feat(credential-provider-web-identity): add fromTokenFile credentials provider

[trivikr]

Issue

Fixes: #1808

Description

Adds fromTokenFile credential provider to read credentials from EKS service account.

• Reads file location of where the OIDC token is stored from either provided option webIdentityTokenFile or environment variable AWS_WEB_IDENTITY_TOKEN_FILE.
• Reads IAM role wanting to be assumed from either provided option roleArn or environment variable AWS_ROLE_ARN.
• Reads optional role session name to be used to distinguish sessions from provided option roleSessionName or environment variable AWS_ROLE_SESSION_NAME.
  If session name is not defined, it comes up with a role session name.
• Reads OIDC token from file on disk.
• Calls sts:AssumeRoleWithWebIdentity via roleAssumerWithWebIdentity option to get credentials.

Configuration Key	Environment Variable	Required	Description
webIdentityTokenFile	AWS_WEB_IDENTITY_TOKEN_FILE	true	File location of where the OIDC token is stored
roleArn	AWS_IAM_ROLE_ARN	true	The IAM role wanting to be assumed
roleSessionName	AWS_IAM_ROLE_SESSION_NAME	false	The IAM session name used to distinguish sessions

Testing

A basic example of using fromTokenFile:

import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-web-identity";

const stsClient = new STSClient({});

const roleAssumerWithWebIdentity = async (params) => {
  const { Credentials } = await stsClient.send(
    new AssumeRoleWithWebIdentityCommand(params)
  );
  if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
    throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
  }
  return {
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  };
};

const client = new FooClient({
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity
  });
});

Values in environment variables

The values can be defined in environment varaibles as follows:

$ node
> Object.fromEntries(Object.entries(process.env).filter(([key, value]) => key.startsWith("AWS_")));
{
  AWS_WEB_IDENTITY_TOKEN_FILE: '/temp/token',
  AWS_ROLE_ARN: 'arn:aws:iam::123456789012:role/example-role-arn'
}

Values in configuration keys

The values can be defined in configuration keys as follows:

...
const client = new FooClient({
  credentials: fromTokenFile({
    webIdentityTokenFile: "/temp/token",
    roleArn: "arn:aws:iam::123456789012:role/example-role-arn",
    roleAssumerWithWebIdentity
  });
});

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[aws-sdk-js-automation]

AWS CodeBuild CI Report

• CodeBuild project: sdk-staging-test
• Commit ID: abad64c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[AllanZhengYP]

🚢

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.