feat(credential-providers): add credentialScope field

Author: kuhe

clients/client-sts/src/defaultStsRoleAssumers.ts

@@ -1,8 +1,7 @@
 // smithy-typescript generated code
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
-import { Credentials } from "@aws-sdk/types";
-import { Provider } from "@smithy/types";
+import { AwsCredentialIdentity, Provider } from "@smithy/types";
 
 import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
 import {
@@ -14,7 +13,10 @@ import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSC
 /**
  * @internal
  */
-export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
+export type RoleAssumer = (
+  sourceCreds: AwsCredentialIdentity,
+  params: AssumeRoleCommandInput
+) => Promise<AwsCredentialIdentity>;
 
 const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
 
@@ -43,7 +45,7 @@ export const getDefaultRoleAssumer = (
   stsClientCtor: new (options: STSClientConfig) => STSClient
 ): RoleAssumer => {
   let stsClient: STSClient;
-  let closureSourceCreds: Credentials;
+  let closureSourceCreds: AwsCredentialIdentity;
   return async (sourceCreds, params) => {
     closureSourceCreds = sourceCreds;
     if (!stsClient) {
@@ -65,14 +67,18 @@ export const getDefaultRoleAssumer = (
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
       expiration: Credentials.Expiration,
+      // TODO(credentialScope): access normally when shape is updated.
+      credentialScope: (Credentials as any).CredentialScope,
     };
   };
 };
 
 /**
  * @internal
  */
-export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
+export type RoleAssumerWithWebIdentity = (
+  params: AssumeRoleWithWebIdentityCommandInput
+) => Promise<AwsCredentialIdentity>;
 
 /**
  * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
@@ -101,14 +107,16 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
       expiration: Credentials.Expiration,
+      // TODO(credentialScope): access normally when shape is updated.
+      credentialScope: (Credentials as any).CredentialScope,
     };
   };
 };
 
 /**
  * @internal
  */
-export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
+export type DefaultCredentialProvider = (input: any) => Provider<AwsCredentialIdentity>;
 
 /**
  * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -1,5 +1,4 @@
-import { Credentials } from "@aws-sdk/types";
-import { Provider } from "@smithy/types";
+import { AwsCredentialIdentity, Provider } from "@smithy/types";
 
 import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
 import {
@@ -11,7 +10,10 @@ import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSC
 /**
  * @internal
  */
-export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
+export type RoleAssumer = (
+  sourceCreds: AwsCredentialIdentity,
+  params: AssumeRoleCommandInput
+) => Promise<AwsCredentialIdentity>;
 
 const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
 
@@ -40,7 +42,7 @@ export const getDefaultRoleAssumer = (
   stsClientCtor: new (options: STSClientConfig) => STSClient
 ): RoleAssumer => {
   let stsClient: STSClient;
-  let closureSourceCreds: Credentials;
+  let closureSourceCreds: AwsCredentialIdentity;
   return async (sourceCreds, params) => {
     closureSourceCreds = sourceCreds;
     if (!stsClient) {
@@ -62,14 +64,18 @@ export const getDefaultRoleAssumer = (
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
       expiration: Credentials.Expiration,
+      // TODO(credentialScope): access normally when shape is updated.
+      credentialScope: (Credentials as any).CredentialScope,
     };
   };
 };
 
 /**
  * @internal
  */
-export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
+export type RoleAssumerWithWebIdentity = (
+  params: AssumeRoleWithWebIdentityCommandInput
+) => Promise<AwsCredentialIdentity>;
 
 /**
  * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
@@ -98,14 +104,16 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
       expiration: Credentials.Expiration,
+      // TODO(credentialScope): access normally when shape is updated.
+      credentialScope: (Credentials as any).CredentialScope,
     };
   };
 };
 
 /**
  * @internal
  */
-export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
+export type DefaultCredentialProvider = (input: any) => Provider<AwsCredentialIdentity>;
 
 /**
  * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
@@ -120,6 +128,9 @@ export const decorateDefaultCredentialProvider =
   (input: STSClientResolvedConfig) =>
     provider({
       roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor as new (options: STSClientConfig) => STSClient),
-      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor as new (options: STSClientConfig) => STSClient),
+      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(
+        input,
+        input.stsClientCtor as new (options: STSClientConfig) => STSClient
+      ),
       ...input,
     });

packages/credential-provider-env/src/fromEnv.ts

@@ -17,6 +17,10 @@ export const ENV_SESSION = "AWS_SESSION_TOKEN";
  * @internal
  */
 export const ENV_EXPIRATION = "AWS_CREDENTIAL_EXPIRATION";
+/**
+ * @internal
+ */
+export const ENV_CREDENTIAL_SCOPE = "AWS_CREDENTIAL_SCOPE";
 
 /**
  * @internal
@@ -30,13 +34,15 @@ export const fromEnv = (): AwsCredentialIdentityProvider => async () => {
   const secretAccessKey: string | undefined = process.env[ENV_SECRET];
   const sessionToken: string | undefined = process.env[ENV_SESSION];
   const expiry: string | undefined = process.env[ENV_EXPIRATION];
+  const credentialScope: string | undefined = process.env[ENV_CREDENTIAL_SCOPE];
 
   if (accessKeyId && secretAccessKey) {
     return {
       accessKeyId,
       secretAccessKey,
       ...(sessionToken && { sessionToken }),
       ...(expiry && { expiration: new Date(expiry) }),
+      ...(credentialScope && { credentialScope }),
     };
   }
 

packages/credential-provider-ini/src/resolveStaticCredentials.ts

@@ -7,6 +7,7 @@ export interface StaticCredsProfile extends Profile {
   aws_access_key_id: string;
   aws_secret_access_key: string;
   aws_session_token?: string;
+  aws_credential_scope?: string;
 }
 
 /**
@@ -27,4 +28,5 @@ export const resolveStaticCredentials = (profile: StaticCredsProfile): Promise<A
     accessKeyId: profile.aws_access_key_id,
     secretAccessKey: profile.aws_secret_access_key,
     sessionToken: profile.aws_session_token,
+    credentialScope: profile.aws_credential_scope,
   });

packages/credential-provider-process/src/ProcessCredentials.ts

@@ -7,4 +7,5 @@ export type ProcessCredentials = {
   SecretAccessKey: string;
   SessionToken?: string;
   Expiration?: number;
+  CredentialScope?: string;
 };

packages/credential-provider-process/src/getValidatedProcessCredentials.ts

@@ -30,5 +30,6 @@ export const getValidatedProcessCredentials = (
     secretAccessKey: data.SecretAccessKey,
     ...(data.SessionToken && { sessionToken: data.SessionToken }),
     ...(data.Expiration && { expiration: new Date(data.Expiration) }),
+    ...(data.CredentialScope && { credentialScope: data.CredentialScope }),
   };
 };

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -9,7 +9,7 @@ import { FromSSOInit, SsoCredentialsParameters } from "./fromSSO";
 const SHOULD_FAIL_CREDENTIAL_CHAIN = false;
 
 /**
- * @private
+ * @internal
  */
 export const resolveSSOCredentials = async ({
   ssoStartUrl,
@@ -67,9 +67,13 @@ export const resolveSSOCredentials = async ({
   }
 
   const { roleCredentials: { accessKeyId, secretAccessKey, sessionToken, expiration } = {} } = ssoResp;
+  // TODO(credentialScope): Extract from ssoResp object with other credential fields
+  // TODO(credentialScope): when this field becomes defined on the shape.
+  const credentialScope = (ssoResp?.roleCredentials as any)?.credentialScope;
+
   if (!accessKeyId || !secretAccessKey || !sessionToken || !expiration) {
     throw new CredentialsProviderError("SSO returns an invalid temporary credential.", SHOULD_FAIL_CREDENTIAL_CHAIN);
   }
 
-  return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration) };
+  return { accessKeyId, secretAccessKey, sessionToken, expiration: new Date(expiration), credentialScope };
 };

packages/credential-providers/src/fromTemporaryCredentials.ts

@@ -78,6 +78,8 @@ export const fromTemporaryCredentials = (options: FromTemporaryCredentialsOption
       secretAccessKey: Credentials.SecretAccessKey,
       sessionToken: Credentials.SessionToken,
       expiration: Credentials.Expiration,
+      // TODO(credentialScope): access normally when shape is updated.
+      credentialScope: (Credentials as any).CredentialScope,
     };
   };
 };