Merge pull request #145 from james-michael/master

Adding support for authentication using WebIdentity (EKS roles)
Nike-Inc · Nov 15, 2021 · 20c39b8 · 20c39b8
2 parents f7663fd + 2419f91
commit 20c39b8
Show file tree

Hide file tree

Showing 3 changed files with 4,322 additions and 2,467 deletions.
diff --git a/lib/sts.js b/lib/sts.js
@@ -1,4 +1,6 @@
 const { defaultProvider: fetchAwsCredentials } = require('@aws-sdk/credential-provider-node')
+const { getDefaultRoleAssumerWithWebIdentity } = require('@aws-sdk/client-sts')
+const { fromTokenFile } = require('@aws-sdk/credential-provider-web-identity')
 const crypto = require('crypto')
 
 const CHINA_REGIONS = ['cn-north-1', 'cn-northwest-1']
@@ -18,13 +20,36 @@ function hash (string, encoding) {
 }
 
 const getAuthenticationHeaders = async (region) => {
-  // Fetch credentials from the AWS Default credentials provider chain
   let awsCredentials
+  let credsErrors = []
+
+  // Fetch credentials from the AWS Default credentials provider chain
   try {
     awsCredentials = await fetchAwsCredentials()()
-  } catch (e) {
-    throw new Error('Failed to get AWS credentials, do you have IAM credentials available?\n' +
-      'See: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html\nmsg: \'' + e.message + '\'')
+  } catch (error) {
+    credsErrors.push(error)
+  }
+
+  try {
+    // IMPORTANT: When running with EKS roles, it is required to explicitly specify a value for roleAssumerWithWebIdentity.
+    // There is a default function available in @aws-sdk/client-sts package. Source: https://github.com/aws/aws-sdk-js-v3/tree/main/packages/credential-provider-node
+    if (!awsCredentials) {
+      awsCredentials = await fromTokenFile({
+        roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
+      })()
+    }
+  } catch (error) {
+    credsErrors.push(error)
+  }
+
+  if (!awsCredentials) {
+    // Not successful in getting credentials.
+    throw new Error(
+      'Failed to get AWS credentials, do you have IAM credentials available?\n' +
+        "See: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html\nmsg: '" +
+        credsErrors.map(err => err.message).join('\n') +
+        "'"
+    )
   }
   const { accessKeyId, secretAccessKey, sessionToken } = awsCredentials