index.jsโข6.85 kB
'use strict';
var credentialProviderEnv = require('@aws-sdk/credential-provider-env');
var propertyProvider = require('@smithy/property-provider');
var sharedIniFileLoader = require('@smithy/shared-ini-file-loader');
const ENV_IMDS_DISABLED = "AWS_EC2_METADATA_DISABLED";
const remoteProvider = async (init) => {
const { ENV_CMDS_FULL_URI, ENV_CMDS_RELATIVE_URI, fromContainerMetadata, fromInstanceMetadata } = await import('@smithy/credential-provider-imds');
if (process.env[ENV_CMDS_RELATIVE_URI] || process.env[ENV_CMDS_FULL_URI]) {
init.logger?.debug("@aws-sdk/credential-provider-node - remoteProvider::fromHttp/fromContainerMetadata");
const { fromHttp } = await import('@aws-sdk/credential-provider-http');
return propertyProvider.chain(fromHttp(init), fromContainerMetadata(init));
}
if (process.env[ENV_IMDS_DISABLED] && process.env[ENV_IMDS_DISABLED] !== "false") {
return async () => {
throw new propertyProvider.CredentialsProviderError("EC2 Instance Metadata Service access disabled", { logger: init.logger });
};
}
init.logger?.debug("@aws-sdk/credential-provider-node - remoteProvider::fromInstanceMetadata");
return fromInstanceMetadata(init);
};
function memoizeChain(providers, treatAsExpired) {
const chain = internalCreateChain(providers);
let activeLock;
let passiveLock;
let credentials;
const provider = async (options) => {
if (options?.forceRefresh) {
return await chain(options);
}
if (credentials?.expiration) {
if (credentials?.expiration?.getTime() < Date.now()) {
credentials = undefined;
}
}
if (activeLock) {
await activeLock;
}
else if (!credentials || treatAsExpired?.(credentials)) {
if (credentials) {
if (!passiveLock) {
passiveLock = chain(options).then((c) => {
credentials = c;
passiveLock = undefined;
});
}
}
else {
activeLock = chain(options).then((c) => {
credentials = c;
activeLock = undefined;
});
return provider(options);
}
}
return credentials;
};
return provider;
}
const internalCreateChain = (providers) => async (awsIdentityProperties) => {
let lastProviderError;
for (const provider of providers) {
try {
return await provider(awsIdentityProperties);
}
catch (err) {
lastProviderError = err;
if (err?.tryNextLink) {
continue;
}
throw err;
}
}
throw lastProviderError;
};
let multipleCredentialSourceWarningEmitted = false;
const defaultProvider = (init = {}) => memoizeChain([
async () => {
const profile = init.profile ?? process.env[sharedIniFileLoader.ENV_PROFILE];
if (profile) {
const envStaticCredentialsAreSet = process.env[credentialProviderEnv.ENV_KEY] && process.env[credentialProviderEnv.ENV_SECRET];
if (envStaticCredentialsAreSet) {
if (!multipleCredentialSourceWarningEmitted) {
const warnFn = init.logger?.warn && init.logger?.constructor?.name !== "NoOpLogger"
? init.logger.warn.bind(init.logger)
: console.warn;
warnFn(`@aws-sdk/credential-provider-node - defaultProvider::fromEnv WARNING:
Multiple credential sources detected:
Both AWS_PROFILE and the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY static credentials are set.
This SDK will proceed with the AWS_PROFILE value.
However, a future version may change this behavior to prefer the ENV static credentials.
Please ensure that your environment only sets either the AWS_PROFILE or the
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair.
`);
multipleCredentialSourceWarningEmitted = true;
}
}
throw new propertyProvider.CredentialsProviderError("AWS_PROFILE is set, skipping fromEnv provider.", {
logger: init.logger,
tryNextLink: true,
});
}
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromEnv");
return credentialProviderEnv.fromEnv(init)();
},
async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromSSO");
const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
throw new propertyProvider.CredentialsProviderError("Skipping SSO provider in default chain (inputs do not include SSO fields).", { logger: init.logger });
}
const { fromSSO } = await import('@aws-sdk/credential-provider-sso');
return fromSSO(init)(awsIdentityProperties);
},
async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromIni");
const { fromIni } = await import('@aws-sdk/credential-provider-ini');
return fromIni(init)(awsIdentityProperties);
},
async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromProcess");
const { fromProcess } = await import('@aws-sdk/credential-provider-process');
return fromProcess(init)(awsIdentityProperties);
},
async (awsIdentityProperties) => {
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromTokenFile");
const { fromTokenFile } = await import('@aws-sdk/credential-provider-web-identity');
return fromTokenFile(init)(awsIdentityProperties);
},
async () => {
init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider");
return (await remoteProvider(init))();
},
async () => {
throw new propertyProvider.CredentialsProviderError("Could not load credentials from any providers", {
tryNextLink: false,
logger: init.logger,
});
},
], credentialsTreatedAsExpired);
const credentialsWillNeedRefresh = (credentials) => credentials?.expiration !== undefined;
const credentialsTreatedAsExpired = (credentials) => credentials?.expiration !== undefined && credentials.expiration.getTime() - Date.now() < 300000;
exports.credentialsTreatedAsExpired = credentialsTreatedAsExpired;
exports.credentialsWillNeedRefresh = credentialsWillNeedRefresh;
exports.defaultProvider = defaultProvider;