saml_credentials.js
3.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
var AWS = require('../core');
var STS = require('../../clients/sts');
/**
* Represents credentials retrieved from STS SAML support.
*
* By default this provider gets credentials using the
* {AWS.STS.assumeRoleWithSAML} service operation. This operation
* requires a `RoleArn` containing the ARN of the IAM trust policy for the
* application for which credentials will be given, as well as a `PrincipalArn`
* representing the ARN for the SAML identity provider. In addition, the
* `SAMLAssertion` must be set to the token provided by the identity
* provider. See {constructor} for an example on creating a credentials
* object with proper `RoleArn`, `PrincipalArn`, and `SAMLAssertion` values.
*
* ## Refreshing Credentials from Identity Service
*
* In addition to AWS credentials expiring after a given amount of time, the
* login token from the identity provider will also expire. Once this token
* expires, it will not be usable to refresh AWS credentials, and another
* token will be needed. The SDK does not manage refreshing of the token value,
* but this can be done through a "refresh token" supported by most identity
* providers. Consult the documentation for the identity provider for refreshing
* tokens. Once the refreshed token is acquired, you should make sure to update
* this new token in the credentials object's {params} property. The following
* code will update the SAMLAssertion, assuming you have retrieved an updated
* token from the identity provider:
*
* ```javascript
* AWS.config.credentials.params.SAMLAssertion = updatedToken;
* ```
*
* Future calls to `credentials.refresh()` will now use the new token.
*
* @!attribute params
* @return [map] the map of params passed to
* {AWS.STS.assumeRoleWithSAML}. To update the token, set the
* `params.SAMLAssertion` property.
*/
AWS.SAMLCredentials = AWS.util.inherit(AWS.Credentials, {
/**
* Creates a new credentials object.
* @param (see AWS.STS.assumeRoleWithSAML)
* @example Creating a new credentials object
* AWS.config.credentials = new AWS.SAMLCredentials({
* RoleArn: 'arn:aws:iam::1234567890:role/SAMLRole',
* PrincipalArn: 'arn:aws:iam::1234567890:role/SAMLPrincipal',
* SAMLAssertion: 'base64-token', // base64-encoded token from IdP
* });
* @see AWS.STS.assumeRoleWithSAML
*/
constructor: function SAMLCredentials(params) {
AWS.Credentials.call(this);
this.expired = true;
this.params = params;
},
/**
* Refreshes credentials using {AWS.STS.assumeRoleWithSAML}
*
* @callback callback function(err)
* Called when the STS service responds (or fails). When
* this callback is called with no error, it means that the credentials
* information has been loaded into the object (as the `accessKeyId`,
* `secretAccessKey`, and `sessionToken` properties).
* @param err [Error] if an error occurred, this value will be filled
* @see get
*/
refresh: function refresh(callback) {
this.coalesceRefresh(callback || AWS.util.fn.callback);
},
/**
* @api private
*/
load: function load(callback) {
var self = this;
self.createClients();
self.service.assumeRoleWithSAML(function (err, data) {
if (!err) {
self.service.credentialsFrom(data, self);
}
callback(err);
});
},
/**
* @api private
*/
createClients: function() {
this.service = this.service || new STS({params: this.params});
}
});