feat: export default role assumers from sts client

Author: AllanZhengYP

clients/client-sts/defaultRoleAssumers.ts

@@ -0,0 +1,99 @@
+import { Credentials, Provider } from "@aws-sdk/types";
+
+import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
+import {
+  AssumeRoleWithWebIdentityCommand,
+  AssumeRoleWithWebIdentityCommandInput,
+} from "./commands/AssumeRoleWithWebIdentityCommand";
+import { STSClient, STSClientConfig } from "./STSClient";
+
+type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
+
+const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
+
+// Inject the fallback STS region of us-east-1.
+const decorateDefaultRegion = (region: STSClientConfig["region"]): STSClientConfig["region"] => {
+  if (typeof region !== "function") {
+    return region === undefined ? ASSUME_ROLE_DEFAULT_REGION : region;
+  }
+  return async () => {
+    try {
+      return await region();
+    } catch (e) {
+      return ASSUME_ROLE_DEFAULT_REGION;
+    }
+  };
+};
+
+/**
+ * The default role assumer that used by credential providers when STS.AssumeRole API is needed.
+ */
+const getDefaultAssumer = (stsOptions: STSClientConfig): RoleAssumer => {
+  let stsClient: STSClient;
+  return async (sourceCreds, params) => {
+    if (!stsClient) {
+      const { logger } = stsOptions;
+      stsClient = new STSClient({
+        logger,
+        credentials: sourceCreds,
+        region: decorateDefaultRegion(stsOptions.region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
+
+/**
+ * The default role assumer that used by credential providers when STS.AssumeRole API is needed.
+ */
+const getDefaultAssumerWithWebIdentity = (stsOptions: STSClientConfig): RoleAssumerWithWebIdentity => {
+  let stsClient: STSClient;
+  return async (params) => {
+    if (!stsClient) {
+      const { logger } = stsOptions;
+      stsClient = new STSClient({
+        logger,
+        region: decorateDefaultRegion(stsOptions.region),
+      });
+    }
+    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
+    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
+      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
+    }
+    return {
+      accessKeyId: Credentials.AccessKeyId,
+      secretAccessKey: Credentials.SecretAccessKey,
+      sessionToken: Credentials.SessionToken,
+      expiration: Credentials.Expiration,
+    };
+  };
+};
+
+type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
+/**
+ * The default credential providers requires STS client to assume role with desired API: sts:assumeRole,
+ * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
+ * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
+ * dependencies.
+ *
+ * @internal
+ */
+export const decorateDefaultCredentialProvider = (provider: DefaultCredentialProvider): DefaultCredentialProvider => (
+  input: any
+) =>
+  provider({
+    roleAssumer: getDefaultAssumer(input),
+    roleAssumerWithWebIdentity: getDefaultAssumerWithWebIdentity(input),
+    ...input,
+  });

clients/client-sts/package.json

@@ -89,5 +89,11 @@
     "type": "git",
     "url": "https://github.com/aws/aws-sdk-js-v3.git",
     "directory": "clients/client-sts"
+  },
+  "exports": {
+    "./defaultRoleAssumers": {
+      "require": "./dist/cjs/defaultRoleAssumers.js",
+      "import": "./dist/es/defaultRoleAssumers.js"
+    }
   }
 }

clients/client-sts/runtimeConfig.ts

@@ -22,7 +22,12 @@ export const ClientDefaultValues: Required<ClientDefaults> = {
   base64Decoder: fromBase64,
   base64Encoder: toBase64,
   bodyLengthChecker: calculateBodyLength,
-  credentialDefaultProvider,
+  credentialDefaultProvider: (input) => {
+    /**
+     * Inline require to avoid circular dependencies
+     */
+    return require("./defaultRoleAssumers").decorateDefaultCredentialProvider(credentialDefaultProvider)(input);
+  },
   defaultUserAgentProvider: defaultUserAgent({
     serviceId: ClientSharedValues.serviceId,
     clientVersion: packageInfo.version,

scripts/generate-clients/copy-to-clients.js

@@ -135,6 +135,9 @@ const copyToClients = async (sourceDir, destinationDir) => {
             directory: `clients/${clientName}`,
           },
         };
+        if (clientName === "client-sts" && destManifest.exports) {
+          mergedManifest["exports"] = destManifest.exports;
+        }
         writeFileSync(destSubPath, JSON.stringify(mergedManifest, null, 2).concat(`\n`));
       } else if (overwritablePredicate(packageSub) || !existsSync(destSubPath)) {
         if (lstatSync(packageSubPath).isDirectory()) removeSync(destSubPath);