temporary_credentials.js
4.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
var AWS = require('../core');
var STS = require('../../clients/sts');
/**
* Represents temporary credentials retrieved from {AWS.STS}. Without any
* extra parameters, credentials will be fetched from the
* {AWS.STS.getSessionToken} operation. If an IAM role is provided, the
* {AWS.STS.assumeRole} operation will be used to fetch credentials for the
* role instead.
*
* @note AWS.TemporaryCredentials is deprecated, but remains available for
* backwards compatibility. {AWS.ChainableTemporaryCredentials} is the
* preferred class for temporary credentials.
*
* To setup temporary credentials, configure a set of master credentials
* using the standard credentials providers (environment, EC2 instance metadata,
* or from the filesystem), then set the global credentials to a new
* temporary credentials object:
*
* ```javascript
* // Note that environment credentials are loaded by default,
* // the following line is shown for clarity:
* AWS.config.credentials = new AWS.EnvironmentCredentials('AWS');
*
* // Now set temporary credentials seeded from the master credentials
* AWS.config.credentials = new AWS.TemporaryCredentials();
*
* // subsequent requests will now use temporary credentials from AWS STS.
* new AWS.S3().listBucket(function(err, data) { ... });
* ```
*
* @!attribute masterCredentials
* @return [AWS.Credentials] the master (non-temporary) credentials used to
* get and refresh temporary credentials from AWS STS.
* @note (see constructor)
*/
AWS.TemporaryCredentials = AWS.util.inherit(AWS.Credentials, {
/**
* Creates a new temporary credentials object.
*
* @note In order to create temporary credentials, you first need to have
* "master" credentials configured in {AWS.Config.credentials}. These
* master credentials are necessary to retrieve the temporary credentials,
* as well as refresh the credentials when they expire.
* @param params [map] a map of options that are passed to the
* {AWS.STS.assumeRole} or {AWS.STS.getSessionToken} operations.
* If a `RoleArn` parameter is passed in, credentials will be based on the
* IAM role.
* @param masterCredentials [AWS.Credentials] the master (non-temporary) credentials
* used to get and refresh temporary credentials from AWS STS.
* @example Creating a new credentials object for generic temporary credentials
* AWS.config.credentials = new AWS.TemporaryCredentials();
* @example Creating a new credentials object for an IAM role
* AWS.config.credentials = new AWS.TemporaryCredentials({
* RoleArn: 'arn:aws:iam::1234567890:role/TemporaryCredentials',
* });
* @see AWS.STS.assumeRole
* @see AWS.STS.getSessionToken
*/
constructor: function TemporaryCredentials(params, masterCredentials) {
AWS.Credentials.call(this);
this.loadMasterCredentials(masterCredentials);
this.expired = true;
this.params = params || {};
if (this.params.RoleArn) {
this.params.RoleSessionName =
this.params.RoleSessionName || 'temporary-credentials';
}
},
/**
* Refreshes credentials using {AWS.STS.assumeRole} or
* {AWS.STS.getSessionToken}, depending on whether an IAM role ARN was passed
* to the credentials {constructor}.
*
* @callback callback function(err)
* Called when the STS service responds (or fails). When
* this callback is called with no error, it means that the credentials
* information has been loaded into the object (as the `accessKeyId`,
* `secretAccessKey`, and `sessionToken` properties).
* @param err [Error] if an error occurred, this value will be filled
* @see get
*/
refresh: function refresh (callback) {
this.coalesceRefresh(callback || AWS.util.fn.callback);
},
/**
* @api private
*/
load: function load (callback) {
var self = this;
self.createClients();
self.masterCredentials.get(function () {
self.service.config.credentials = self.masterCredentials;
var operation = self.params.RoleArn ?
self.service.assumeRole : self.service.getSessionToken;
operation.call(self.service, function (err, data) {
if (!err) {
self.service.credentialsFrom(data, self);
}
callback(err);
});
});
},
/**
* @api private
*/
loadMasterCredentials: function loadMasterCredentials (masterCredentials) {
this.masterCredentials = masterCredentials || AWS.config.credentials;
while (this.masterCredentials.masterCredentials) {
this.masterCredentials = this.masterCredentials.masterCredentials;
}
if (typeof this.masterCredentials.get !== 'function') {
this.masterCredentials = new AWS.Credentials(this.masterCredentials);
}
},
/**
* @api private
*/
createClients: function () {
this.service = this.service || new STS({params: this.params});
}
});