git-off

web_identity_credentials.js (3797B)

---

 var AWS = require('../core');
 var STS = require('../../clients/sts');
 
 /**
  * Represents credentials retrieved from STS Web Identity Federation support.
  *
  * By default this provider gets credentials using the
  * {AWS.STS.assumeRoleWithWebIdentity} service operation. This operation
  * requires a `RoleArn` containing the ARN of the IAM trust policy for the
  * application for which credentials will be given. In addition, the
  * `WebIdentityToken` must be set to the token provided by the identity
  * provider. See {constructor} for an example on creating a credentials
  * object with proper `RoleArn` and `WebIdentityToken` values.
  *
  * ## Refreshing Credentials from Identity Service
  *
  * In addition to AWS credentials expiring after a given amount of time, the
  * login token from the identity provider will also expire. Once this token
  * expires, it will not be usable to refresh AWS credentials, and another
  * token will be needed. The SDK does not manage refreshing of the token value,
  * but this can be done through a "refresh token" supported by most identity
  * providers. Consult the documentation for the identity provider for refreshing
  * tokens. Once the refreshed token is acquired, you should make sure to update
  * this new token in the credentials object's {params} property. The following
  * code will update the WebIdentityToken, assuming you have retrieved an updated
  * token from the identity provider:
  *
  * ```javascript
  * AWS.config.credentials.params.WebIdentityToken = updatedToken;
  * ```
  *
  * Future calls to `credentials.refresh()` will now use the new token.
  *
  * @!attribute params
  *   @return [map] the map of params passed to
  *     {AWS.STS.assumeRoleWithWebIdentity}. To update the token, set the
  *     `params.WebIdentityToken` property.
  * @!attribute data
  *   @return [map] the raw data response from the call to
  *     {AWS.STS.assumeRoleWithWebIdentity}. Use this if you want to get
  *     access to other properties from the response.
  */
 AWS.WebIdentityCredentials = AWS.util.inherit(AWS.Credentials, {
   /**
    * Creates a new credentials object.
    * @param (see AWS.STS.assumeRoleWithWebIdentity)
    * @example Creating a new credentials object
    *   AWS.config.credentials = new AWS.WebIdentityCredentials({
    *     RoleArn: 'arn:aws:iam::1234567890:role/WebIdentity',
    *     WebIdentityToken: 'ABCDEFGHIJKLMNOP', // token from identity service
    *     RoleSessionName: 'web' // optional name, defaults to web-identity
    *   });
    * @see AWS.STS.assumeRoleWithWebIdentity
    */
   constructor: function WebIdentityCredentials(params) {
     AWS.Credentials.call(this);
     this.expired = true;
     this.params = params;
     this.params.RoleSessionName = this.params.RoleSessionName || 'web-identity';
     this.data = null;
   },
 
   /**
    * Refreshes credentials using {AWS.STS.assumeRoleWithWebIdentity}
    *
    * @callback callback function(err)
    *   Called when the STS service responds (or fails). When
    *   this callback is called with no error, it means that the credentials
    *   information has been loaded into the object (as the `accessKeyId`,
    *   `secretAccessKey`, and `sessionToken` properties).
    *   @param err [Error] if an error occurred, this value will be filled
    * @see get
    */
   refresh: function refresh(callback) {
     var self = this;
     self.createClients();
     if (!callback) callback = function(err) { if (err) throw err; };
 
     self.service.assumeRoleWithWebIdentity(function (err, data) {
       self.data = null;
       if (!err) {
         self.data = data;
         self.service.credentialsFrom(data, self);
       }
       callback(err);
     });
   },
 
   /**
    * @api private
    */
   createClients: function() {
     this.service = this.service || new STS({params: this.params});
   }
 
 });