feat(credential-provider-assume-role): add fromTokenFile credential provider

[trivikr]

Issue

Fixes: #1808

Description

Adds fromTokenFile credential provider to read credentials from EKS service account.

• Reads file location of where the OIDC token is stored from either environment or config file parameters.
• Reads IAM role wanting to be assumed from either environment or config file paramters.
• Reads optional role session name to be used to distinguish sessions from either environment or config file paramters.
  If session name is not defined, it comes up with a role session name.
• Reads OIDC roken from file on disk.
• Calls sts:AssumeRoleWithWebIdentity to get credentials.
• Uses credentials of source_profile to assume the role specified if specified.

Environment Variable	Config Variable	Required	Description
AWS_WEB_IDENTITY_TOKEN_FILE	web_identity_token_file	true	File location of where the OIDC token is stored
AWS_IAM_ROLE_ARN	role_arn	true	The IAM role wanting to be assumed
AWS_IAM_ROLE_SESSION_NAME	role_session_name	false	The IAM session name used to distinguish sessions

Testing

A basic example of using fromTokenFile:

import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-assume-role";

const stsClient = new STSClient({});

const roleAssumerWithWebIdentity = async (params) => {
  const { Credentials } = await stsClient.send(
    new AssumeRoleWithWebIdentityCommand(params)
  );
  if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
    throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
  }
  return {
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  };
};

const client = new FooClient({
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity
  });
});

Values in environment variables

The values can be defined in environment varaibles as follows:

$ node
> Object.fromEntries(Object.entries(process.env).filter(([key, value]) => key.startsWith("AWS_")));
{
  AWS_WEB_IDENTITY_TOKEN_FILE: '/temp/token',
  AWS_ROLE_ARN: 'arn:aws:iam::123456789012:role/example-role-arn'
}

Values in configuration files

The values can be defined in configuration files as follows:

[sample-profile]
web_identity_token_file = /temp/token
role_session_name = arn:aws:iam::123456789012:role/example-role-arn

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (main@906e4b0). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2147   +/-   ##
=======================================
  Coverage        ?   78.74%           
=======================================
  Files           ?      381           
  Lines           ?    16129           
  Branches        ?     3463           
=======================================
  Hits            ?    12701           
  Misses          ?     3428           
  Partials        ?        0           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 906e4b0...286099b. Read the comment docs.

[AllanZhengYP]

If we allow roleAssumer chaining here, should we allow other assume role options? Like MFA serial, and MFA token? I'm comparing to normal INI credential provider

aws-sdk-js-v3/packages/credential-provider-ini/src/index.ts

Lines 188 to 197 in 34cecf1

	if (mfa_serial) {
	if (!options.mfaCodeProvider) {
	throw new ProviderError(
	`Profile ${profileName} requires multi-factor authentication,` + ` but no MFA code callback was provided.`,
	false
	);
	}
	params.SerialNumber = mfa_serial;
	params.TokenCode = await options.mfaCodeProvider(mfa_serial);
	}

[trivikr]

If we allow roleAssumer chaining here, should we allow other assume role options?

Short answer: Yes.
Long answer: Not in this PR. A separate PR should be created to introduce reusable fromAssumeRole function.

[aws-sdk-js-automation]

AWS CodeBuild CI Report

• CodeBuild project: sdk-staging-test
• Commit ID: 37864ed
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[trivikr]

Decision after offline discussion with @AllanZhengYP :

• The package name would be changed to credential-provider-web-identity.
• The profile chaining code will be moved to credential-provider-ini similar to what Java does in https://github.com/aws/aws-sdk-java-v2/blob/6e68364be32e166fd1c11a55c0e4e4f989375105/core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java#L100-L139
• The fromTokenFile implementation will be very simple. It would read values from environment variables if not passed. It would assign generated value for role session name if it's not available.
• The fromTokenFile credential provider will be called before fromIni in defaultProvide in future, when roleAssumer and roleAssumeWithWebIdentity are implemented.

The fromProcess and fromSSO credentials providers will be called from fromIni in future PRs.

[trivikr]

Closing in favor of the following PRs:

• add fromTokenFile credentials provider feat(credential-provider-web-identity): add fromTokenFile credentials provider  #2177
• call fromTokenFile credentials provider in fromIni feat(credential-provider-ini): call fromTokenFile in assumeRole chaining #2178

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.