
Call fromTokenFile credential provider by default in credential-provider-node #2148


Closed
trivikr opened this issue Mar 17, 2021 · 3 comments · Fixed by #2260
Labels
feature-request New feature or enhancement. May require GitHub community feedback.

Comments

trivikr (Member) commented Mar 17, 2021

Is your feature request related to a problem? Please describe.

The credential provider which gets credentials using an sts:assumeRoleWithWebIdentity call after reading an OIDC token from a file on disk was added in #2147

It isn't called in the default Node.js credential provider chain due to a circular dependency issue.
Details: #1808 (comment)

Describe the solution you'd like

Call fromTokenFile credential provider by default in credential-provider-node

Describe alternatives you've considered

Explicitly calling fromTokenFile while creating client instance.


ejhayes commented Apr 14, 2021

This would be very helpful as this is how the CLI works. Right now I'm using EKS Service roles, which set both the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables. It would be nice if the SDK could pick up these values (just like it does for env vars like AWS_PROFILE, for example) rather than having to manually set this:

```js
import { S3Client } from '@aws-sdk/client-s3'
import { getDefaultRoleAssumerWithWebIdentity } from '@aws-sdk/client-sts'
import { fromTokenFile } from '@aws-sdk/credential-provider-web-identity'

// current behavior
const client = new S3Client({
    credentials: fromTokenFile({
        roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
    })
});

// ideal behavior
const client = new S3Client();
```

@trivikr any idea if this is something that will be added in?


busla commented May 17, 2021

In case someone stumbles upon this issue, here is an example of how this could be implemented

```js
import { fromTokenFile } from '@aws-sdk/credential-provider-web-identity'
import { ECRClient } from '@aws-sdk/client-ecr'
import { getDefaultRoleAssumerWithWebIdentity } from '@aws-sdk/client-sts'

export const client = new ECRClient({
  region: process.env.AWS_REGION || 'some-region-name',
  // A function that returns the provider, not the provider itself
  credentialDefaultProvider: () =>
    fromTokenFile({
      webIdentityTokenFile: process.env.AWS_WEB_IDENTITY_TOKEN_FILE,
      roleArn: process.env.AWS_ROLE_ARN,
      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(),
    }),
})
```

Note that credentialDefaultProvider expects a callback.

References:


github-actions bot commented Jun 1, 2021

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2021
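
A preflight for the two environment variables discussed in the comments above, added here as an example (not code from the SDK or from any commenter): it reports a half-configured or expired web identity setup before a client is built, instead of leaving the failure to surface later in a credential chain. `checkWebIdentityEnv`, the `readToken` hook, and the sample token and role ARN are assumptions constructed for illustration; the token is only decoded for inspection, not verified.

```javascript
// Added example: preflight for the two variables fromTokenFile reads.
// Nothing here calls AWS; the JWT is decoded for inspection only, not verified.
const ROLE_ARN_RE = /^arn:aws[a-z-]*:iam::\d{12}:role\/.+$/;

function decodeJwtPayload(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// env: object shaped like process.env. readToken: (path) => string, a hypothetical
// hook; in real use pass (p) => fs.readFileSync(p, 'utf8'). nowSec: Unix time.
function checkWebIdentityEnv(env, readToken, nowSec = Math.floor(Date.now() / 1000)) {
  const roleArn = env.AWS_ROLE_ARN;
  const tokenFile = env.AWS_WEB_IDENTITY_TOKEN_FILE;
  if (!roleArn && !tokenFile) return { mode: 'not-configured', problems: [] };

  const problems = [];
  if (!roleArn) problems.push('AWS_ROLE_ARN is not set');
  else if (!ROLE_ARN_RE.test(roleArn)) problems.push('AWS_ROLE_ARN is not an IAM role ARN');
  if (!tokenFile) problems.push('AWS_WEB_IDENTITY_TOKEN_FILE is not set');

  let claims;
  if (tokenFile) {
    try {
      claims = decodeJwtPayload(readToken(tokenFile));
      if (typeof claims.exp !== 'number') problems.push('token has no exp claim');
      else if (claims.exp <= nowSec) problems.push('token is expired');
    } catch (err) {
      problems.push(`token file unusable: ${err.message}`);
    }
  }
  const ok = problems.length === 0;
  // Return only non-secret claims; never log the token itself.
  return {
    mode: ok ? 'web-identity' : 'misconfigured',
    problems,
    subject: ok ? claims.sub : undefined,
    audience: ok ? claims.aud : undefined,
  };
}

// Constructed sample input (not a real token): header.payload.signature
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleToken = [b64({ alg: 'RS256' }),
  b64({ sub: 'system:serviceaccount:default:app', aud: ['sts.amazonaws.com'], exp: 2000000000 }),
  'c2lnbmF0dXJl'].join('.');
const sampleEnv = { AWS_ROLE_ARN: 'arn:aws:iam::123456789012:role/example-role',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/constructed/path/token' };
console.log(checkWebIdentityEnv(sampleEnv, () => sampleToken, 1700000000));
```

A `misconfigured` result is the case worth failing on at startup: one variable is present, so the workload was meant to use the web identity role.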