DefaultAwsSecurityCredentialsSupplier

Internal AWS security credentials supplier implementation used by AwsClient when a credential source is provided instead of a user defined supplier. The logic is summarized as:

  1. If imdsv2_session_token_url is provided in the credential source, fetch the AWS session token and include it in the headers of the metadata requests. This is a requirement for IMDSv2 but optional for IMDSv1.
  2. Retrieve the AWS region from the availability-zone endpoint.
  3a. Check for AWS credentials in environment variables. If not found, get them from the security-credentials endpoint.
  3b. Get AWS credentials from the security-credentials endpoint. To retrieve them, the AWS role first needs to be determined by calling the security-credentials endpoint without any argument. The credentials can then be retrieved via: security-credentials/role_name
  4. Generate the signed request to the AWS STS GetCallerIdentity action.
  5. Inject x-goog-cloud-target-resource into the header and serialize the signed request. This is the subject token passed to GCP STS.

Constructor

new DefaultAwsSecurityCredentialsSupplier(opts)

Instantiates a new DefaultAwsSecurityCredentialsSupplier using information from the credential_source stored in the ADC file.

Parameters:
  opts: The default AWS security credentials supplier options object to build the supplier with.

Methods

(async) getAwsRegion(context)

Returns the active AWS region. This first checks whether the region is available as an environment variable. If it is not, the supplier calls the region URL.

Parameters:
  context: ExternalAccountSupplierContext from the calling AwsClient; contains the requested audience and subject token type for the external account identity.

Returns:
  A promise that resolves with the AWS region string.

(async) getAwsSecurityCredentials(context)

Returns AWS security credentials. This first checks whether the credentials are available as environment variables. If they are not, the supplier calls the security credentials URL.

Parameters:
  context: ExternalAccountSupplierContext from the calling AwsClient; contains the requested audience and subject token type for the external account identity.

Returns:
  A promise that resolves with the AWS security credentials.
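The lookup order summarized in steps 1 to 3b above, and implemented by getAwsRegion and getAwsSecurityCredentials, as an added stand-alone illustration that is not google-auth-library code. It assumes an injected `http` function in place of a real HTTP client and a constructed credential_source plus fake IMDS (`SAMPLE_SOURCE`, `fakeImds`) so it runs offline; the fake is IMDSv2-only, so it shows why the session token step matters.

```javascript
// Hypothetical stand-alone re-implementation of the lookup order above (not
// google-auth-library code). `http(url, {method, headers})` is an injected async
// function returning the body, so it runs offline against the fake IMDS below.
const IMDSV2_TTL_HEADER = 'X-aws-ec2-metadata-token-ttl-seconds';
const IMDSV2_TOKEN_HEADER = 'X-aws-ec2-metadata-token';

// Step 1: with imdsv2_session_token_url set, PUT for a session token and send
// it on every later metadata request; without it, send no token header.
async function metadataHeaders(source, http) {
  if (!source.imdsv2_session_token_url) return {};
  const token = await http(source.imdsv2_session_token_url,
    {method: 'PUT', headers: {[IMDSV2_TTL_HEADER]: '300'}});
  return {[IMDSV2_TOKEN_HEADER]: token};
}

// Step 2: environment first, then the availability-zone URL; a zone such as
// "us-east-2b" becomes its region by dropping the trailing zone letter.
async function getAwsRegion(source, env, http) {
  const fromEnv = env.AWS_REGION || env.AWS_DEFAULT_REGION;
  if (fromEnv) return fromEnv;
  const zone = await http(source.region_url, {headers: await metadataHeaders(source, http)});
  return zone.replace(/[a-z]$/, '');
}

// Steps 3a/3b: environment credentials win; otherwise the bare endpoint gives
// the role name and <url>/<role> gives the credential document.
async function getAwsSecurityCredentials(source, env, http) {
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
    return {accessKeyId: env.AWS_ACCESS_KEY_ID,
      secretAccessKey: env.AWS_SECRET_ACCESS_KEY, token: env.AWS_SESSION_TOKEN};
  }
  const headers = await metadataHeaders(source, http);
  const role = await http(source.url, {headers});
  const doc = JSON.parse(await http(`${source.url}/${role}`, {headers}));
  return {accessKeyId: doc.AccessKeyId, secretAccessKey: doc.SecretAccessKey, token: doc.Token};
}

// Constructed credential_source and fake IMDS; the fake rejects any metadata
// request lacking the session token, as an IMDSv2-only instance would.
const SAMPLE_SOURCE = {
  imdsv2_session_token_url: 'http://169.254.169.254/latest/api/token',
  region_url: 'http://169.254.169.254/latest/meta-data/placement/availability-zone',
  url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials',
};
async function fakeImds(url, {method = 'GET', headers = {}} = {}) {
  if (url === SAMPLE_SOURCE.imdsv2_session_token_url && method === 'PUT') return 'tok-123';
  if (headers[IMDSV2_TOKEN_HEADER] !== 'tok-123') throw new Error('401 Unauthorized');
  if (url === SAMPLE_SOURCE.region_url) return 'us-east-2b';
  if (url === SAMPLE_SOURCE.url) return 'demo-role';
  if (url === `${SAMPLE_SOURCE.url}/demo-role`) return JSON.stringify(
    {AccessKeyId: 'AKIA_CONSTRUCTED', SecretAccessKey: 'secret_constructed', Token: 'sess_constructed'});
  throw new Error(`404 ${url}`);
}
```

Dropping imdsv2_session_token_url from the source makes the same calls fail against the fake with 401, which is the IMDSv2 requirement step 1 describes.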