptoInit = {
         ...config,
-        credentials: normalizedCreds!,
+        credentials: contextBoundCredentialsProvider,
         region: config.signingRegion,
         service: config.signingName,
         sha256,
@@ -224,10 +228,10 @@ export const resolveAwsSdkSigV4Config = <T>(
     signingEscapePath,
     credentials: isUserSupplied
       ? async () =>
-          normalizedCreds!().then((creds: AttributedAwsCredentialIdentity) =>
+          contextBoundCredentialsProvider!().then((creds: AttributedAwsCredentialIdentity) =>
             setCredentialFeature(creds, "CREDENTIALS_CODE", "e")
           )
-      : normalizedCreds!,
+      : contextBoundCredentialsProvider!,
     signer,
   };
 };

packages/credential-provider-cognito-identity/src/fromCognitoIdentity.ts

@@ -1,6 +1,6 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import type { AwsIdentityProperties, CredentialProviderOptions, RegionalIdentityProvider } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
-import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
+import type { AwsCredentialIdentity, Logger } from "@smithy/types";
 
 import { CognitoProviderParameters } from "./CognitoProviderParameters";
 import { resolveLogins } from "./resolveLogins";
@@ -18,7 +18,7 @@ export interface CognitoIdentityCredentials extends AwsCredentialIdentity {
 /**
  * @internal
  */
-export type CognitoIdentityCredentialProvider = Provider<CognitoIdentityCredentials>;
+export type CognitoIdentityCredentialProvider = RegionalIdentityProvider<CognitoIdentityCredentials>;
 
 /**
  * @internal
@@ -29,7 +29,7 @@ export type CognitoIdentityCredentialProvider = Provider<CognitoIdentityCredenti
  * Results from this function call are not cached internally.
  */
 export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters): CognitoIdentityCredentialProvider {
-  return async (): Promise<CognitoIdentityCredentials> => {
+  return async (awsIdentityProperties?: AwsIdentityProperties): Promise<CognitoIdentityCredentials> => {
     parameters.logger?.debug("@aws-sdk/credential-provider-cognito-identity - fromCognitoIdentity");
     const { GetCredentialsForIdentityCommand, CognitoIdentityClient } = await import("./loadCognitoIdentity");
 
@@ -44,7 +44,10 @@ export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters):
       parameters.client ??
       new CognitoIdentityClient(
         Object.assign({}, parameters.clientConfig ?? {}, {
-          region: parameters.clientConfig?.region ?? parameters.parentClientConfig?.region,
+          region:
+            parameters.clientConfig?.region ??
+            parameters.parentClientConfig?.region ??
+            awsIdentityProperties?.contextClientConfig?.region,
         })
       )
     ).send(

packages/credential-provider-cognito-identity/src/fromCognitoIdentityPool.ts

@@ -1,4 +1,4 @@
-import type { CredentialProviderOptions } from "@aws-sdk/types";
+import type { AwsIdentityProperties, CredentialProviderOptions } from "@aws-sdk/types";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { Logger } from "@smithy/types";
 
@@ -35,12 +35,15 @@ export function fromCognitoIdentityPool({
     ? `aws:cognito-identity-credentials:${identityPoolId}:${userIdentifier}`
     : undefined;
 
-  let provider: CognitoIdentityCredentialProvider = async () => {
+  let provider: CognitoIdentityCredentialProvider = async (awsIdentityProperties?: AwsIdentityProperties) => {
     const { GetIdCommand, CognitoIdentityClient } = await import("./loadCognitoIdentity");
     const _client =
       client ??
       new CognitoIdentityClient(
-        Object.assign({}, clientConfig ?? {}, { region: clientConfig?.region ?? parentClientConfig?.region })
+        Object.assign({}, clientConfig ?? {}, {
+          region:
+            clientConfig?.region ?? parentClientConfig?.region ?? awsIdentityProperties?.contextClientConfig?.region,
+        })
       );
 
     let identityId: string | undefined = (cacheKey && (await cache.getItem(cacheKey))) as string | undefined;

packages/credential-provider-ini/src/fromIni.ts

@@ -1,7 +1,8 @@
 import type { AssumeRoleWithWebIdentityParams } from "@aws-sdk/credential-provider-web-identity";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
+import type { RegionalAwsCredentialIdentityProvider } from "@aws-sdk/types";
 import { getProfileName, parseKnownFiles, SourceProfileInit } from "@smithy/shared-ini-file-loader";
-import type { AwsCredentialIdentity, AwsCredentialIdentityProvider, Pluggable } from "@smithy/types";
+import type { AwsCredentialIdentity, Pluggable } from "@smithy/types";
 
 import { AssumeRoleParams } from "./resolveAssumeRoleCredentials";
 import { resolveProfileData } from "./resolveProfileData";
@@ -55,8 +56,15 @@ export interface FromIniInit extends SourceProfileInit, CredentialProviderOption
  * role assumption and multi-factor authentication.
  */
 export const fromIni =
-  (init: FromIniInit = {}): AwsCredentialIdentityProvider =>
-  async () => {
+  (_init: FromIniInit = {}): RegionalAwsCredentialIdentityProvider =>
+  async (props = {}) => {
+    const init: FromIniInit = {
+      ..._init,
+      parentClientConfig: {
+        region: props.contextClientConfig?.region,
+        ..._init.parentClientConfig,
+      },
+    };
     init.logger?.debug("@aws-sdk/credential-provider-ini - fromIni");
     const profiles = await parseKnownFiles(init);
     return resolveProfileData(getProfileName(init), profiles, init);

packages/credential-provider-node/package.json

@@ -16,7 +16,7 @@
     "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
     "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
     "test": "yarn g:vitest run",
-    "test:integration": "jest -c jest.config.integ.js",
+    "test:integration": "yarn g:jest -c jest.config.integ.js",
     "test:watch": "yarn g:vitest watch"
   },
   "keywords": [

packages/credential-provider-node/src/credential-provider-node.integ.spec.ts

@@ -1,5 +1,6 @@
 import { STS } from "@aws-sdk/client-sts";
 import * as credentialProviderHttp from "@aws-sdk/credential-provider-http";
+import { fromIni } from "@aws-sdk/credential-providers";
 import { HttpResponse } from "@smithy/protocol-http";
 import type { SourceProfileInit } from "@smithy/shared-ini-file-loader";
 import type { HttpRequest, NodeHttpHandlerOptions, ParsedIniData } from "@smithy/types";
@@ -67,6 +68,8 @@ jest.mock("@smithy/node-http-handler", () => {
         assumeRoleArns.push(request.body.match(/RoleArn=(.*?)&/)?.[1]);
       }
 
+      const region = (request.hostname.match(/sts\.(.*?)\./) || [, "unknown"])[1];
+
       if (request.headers.Authorization === "container-authorization") {
         body.write(
           JSON.stringify({
@@ -94,7 +97,7 @@ jest.mock("@smithy/node-http-handler", () => {
   <Credentials>
     <AccessKeyId>STS_ARWI_ACCESS_KEY_ID</AccessKeyId>
     <SecretAccessKey>STS_ARWI_SECRET_ACCESS_KEY</SecretAccessKey>
-    <SessionToken>STS_ARWI_SESSION_TOKEN</SessionToken>
+    <SessionToken>STS_ARWI_SESSION_TOKEN_${region}</SessionToken>
     <Expiration>3000-01-01T00:00:00.000Z</Expiration>
   </Credentials>
 </AssumeRoleWithWebIdentityResult>
@@ -109,7 +112,7 @@ jest.mock("@smithy/node-http-handler", () => {
   <Credentials>
     <AccessKeyId>STS_AR_ACCESS_KEY_ID</AccessKeyId>
     <SecretAccessKey>STS_AR_SECRET_ACCESS_KEY</SecretAccessKey>
-    <SessionToken>STS_AR_SESSION_TOKEN</SessionToken>
+    <SessionToken>STS_AR_SESSION_TOKEN_${region}</SessionToken>
     <Expiration>3000-01-01T00:00:00.000Z</Expiration>
   </Credentials>
 </AssumeRoleResult>
@@ -379,7 +382,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
@@ -409,7 +412,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_eu-west-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
@@ -439,9 +442,41 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-gov-stsar-1",
+        expiration: new Date("3000-01-01T00:00:00.000Z"),
+        $source: {
+          CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
+          CREDENTIALS_STS_ASSUME_ROLE: "i",
+        },
+      });
+    });
+
+    it("should use the context client's region for STS even if initialized separately in a code-level provider", async () => {
+      sts = new STS({
+        region: "eu-west-1",
+        credentials: fromIni(),
+      });
+      iniProfileData.assume = {
+        region: "eu-west-1",
+        aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+        aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+      };
+      Object.assign(iniProfileData.default, {
+        region: "eu-west-1",
+        role_arn: "ROLE_ARN",
+        role_session_name: "ROLE_SESSION_NAME",
+        external_id: "EXTERNAL_ID",
+        source_profile: "assume",
+      });
+      await sts.getCallerIdentity({});
+      const credentials = await sts.config.credentials();
+      expect(credentials).toEqual({
+        accessKeyId: "STS_AR_ACCESS_KEY_ID",
+        secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+        sessionToken: "STS_AR_SESSION_TOKEN_eu-west-1",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
+          CREDENTIALS_CODE: "e",
           CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
           CREDENTIALS_STS_ASSUME_ROLE: "i",
         },
@@ -458,7 +493,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
         secretAccessKey: "STS_ARWI_SECRET_ACCESS_KEY",
-        sessionToken: "STS_ARWI_SESSION_TOKEN",
+        sessionToken: "STS_ARWI_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN: "q",
@@ -484,7 +519,7 @@ describe("credential-provider-node integration test", () => {
         expect(credentials).toEqual({
           accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
           secretAccessKey: "STS_ARWI_SECRET_ACCESS_KEY",
-          sessionToken: "STS_ARWI_SESSION_TOKEN",
+          sessionToken: "STS_ARWI_SESSION_TOKEN_us-gov-sts-1",
           expiration: new Date("3000-01-01T00:00:00.000Z"),
           $source: {
             CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN: "q",
@@ -562,7 +597,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_CODE: "e",
@@ -605,7 +640,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_CODE: "e",
@@ -650,7 +685,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_CODE: "e",
@@ -702,7 +737,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_AR_ACCESS_KEY_ID",
         secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
-        sessionToken: "STS_AR_SESSION_TOKEN",
+        sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_CODE: "e",
@@ -753,7 +788,7 @@ describe("credential-provider-node integration test", () => {
       expect(credentials).toEqual({
         accessKeyId: "STS_ARWI_ACCESS_KEY_ID",
         secretAccessKey: "STS_ARWI_SECRET_ACCESS_KEY",
-        sessionToken: "STS_ARWI_SESSION_TOKEN",
+        sessionToken: "STS_ARWI_SESSION_TOKEN_us-west-2",
         expiration: new Date("3000-01-01T00:00:00.000Z"),
         $source: {
           CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN: "h",

packages/credential-provider-web-identity/src/fromWebToken.ts

@@ -1,6 +1,9 @@
-import { setCredentialFeature } from "@aws-sdk/core/client";
-import type { CredentialProviderOptions } from "@aws-sdk/types";
-import type { AwsCredentialIdentity, AwsCredentialIdentityProvider, Pluggable } from "@smithy/types";
+import type {
+  AwsIdentityProperties,
+  CredentialProviderOptions,
+  RegionalAwsCredentialIdentityProvider,
+} from "@aws-sdk/types";
+import type { AwsCredentialIdentity, Pluggable } from "@smithy/types";
 
 /**
  * @public
@@ -152,8 +155,8 @@ export interface FromWebTokenInit
  * @internal
  */
 export const fromWebToken =
-  (init: FromWebTokenInit): AwsCredentialIdentityProvider =>
-  async () => {
+  (init: FromWebTokenInit): RegionalAwsCredentialIdentityProvider =>
+  async (awsIdentityProperties?: AwsIdentityProperties) => {
     init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
     const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;
 
@@ -166,7 +169,10 @@ export const fromWebToken =
         {
           ...init.clientConfig,
           credentialProviderLogger: init.logger,
-          parentClientConfig: init.parentClientConfig,
+          parentClientConfig: {
+            region: awsIdentityProperties?.contextClientConfig?.region,
+            ...init.parentClientConfig,
+          },
         },
         init.clientPlugins
       );

packages/credential-providers/src/fromIni.ts

@@ -1,5 +1,5 @@
 import { fromIni as _fromIni, FromIniInit } from "@aws-sdk/credential-provider-ini";
-import { AwsCredentialIdentityProvider } from "@smithy/types";
+import type { RegionalAwsCredentialIdentityProvider } from "@aws-sdk/types";
 
 /**
  * Creates a credential provider function that reads from a shared credentials file at `~/.aws/credentials` and a
@@ -40,7 +40,7 @@ import { AwsCredentialIdentityProvider } from "@smithy/types";
  * });
  * ```
  */
-export const fromIni = (init: FromIniInit = {}): AwsCredentialIdentityProvider =>
+export const fromIni = (init: FromIniInit = {}): RegionalAwsCredentialIdentityProvider =>
   _fromIni({
     ...init,
   });

packages/middleware-signing/README.md

@@ -2,3 +2,6 @@
 
 [![NPM version](https://img.shields.io/npm/v/@aws-sdk/middleware-signing/latest.svg)](https://www.npmjs.com/package/@aws-sdk/middleware-signing)
 [![NPM downloads](https://img.shields.io/npm/dm/@aws-sdk/middleware-signing.svg)](https://www.npmjs.com/package/@aws-sdk/middleware-signing)
+
+This package is deprecated. It is only used in "legacy auth", and no longer used in the
+AWS SDK as of the Smithy Reference Architecture implementation of identity and auth.