116 lines
4.3 KiB
JavaScript
116 lines
4.3 KiB
JavaScript
var AWS = require('../core');
|
|
var STS = require('../../clients/sts');
|
|
|
|
/**
|
|
* Represents credentials retrieved from STS Web Identity Federation support.
|
|
*
|
|
* By default this provider gets credentials using the
|
|
* {AWS.STS.assumeRoleWithWebIdentity} service operation. This operation
|
|
* requires a `RoleArn` containing the ARN of the IAM trust policy for the
|
|
* application for which credentials will be given. In addition, the
|
|
* `WebIdentityToken` must be set to the token provided by the identity
|
|
* provider. See {constructor} for an example on creating a credentials
|
|
* object with proper `RoleArn` and `WebIdentityToken` values.
|
|
*
|
|
* ## Refreshing Credentials from Identity Service
|
|
*
|
|
* In addition to AWS credentials expiring after a given amount of time, the
|
|
* login token from the identity provider will also expire. Once this token
|
|
* expires, it will not be usable to refresh AWS credentials, and another
|
|
* token will be needed. The SDK does not manage refreshing of the token value,
|
|
* but this can be done through a "refresh token" supported by most identity
|
|
* providers. Consult the documentation for the identity provider for refreshing
|
|
* tokens. Once the refreshed token is acquired, you should make sure to update
|
|
* this new token in the credentials object's {params} property. The following
|
|
* code will update the WebIdentityToken, assuming you have retrieved an updated
|
|
* token from the identity provider:
|
|
*
|
|
* ```javascript
|
|
* AWS.config.credentials.params.WebIdentityToken = updatedToken;
|
|
* ```
|
|
*
|
|
* Future calls to `credentials.refresh()` will now use the new token.
|
|
*
|
|
* @!attribute params
|
|
* @return [map] the map of params passed to
|
|
* {AWS.STS.assumeRoleWithWebIdentity}. To update the token, set the
|
|
* `params.WebIdentityToken` property.
|
|
* @!attribute data
|
|
* @return [map] the raw data response from the call to
|
|
* {AWS.STS.assumeRoleWithWebIdentity}. Use this if you want to get
|
|
* access to other properties from the response.
|
|
*/
|
|
AWS.WebIdentityCredentials = AWS.util.inherit(AWS.Credentials, {
|
|
/**
|
|
* Creates a new credentials object.
|
|
* @param (see AWS.STS.assumeRoleWithWebIdentity)
|
|
* @example Creating a new credentials object
|
|
* AWS.config.credentials = new AWS.WebIdentityCredentials({
|
|
* RoleArn: 'arn:aws:iam::1234567890:role/WebIdentity',
|
|
* WebIdentityToken: 'ABCDEFGHIJKLMNOP', // token from identity service
|
|
* RoleSessionName: 'web' // optional name, defaults to web-identity
|
|
* }, {
|
|
* // optionally provide configuration to apply to the underlying AWS.STS service client
|
|
* // if configuration is not provided, then configuration will be pulled from AWS.config
|
|
*
|
|
* // specify timeout options
|
|
* httpOptions: {
|
|
* timeout: 100
|
|
* }
|
|
* });
|
|
* @see AWS.STS.assumeRoleWithWebIdentity
|
|
* @see AWS.Config
|
|
*/
|
|
constructor: function WebIdentityCredentials(params, clientConfig) {
|
|
AWS.Credentials.call(this);
|
|
this.expired = true;
|
|
this.params = params;
|
|
this.params.RoleSessionName = this.params.RoleSessionName || 'web-identity';
|
|
this.data = null;
|
|
this._clientConfig = AWS.util.copy(clientConfig || {});
|
|
},
|
|
|
|
/**
|
|
* Refreshes credentials using {AWS.STS.assumeRoleWithWebIdentity}
|
|
*
|
|
* @callback callback function(err)
|
|
* Called when the STS service responds (or fails). When
|
|
* this callback is called with no error, it means that the credentials
|
|
* information has been loaded into the object (as the `accessKeyId`,
|
|
* `secretAccessKey`, and `sessionToken` properties).
|
|
* @param err [Error] if an error occurred, this value will be filled
|
|
* @see get
|
|
*/
|
|
refresh: function refresh(callback) {
|
|
this.coalesceRefresh(callback || AWS.util.fn.callback);
|
|
},
|
|
|
|
/**
|
|
* @api private
|
|
*/
|
|
load: function load(callback) {
|
|
var self = this;
|
|
self.createClients();
|
|
self.service.assumeRoleWithWebIdentity(function (err, data) {
|
|
self.data = null;
|
|
if (!err) {
|
|
self.data = data;
|
|
self.service.credentialsFrom(data, self);
|
|
}
|
|
callback(err);
|
|
});
|
|
},
|
|
|
|
/**
|
|
* @api private
|
|
*/
|
|
createClients: function() {
|
|
if (!this.service) {
|
|
var stsConfig = AWS.util.merge({}, this._clientConfig);
|
|
stsConfig.params = this.params;
|
|
this.service = new STS(stsConfig);
|
|
}
|
|
}
|
|
|
|
});
|