web_identity_credentials.js
4.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
var AWS = require('../core');
var STS = require('../../clients/sts');
/**
* Represents credentials retrieved from STS Web Identity Federation support.
*
* By default this provider gets credentials using the
* {AWS.STS.assumeRoleWithWebIdentity} service operation. This operation
* requires a `RoleArn` containing the ARN of the IAM trust policy for the
* application for which credentials will be given. In addition, the
* `WebIdentityToken` must be set to the token provided by the identity
* provider. See {constructor} for an example on creating a credentials
* object with proper `RoleArn` and `WebIdentityToken` values.
*
* ## Refreshing Credentials from Identity Service
*
* In addition to AWS credentials expiring after a given amount of time, the
* login token from the identity provider will also expire. Once this token
* expires, it will not be usable to refresh AWS credentials, and another
* token will be needed. The SDK does not manage refreshing of the token value,
* but this can be done through a "refresh token" supported by most identity
* providers. Consult the documentation for the identity provider for refreshing
* tokens. Once the refreshed token is acquired, you should make sure to update
* this new token in the credentials object's {params} property. The following
* code will update the WebIdentityToken, assuming you have retrieved an updated
* token from the identity provider:
*
* ```javascript
* AWS.config.credentials.params.WebIdentityToken = updatedToken;
* ```
*
* Future calls to `credentials.refresh()` will now use the new token.
*
* @!attribute params
* @return [map] the map of params passed to
* {AWS.STS.assumeRoleWithWebIdentity}. To update the token, set the
* `params.WebIdentityToken` property.
* @!attribute data
* @return [map] the raw data response from the call to
* {AWS.STS.assumeRoleWithWebIdentity}. Use this if you want to get
* access to other properties from the response.
*/
AWS.WebIdentityCredentials = AWS.util.inherit(AWS.Credentials, {
/**
* Creates a new credentials object.
* @param (see AWS.STS.assumeRoleWithWebIdentity)
* @example Creating a new credentials object
* AWS.config.credentials = new AWS.WebIdentityCredentials({
* RoleArn: 'arn:aws:iam::1234567890:role/WebIdentity',
* WebIdentityToken: 'ABCDEFGHIJKLMNOP', // token from identity service
* RoleSessionName: 'web' // optional name, defaults to web-identity
* }, {
* // optionally provide configuration to apply to the underlying AWS.STS service client
* // if configuration is not provided, then configuration will be pulled from AWS.config
*
* // specify timeout options
* httpOptions: {
* timeout: 100
* }
* });
* @see AWS.STS.assumeRoleWithWebIdentity
* @see AWS.Config
*/
constructor: function WebIdentityCredentials(params, clientConfig) {
AWS.Credentials.call(this);
this.expired = true;
this.params = params;
this.params.RoleSessionName = this.params.RoleSessionName || 'web-identity';
this.data = null;
this._clientConfig = AWS.util.copy(clientConfig || {});
},
/**
* Refreshes credentials using {AWS.STS.assumeRoleWithWebIdentity}
*
* @callback callback function(err)
* Called when the STS service responds (or fails). When
* this callback is called with no error, it means that the credentials
* information has been loaded into the object (as the `accessKeyId`,
* `secretAccessKey`, and `sessionToken` properties).
* @param err [Error] if an error occurred, this value will be filled
* @see get
*/
refresh: function refresh(callback) {
this.coalesceRefresh(callback || AWS.util.fn.callback);
},
/**
* @api private
*/
load: function load(callback) {
var self = this;
self.createClients();
self.service.assumeRoleWithWebIdentity(function (err, data) {
self.data = null;
if (!err) {
self.data = data;
self.service.credentialsFrom(data, self);
}
callback(err);
});
},
/**
* @api private
*/
createClients: function() {
if (!this.service) {
var stsConfig = AWS.util.merge({}, this._clientConfig);
stsConfig.params = this.params;
this.service = new STS(stsConfig);
}
}
});