diff --git a/backend/package-lock.json b/backend/package-lock.json index 97c3351399..220d4305ca 100644 --- a/backend/package-lock.json +++ b/backend/package-lock.json @@ -11,6 +11,7 @@ "dependencies": { "@aws-sdk/client-iam": "^3.525.0", "@aws-sdk/client-secrets-manager": "^3.504.0", + "@aws-sdk/client-sts": "^3.600.0", "@casl/ability": "^6.5.0", "@fastify/cookie": "^9.3.1", "@fastify/cors": "^8.5.0", 
@@ -1425,6 +1426,1064 @@ "@aws-sdk/credential-provider-node": "^3.504.0" } }, + "node_modules/@aws-sdk/client-sts": { + "version": "3.600.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.600.0.tgz", + "integrity": "sha512-KQG97B7LvTtTiGmjlrG1LRAY8wUvCQzrmZVV5bjrJ/1oXAU7DITYwVbSJeX9NWg6hDuSk0VE3MFwIXS2SvfLIA==", + "dependencies": { + "@aws-crypto/sha256-browser": "5.2.0", + "@aws-crypto/sha256-js": "5.2.0", + "@aws-sdk/client-sso-oidc": "3.600.0", + "@aws-sdk/core": "3.598.0", + "@aws-sdk/credential-provider-node": "3.600.0", + "@aws-sdk/middleware-host-header": "3.598.0", + "@aws-sdk/middleware-logger": "3.598.0", + "@aws-sdk/middleware-recursion-detection": "3.598.0", + "@aws-sdk/middleware-user-agent": "3.598.0", + "@aws-sdk/region-config-resolver": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@aws-sdk/util-endpoints": "3.598.0", + "@aws-sdk/util-user-agent-browser": "3.598.0", + "@aws-sdk/util-user-agent-node": "3.598.0", + "@smithy/config-resolver": "^3.0.2", + "@smithy/core": "^2.2.1", + "@smithy/fetch-http-handler": "^3.0.2", + "@smithy/hash-node": "^3.0.1", + "@smithy/invalid-dependency": "^3.0.1", + "@smithy/middleware-content-length": "^3.0.1", + "@smithy/middleware-endpoint": "^3.0.2", + "@smithy/middleware-retry": "^3.0.4", + "@smithy/middleware-serde": "^3.0.1", + "@smithy/middleware-stack": "^3.0.1", + "@smithy/node-config-provider": "^3.1.1", + "@smithy/node-http-handler": "^3.0.1", + "@smithy/protocol-http": "^4.0.1", + "@smithy/smithy-client": "^3.1.2", + "@smithy/types": "^3.1.0", + "@smithy/url-parser": "^3.0.1", + "@smithy/util-base64": "^3.0.0", + "@smithy/util-body-length-browser": "^3.0.0", + "@smithy/util-body-length-node": "^3.0.0", + "@smithy/util-defaults-mode-browser": "^3.0.4", + "@smithy/util-defaults-mode-node": "^3.0.4", + "@smithy/util-endpoints": "^2.0.2", + "@smithy/util-middleware": "^3.0.1", + "@smithy/util-retry": "^3.0.1", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + 
"node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/sha256-browser": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/@aws-crypto/sha256-browser/-/sha256-browser-5.2.0.tgz", + "integrity": "sha512-AXfN/lGotSQwu6HNcEsIASo7kWXZ5HYWvfOmSNKDsEqC4OashTp8alTmaz+F7TC2L083SFv5RdB+qU3Vs1kZqw==", + "dependencies": { + "@aws-crypto/sha256-js": "^5.2.0", + "@aws-crypto/supports-web-crypto": "^5.2.0", + "@aws-crypto/util": "^5.2.0", + "@aws-sdk/types": "^3.222.0", + "@aws-sdk/util-locate-window": "^3.0.0", + "@smithy/util-utf8": "^2.0.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/sha256-browser/node_modules/@smithy/util-utf8": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz", + "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==", + "dependencies": { + "@smithy/util-buffer-from": "^2.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=14.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/sha256-js": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/@aws-crypto/sha256-js/-/sha256-js-5.2.0.tgz", + "integrity": "sha512-FFQQyu7edu4ufvIZ+OadFpHHOt+eSTBaYaki44c+akjg7qZg9oOQeLlk77F6tSYqjDAFClrHJk9tMf0HdVyOvA==", + "dependencies": { + "@aws-crypto/util": "^5.2.0", + "@aws-sdk/types": "^3.222.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/supports-web-crypto": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/@aws-crypto/supports-web-crypto/-/supports-web-crypto-5.2.0.tgz", + "integrity": "sha512-iAvUotm021kM33eCdNfwIN//F77/IADDSs58i+MDaOqFrVjZo9bAal0NK7HurRuWLLpF1iLX7gbWrjHjeo+YFg==", + "dependencies": { + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/util": { + "version": "5.2.0", 
+ "resolved": "https://registry.npmjs.org/@aws-crypto/util/-/util-5.2.0.tgz", + "integrity": "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ==", + "dependencies": { + "@aws-sdk/types": "^3.222.0", + "@smithy/util-utf8": "^2.0.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-crypto/util/node_modules/@smithy/util-utf8": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz", + "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==", + "dependencies": { + "@smithy/util-buffer-from": "^2.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=14.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/client-sso": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso/-/client-sso-3.598.0.tgz", + "integrity": "sha512-nOI5lqPYa+YZlrrzwAJywJSw3MKVjvu6Ge2fCqQUNYMfxFB0NAaDFnl0EPjXi+sEbtCuz/uWE77poHbqiZ+7Iw==", + "dependencies": { + "@aws-crypto/sha256-browser": "5.2.0", + "@aws-crypto/sha256-js": "5.2.0", + "@aws-sdk/core": "3.598.0", + "@aws-sdk/middleware-host-header": "3.598.0", + "@aws-sdk/middleware-logger": "3.598.0", + "@aws-sdk/middleware-recursion-detection": "3.598.0", + "@aws-sdk/middleware-user-agent": "3.598.0", + "@aws-sdk/region-config-resolver": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@aws-sdk/util-endpoints": "3.598.0", + "@aws-sdk/util-user-agent-browser": "3.598.0", + "@aws-sdk/util-user-agent-node": "3.598.0", + "@smithy/config-resolver": "^3.0.2", + "@smithy/core": "^2.2.1", + "@smithy/fetch-http-handler": "^3.0.2", + "@smithy/hash-node": "^3.0.1", + "@smithy/invalid-dependency": "^3.0.1", + "@smithy/middleware-content-length": "^3.0.1", + "@smithy/middleware-endpoint": "^3.0.2", + "@smithy/middleware-retry": "^3.0.4", + "@smithy/middleware-serde": "^3.0.1", + "@smithy/middleware-stack": "^3.0.1", + 
"@smithy/node-config-provider": "^3.1.1", + "@smithy/node-http-handler": "^3.0.1", + "@smithy/protocol-http": "^4.0.1", + "@smithy/smithy-client": "^3.1.2", + "@smithy/types": "^3.1.0", + "@smithy/url-parser": "^3.0.1", + "@smithy/util-base64": "^3.0.0", + "@smithy/util-body-length-browser": "^3.0.0", + "@smithy/util-body-length-node": "^3.0.0", + "@smithy/util-defaults-mode-browser": "^3.0.4", + "@smithy/util-defaults-mode-node": "^3.0.4", + "@smithy/util-endpoints": "^2.0.2", + "@smithy/util-middleware": "^3.0.1", + "@smithy/util-retry": "^3.0.1", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/client-sso-oidc": { + "version": "3.600.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso-oidc/-/client-sso-oidc-3.600.0.tgz", + "integrity": "sha512-7+I8RWURGfzvChyNQSyj5/tKrqRbzRl7H+BnTOf/4Vsw1nFOi5ROhlhD4X/Y0QCTacxnaoNcIrqnY7uGGvVRzw==", + "dependencies": { + "@aws-crypto/sha256-browser": "5.2.0", + "@aws-crypto/sha256-js": "5.2.0", + "@aws-sdk/client-sts": "3.600.0", + "@aws-sdk/core": "3.598.0", + "@aws-sdk/credential-provider-node": "3.600.0", + "@aws-sdk/middleware-host-header": "3.598.0", + "@aws-sdk/middleware-logger": "3.598.0", + "@aws-sdk/middleware-recursion-detection": "3.598.0", + "@aws-sdk/middleware-user-agent": "3.598.0", + "@aws-sdk/region-config-resolver": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@aws-sdk/util-endpoints": "3.598.0", + "@aws-sdk/util-user-agent-browser": "3.598.0", + "@aws-sdk/util-user-agent-node": "3.598.0", + "@smithy/config-resolver": "^3.0.2", + "@smithy/core": "^2.2.1", + "@smithy/fetch-http-handler": "^3.0.2", + "@smithy/hash-node": "^3.0.1", + "@smithy/invalid-dependency": "^3.0.1", + "@smithy/middleware-content-length": "^3.0.1", + "@smithy/middleware-endpoint": "^3.0.2", + "@smithy/middleware-retry": "^3.0.4", + "@smithy/middleware-serde": "^3.0.1", + "@smithy/middleware-stack": "^3.0.1", + 
"@smithy/node-config-provider": "^3.1.1", + "@smithy/node-http-handler": "^3.0.1", + "@smithy/protocol-http": "^4.0.1", + "@smithy/smithy-client": "^3.1.2", + "@smithy/types": "^3.1.0", + "@smithy/url-parser": "^3.0.1", + "@smithy/util-base64": "^3.0.0", + "@smithy/util-body-length-browser": "^3.0.0", + "@smithy/util-body-length-node": "^3.0.0", + "@smithy/util-defaults-mode-browser": "^3.0.4", + "@smithy/util-defaults-mode-node": "^3.0.4", + "@smithy/util-endpoints": "^2.0.2", + "@smithy/util-middleware": "^3.0.1", + "@smithy/util-retry": "^3.0.1", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/core": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.598.0.tgz", + "integrity": "sha512-HaSjt7puO5Cc7cOlrXFCW0rtA0BM9lvzjl56x0A20Pt+0wxXGeTOZZOkXQIepbrFkV2e/HYukuT9e99vXDm59g==", + "dependencies": { + "@smithy/core": "^2.2.1", + "@smithy/protocol-http": "^4.0.1", + "@smithy/signature-v4": "^3.1.0", + "@smithy/smithy-client": "^3.1.2", + "@smithy/types": "^3.1.0", + "fast-xml-parser": "4.2.5", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-env": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.598.0.tgz", + "integrity": "sha512-vi1khgn7yXzLCcgSIzQrrtd2ilUM0dWodxj3PQ6BLfP0O+q1imO3hG1nq7DVyJtq7rFHs6+9N8G4mYvTkxby2w==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/property-provider": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-http": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.598.0.tgz", + 
"integrity": "sha512-N7cIafi4HVlQvEgvZSo1G4T9qb/JMLGMdBsDCT5XkeJrF0aptQWzTFH0jIdZcLrMYvzPcuEyO3yCBe6cy/ba0g==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/fetch-http-handler": "^3.0.2", + "@smithy/node-http-handler": "^3.0.1", + "@smithy/property-provider": "^3.1.1", + "@smithy/protocol-http": "^4.0.1", + "@smithy/smithy-client": "^3.1.2", + "@smithy/types": "^3.1.0", + "@smithy/util-stream": "^3.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-ini": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.598.0.tgz", + "integrity": "sha512-/ppcIVUbRwDIwJDoYfp90X3+AuJo2mvE52Y1t2VSrvUovYn6N4v95/vXj6LS8CNDhz2jvEJYmu+0cTMHdhI6eA==", + "dependencies": { + "@aws-sdk/credential-provider-env": "3.598.0", + "@aws-sdk/credential-provider-http": "3.598.0", + "@aws-sdk/credential-provider-process": "3.598.0", + "@aws-sdk/credential-provider-sso": "3.598.0", + "@aws-sdk/credential-provider-web-identity": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@smithy/credential-provider-imds": "^3.1.1", + "@smithy/property-provider": "^3.1.1", + "@smithy/shared-ini-file-loader": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + }, + "peerDependencies": { + "@aws-sdk/client-sts": "^3.598.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-node": { + "version": "3.600.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.600.0.tgz", + "integrity": "sha512-1pC7MPMYD45J7yFjA90SxpR0yaSvy+yZiq23aXhAPZLYgJBAxHLu0s0mDCk/piWGPh8+UGur5K0bVdx4B1D5hw==", + "dependencies": { + "@aws-sdk/credential-provider-env": "3.598.0", + "@aws-sdk/credential-provider-http": "3.598.0", + "@aws-sdk/credential-provider-ini": "3.598.0", + "@aws-sdk/credential-provider-process": 
"3.598.0", + "@aws-sdk/credential-provider-sso": "3.598.0", + "@aws-sdk/credential-provider-web-identity": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@smithy/credential-provider-imds": "^3.1.1", + "@smithy/property-provider": "^3.1.1", + "@smithy/shared-ini-file-loader": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-process": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.598.0.tgz", + "integrity": "sha512-rM707XbLW8huMk722AgjVyxu2tMZee++fNA8TJVNgs1Ma02Wx6bBrfIvlyK0rCcIRb0WdQYP6fe3Xhiu4e8IBA==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/property-provider": "^3.1.1", + "@smithy/shared-ini-file-loader": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-sso": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.598.0.tgz", + "integrity": "sha512-5InwUmrAuqQdOOgxTccRayMMkSmekdLk6s+az9tmikq0QFAHUCtofI+/fllMXSR9iL6JbGYi1940+EUmS4pHJA==", + "dependencies": { + "@aws-sdk/client-sso": "3.598.0", + "@aws-sdk/token-providers": "3.598.0", + "@aws-sdk/types": "3.598.0", + "@smithy/property-provider": "^3.1.1", + "@smithy/shared-ini-file-loader": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/credential-provider-web-identity": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.598.0.tgz", + "integrity": "sha512-GV5GdiMbz5Tz9JO4NJtRoFXjW0GPEujA0j+5J/B723rTN+REHthJu48HdBKouHGhdzkDWkkh1bu52V02Wprw8w==", + 
"dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/property-provider": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + }, + "peerDependencies": { + "@aws-sdk/client-sts": "^3.598.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/middleware-host-header": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.598.0.tgz", + "integrity": "sha512-WiaG059YBQwQraNejLIi0gMNkX7dfPZ8hDIhvMr5aVPRbaHH8AYF3iNSsXYCHvA2Cfa1O9haYXsuMF9flXnCmA==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/protocol-http": "^4.0.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/middleware-logger": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.598.0.tgz", + "integrity": "sha512-bxBjf/VYiu3zfu8SYM2S9dQQc3tz5uBAOcPz/Bt8DyyK3GgOpjhschH/2XuUErsoUO1gDJqZSdGOmuHGZQn00Q==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/middleware-recursion-detection": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.598.0.tgz", + "integrity": "sha512-vjT9BeFY9FeN0f8hm2l6F53tI0N5bUq6RcDkQXKNabXBnQxKptJRad6oP2X5y3FoVfBLOuDkQgiC2940GIPxtQ==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/protocol-http": "^4.0.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/middleware-user-agent": { + "version": "3.598.0", + "resolved": 
"https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.598.0.tgz", + "integrity": "sha512-4tjESlHG5B5MdjUaLK7tQs/miUtHbb6deauQx8ryqSBYOhfHVgb1ZnzvQR0bTrhpqUg0WlybSkDaZAICf9xctg==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@aws-sdk/util-endpoints": "3.598.0", + "@smithy/protocol-http": "^4.0.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/region-config-resolver": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.598.0.tgz", + "integrity": "sha512-oYXhmTokSav4ytmWleCr3rs/1nyvZW/S0tdi6X7u+dLNL5Jee+uMxWGzgOrWK6wrQOzucLVjS4E/wA11Kv2GTw==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/node-config-provider": "^3.1.1", + "@smithy/types": "^3.1.0", + "@smithy/util-config-provider": "^3.0.0", + "@smithy/util-middleware": "^3.0.1", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/token-providers": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.598.0.tgz", + "integrity": "sha512-TKY1EVdHVBnZqpyxyTHdpZpa1tUpb6nxVeRNn1zWG8QB5MvH4ALLd/jR+gtmWDNQbIG4cVuBOZFVL8hIYicKTA==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/property-provider": "^3.1.1", + "@smithy/shared-ini-file-loader": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + }, + "peerDependencies": { + "@aws-sdk/client-sso-oidc": "^3.598.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/types": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.598.0.tgz", + "integrity": "sha512-742uRl6z7u0LFmZwDrFP6r1wlZcgVPw+/TilluDJmCAR8BgRw3IR+743kUXKBGd8QZDRW2n6v/PYsi/AWCDDMQ==", + "dependencies": { + "@smithy/types": 
"^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/util-endpoints": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.598.0.tgz", + "integrity": "sha512-Qo9UoiVVZxcOEdiOMZg3xb1mzkTxrhd4qSlg5QQrfWPJVx/QOg+Iy0NtGxPtHtVZNHZxohYwDwV/tfsnDSE2gQ==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/types": "^3.1.0", + "@smithy/util-endpoints": "^2.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/util-user-agent-browser": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.598.0.tgz", + "integrity": "sha512-36Sxo6F+ykElaL1mWzWjlg+1epMpSe8obwhCN1yGE7Js9ywy5U6k6l+A3q3YM9YRbm740sNxncbwLklMvuhTKw==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/types": "^3.1.0", + "bowser": "^2.11.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@aws-sdk/util-user-agent-node": { + "version": "3.598.0", + "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.598.0.tgz", + "integrity": "sha512-oyWGcOlfTdzkC6SVplyr0AGh54IMrDxbhg5RxJ5P+V4BKfcDoDcZV9xenUk9NsOi9MuUjxMumb9UJGkDhM1m0A==", + "dependencies": { + "@aws-sdk/types": "3.598.0", + "@smithy/node-config-provider": "^3.1.1", + "@smithy/types": "^3.1.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + }, + "peerDependencies": { + "aws-crt": ">=1.0.0" + }, + "peerDependenciesMeta": { + "aws-crt": { + "optional": true + } + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/abort-controller": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-3.1.0.tgz", + "integrity": 
"sha512-XOm4LkuC0PsK1sf2bBJLIlskn5ghmVxiEBVlo/jg0R8hxASBKYYgOoJEhKWgOr4vWGkN+5rC+oyBAqHYtxjnwQ==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/config-resolver": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-3.0.3.tgz", + "integrity": "sha512-4wHqCMkdfVDP4qmr4fVPYOFOH+vKhOv3X4e6KEU9wIC8xXUQ24tnF4CW+sddGDX1zU86GGyQ7A+rg2xmUD6jpQ==", + "dependencies": { + "@smithy/node-config-provider": "^3.1.2", + "@smithy/types": "^3.2.0", + "@smithy/util-config-provider": "^3.0.0", + "@smithy/util-middleware": "^3.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/core": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@smithy/core/-/core-2.2.3.tgz", + "integrity": "sha512-SpyLOL2vgE6sUYM6nQfu82OirCPkCDKctyG3aMgjMlDPTJpUlmlNH0ttu9ZWwzEjrzzr8uABmPjJTRI7gk1HFQ==", + "dependencies": { + "@smithy/middleware-endpoint": "^3.0.3", + "@smithy/middleware-retry": "^3.0.6", + "@smithy/middleware-serde": "^3.0.2", + "@smithy/protocol-http": "^4.0.2", + "@smithy/smithy-client": "^3.1.4", + "@smithy/types": "^3.2.0", + "@smithy/util-middleware": "^3.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/credential-provider-imds": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-3.1.2.tgz", + "integrity": "sha512-gqVmUaNoeqyrOAjgZg+rTmFLsphh/vS59LCMdFfVpthVS0jbfBzvBmEPktBd+y9ME4DYMGHFAMSYJDK8q0noOQ==", + "dependencies": { + "@smithy/node-config-provider": "^3.1.2", + "@smithy/property-provider": "^3.1.2", + "@smithy/types": "^3.2.0", + "@smithy/url-parser": "^3.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + 
"node_modules/@aws-sdk/client-sts/node_modules/@smithy/fetch-http-handler": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-3.1.0.tgz", + "integrity": "sha512-s7oQjEOUH9TYjctpITtWF4qxOdg7pBrP9eigEQ8SBsxF3dRFV0S28pGMllC83DUr7ECmErhO/BUwnULfoNhKgQ==", + "dependencies": { + "@smithy/protocol-http": "^4.0.2", + "@smithy/querystring-builder": "^3.0.2", + "@smithy/types": "^3.2.0", + "@smithy/util-base64": "^3.0.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/hash-node": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-3.0.2.tgz", + "integrity": "sha512-43uGA6o6QJQdXwAogybdTDHDd3SCdKyoiHIHb8PpdE2rKmVicjG9b1UgVwdgO8QPytmVqHFaUw27M3LZKwu8Yg==", + "dependencies": { + "@smithy/types": "^3.2.0", + "@smithy/util-buffer-from": "^3.0.0", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/hash-node/node_modules/@smithy/util-buffer-from": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-3.0.0.tgz", + "integrity": "sha512-aEOHCgq5RWFbP+UDPvPot26EJHjOC+bRgse5A8V3FSShqd5E5UN4qc7zkwsvJPPAVsf73QwYcHN1/gt/rtLwQA==", + "dependencies": { + "@smithy/is-array-buffer": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/invalid-dependency": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-3.0.2.tgz", + "integrity": "sha512-+BAY3fMhomtq470tswXyrdVBSUhiLuhBVT+rOmpbz5e04YX+s1dX4NxTLzZGwBjCpeWZNtTxP8zbIvvFk81gUg==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/is-array-buffer": { + "version": "3.0.0", + "resolved": 
"https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-3.0.0.tgz", + "integrity": "sha512-+Fsu6Q6C4RSJiy81Y8eApjEB5gVtM+oFKTffg+jSuwtvomJJrhUJBu2zS8wjXSgH/g1MKEWrzyChTBe6clb5FQ==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/middleware-content-length": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-3.0.2.tgz", + "integrity": "sha512-/Havz3PkYIEmwpqkyRTR21yJsWnFbD1ec4H1pUL+TkDnE7RCQkAVUQepLL/UeCaZeCBXvfdoKbOjSbV01xIinQ==", + "dependencies": { + "@smithy/protocol-http": "^4.0.2", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/middleware-endpoint": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-3.0.3.tgz", + "integrity": "sha512-ARAXHodhj4tttKa9y75zvENdSoHq6VGsSi7XS3+yLutrnxttJs6N10UMInCC1yi3/bopT8xug3iOP/y9R6sKJQ==", + "dependencies": { + "@smithy/middleware-serde": "^3.0.2", + "@smithy/node-config-provider": "^3.1.2", + "@smithy/shared-ini-file-loader": "^3.1.2", + "@smithy/types": "^3.2.0", + "@smithy/url-parser": "^3.0.2", + "@smithy/util-middleware": "^3.0.2", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/middleware-retry": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-3.0.6.tgz", + "integrity": "sha512-ICsFKp8eAyIMmxN5UT3IU37S6886L879TKtgxPsn/VD/laYNwqTLmJaCAn5//+2fRIrV0dnHp6LFlMwdXlWoUQ==", + "dependencies": { + "@smithy/node-config-provider": "^3.1.2", + "@smithy/protocol-http": "^4.0.2", + "@smithy/service-error-classification": "^3.0.2", + "@smithy/smithy-client": "^3.1.4", + "@smithy/types": "^3.2.0", + "@smithy/util-middleware": "^3.0.2", + 
"@smithy/util-retry": "^3.0.2", + "tslib": "^2.6.2", + "uuid": "^9.0.1" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/middleware-serde": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-3.0.2.tgz", + "integrity": "sha512-oT2abV5zLhBucJe1LIIFEcRgIBDbZpziuMPswTMbBQNcaEUycLFvX63zsFmqfwG+/ZQKsNx+BSE8W51CMuK7Yw==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/middleware-stack": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-3.0.2.tgz", + "integrity": "sha512-6fRcxomlNKBPIy/YjcnC7YHpMAjRvGUYlYVJAfELqZjkW0vQegNcImjY7T1HgYA6u3pAcCxKVBLYnkTw8z/l0A==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/node-config-provider": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-3.1.2.tgz", + "integrity": "sha512-388fEAa7+6ORj/BDC70peg3fyFBTTXJyXfXJ0Bwd6FYsRltePr2oGzIcm5AuC1WUSLtZ/dF+hYOnfTMs04rLvA==", + "dependencies": { + "@smithy/property-provider": "^3.1.2", + "@smithy/shared-ini-file-loader": "^3.1.2", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/node-http-handler": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-3.1.0.tgz", + "integrity": "sha512-pOpgB6B+VLXLwAyyvRz+ZAVXABlbAsJ2xvn3WZvrppAPImxwQOPFbeSUzWYMhpC8Tr7yQ3R8fG990QDhskkf1Q==", + "dependencies": { + "@smithy/abort-controller": "^3.1.0", + "@smithy/protocol-http": "^4.0.2", + "@smithy/querystring-builder": "^3.0.2", + "@smithy/types": "^3.2.0", + 
"tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/property-provider": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-3.1.2.tgz", + "integrity": "sha512-Hzp32BpeFFexBpO1z+ts8okbq/VLzJBadxanJAo/Wf2CmvXMBp6Q/TLWr7Js6IbMEcr0pDZ02V3u1XZkuQUJaA==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/protocol-http": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-4.0.2.tgz", + "integrity": "sha512-X/90xNWIOqSR2tLUyWxVIBdatpm35DrL44rI/xoeBWUuanE0iyCXJpTcnqlOpnEzgcu0xCKE06+g70TTu2j7RQ==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/querystring-builder": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-3.0.2.tgz", + "integrity": "sha512-xhv1+HacDYsOLdNt7zW+8Fe779KYAzmWvzs9bC5NlKM8QGYCwwuFwDBynhlU4D5twgi2pZ14Lm4h6RiAazCtmA==", + "dependencies": { + "@smithy/types": "^3.2.0", + "@smithy/util-uri-escape": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/querystring-parser": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-3.0.2.tgz", + "integrity": "sha512-C5hyRKgrZGPNh5QqIWzXnW+LXVrPmVQO0iJKjHeb5v3C61ZkP9QhrKmbfchcTyg/VnaE0tMNf/nmLpQlWuiqpg==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/service-error-classification": { + "version": "3.0.2", + "resolved": 
"https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-3.0.2.tgz", + "integrity": "sha512-cu0WV2XRttItsuXlcM0kq5MKdphbMMmSd2CXF122dJ75NrFE0o7rruXFGfxAp3BKzgF/DMxX+PllIA/cj4FHMw==", + "dependencies": { + "@smithy/types": "^3.2.0" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/shared-ini-file-loader": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-3.1.2.tgz", + "integrity": "sha512-tgnXrXbLMO8vo6VeuqabMw/eTzQHlLmZx0TC0TjtjJghnD0Xl4pEnJtBjTJr6XF5fHMNrt5BcczDXHJT9yNQnA==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/signature-v4": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-3.1.1.tgz", + "integrity": "sha512-2/vlG86Sr489XX8TA/F+VDA+P04ESef04pSz0wRtlQBExcSPjqO08rvrkcas2zLnJ51i+7ukOURCkgqixBYjSQ==", + "dependencies": { + "@smithy/is-array-buffer": "^3.0.0", + "@smithy/types": "^3.2.0", + "@smithy/util-hex-encoding": "^3.0.0", + "@smithy/util-middleware": "^3.0.2", + "@smithy/util-uri-escape": "^3.0.0", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/smithy-client": { + "version": "3.1.4", + "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-3.1.4.tgz", + "integrity": "sha512-y6xJROGrIoitjpwXLY7P9luDHvuT9jWpAluliuSFdBymFxcl6iyQjo9U/JhYfRHFNTruqsvKOrOESVuPGEcRmQ==", + "dependencies": { + "@smithy/middleware-endpoint": "^3.0.3", + "@smithy/middleware-stack": "^3.0.2", + "@smithy/protocol-http": "^4.0.2", + "@smithy/types": "^3.2.0", + "@smithy/util-stream": "^3.0.4", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + 
"node_modules/@aws-sdk/client-sts/node_modules/@smithy/types": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/@smithy/types/-/types-3.2.0.tgz", + "integrity": "sha512-cKyeKAPazZRVqm7QPvcPD2jEIt2wqDPAL1KJKb0f/5I7uhollvsWZuZKLclmyP6a+Jwmr3OV3t+X0pZUUHS9BA==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/url-parser": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-3.0.2.tgz", + "integrity": "sha512-pRiPHrgibeAr4avtXDoBHmTLtthwA4l8jKYRfZjNgp+bBPyxDMPRg2TMJaYxqbKemvrOkHu9MIBTv2RkdNfD6w==", + "dependencies": { + "@smithy/querystring-parser": "^3.0.2", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-base64": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-3.0.0.tgz", + "integrity": "sha512-Kxvoh5Qtt0CDsfajiZOCpJxgtPHXOKwmM+Zy4waD43UoEMA+qPxxa98aE/7ZhdnBFZFXMOiBR5xbcaMhLtznQQ==", + "dependencies": { + "@smithy/util-buffer-from": "^3.0.0", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-base64/node_modules/@smithy/util-buffer-from": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-3.0.0.tgz", + "integrity": "sha512-aEOHCgq5RWFbP+UDPvPot26EJHjOC+bRgse5A8V3FSShqd5E5UN4qc7zkwsvJPPAVsf73QwYcHN1/gt/rtLwQA==", + "dependencies": { + "@smithy/is-array-buffer": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-body-length-browser": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-3.0.0.tgz", + "integrity": 
"sha512-cbjJs2A1mLYmqmyVl80uoLTJhAcfzMOyPgjwAYusWKMdLeNtzmMz9YxNl3/jRLoxSS3wkqkf0jwNdtXWtyEBaQ==", + "dependencies": { + "tslib": "^2.6.2" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-body-length-node": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-3.0.0.tgz", + "integrity": "sha512-Tj7pZ4bUloNUP6PzwhN7K386tmSmEET9QtQg0TgdNOnxhZvCssHji+oZTUIuzxECRfG8rdm2PMw2WCFs6eIYkA==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-config-provider": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-3.0.0.tgz", + "integrity": "sha512-pbjk4s0fwq3Di/ANL+rCvJMKM5bzAQdE5S/6RL5NXgMExFAi6UgQMPOm5yPaIWPpr+EOXKXRonJ3FoxKf4mCJQ==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-defaults-mode-browser": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-3.0.6.tgz", + "integrity": "sha512-tAgoc++Eq+KL7g55+k108pn7nAob3GLWNEMbXhZIQyBcBNaE/o3+r4AEbae0A8bWvLRvArVsjeiuhMykGa04/A==", + "dependencies": { + "@smithy/property-provider": "^3.1.2", + "@smithy/smithy-client": "^3.1.4", + "@smithy/types": "^3.2.0", + "bowser": "^2.11.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">= 10.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-defaults-mode-node": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-3.0.6.tgz", + "integrity": "sha512-UNerul6/E8aiCyFTBHk+RSIZCo7m96d/N5K3FeO/wFeZP6oy5HAicLzxqa85Wjv7MkXSxSySX29L/LwTV/QMag==", + "dependencies": { + "@smithy/config-resolver": "^3.0.3", + "@smithy/credential-provider-imds": "^3.1.2", + 
"@smithy/node-config-provider": "^3.1.2", + "@smithy/property-provider": "^3.1.2", + "@smithy/smithy-client": "^3.1.4", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">= 10.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-endpoints": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-2.0.3.tgz", + "integrity": "sha512-Dyi+pfLglDHSGsKSYunuUUSFM5V0tz7UDgv1Ex97yg+Xkn0Eb0rH0rcvl1n0MaJ11fac3HKDOH0DkALyQYCQag==", + "dependencies": { + "@smithy/node-config-provider": "^3.1.2", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-hex-encoding": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-3.0.0.tgz", + "integrity": "sha512-eFndh1WEK5YMUYvy3lPlVmYY/fZcQE1D8oSf41Id2vCeIkKJXPcYDCZD+4+xViI6b1XSd7tE+s5AmXzz5ilabQ==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-middleware": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-3.0.2.tgz", + "integrity": "sha512-7WW5SD0XVrpfqljBYzS5rLR+EiDzl7wCVJZ9Lo6ChNFV4VYDk37Z1QI5w/LnYtU/QKnSawYoHRd7VjSyC8QRQQ==", + "dependencies": { + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-retry": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-3.0.2.tgz", + "integrity": "sha512-HUVOb1k8p/IH6WFUjsLa+L9H1Zi/FAAB2CDOpWuffI1b2Txi6sknau8kNfC46Xrt39P1j2KDzCE1UlLa2eW5+A==", + "dependencies": { + "@smithy/service-error-classification": "^3.0.2", + "@smithy/types": "^3.2.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + 
"node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-stream": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-3.0.4.tgz", + "integrity": "sha512-CcMioiaOOsEVdb09pS7ux1ij7QcQ2jE/cE1+iin1DXMeRgAEQN/47m7Xztu7KFQuQsj0A5YwB2UN45q97CqKCg==", + "dependencies": { + "@smithy/fetch-http-handler": "^3.1.0", + "@smithy/node-http-handler": "^3.1.0", + "@smithy/types": "^3.2.0", + "@smithy/util-base64": "^3.0.0", + "@smithy/util-buffer-from": "^3.0.0", + "@smithy/util-hex-encoding": "^3.0.0", + "@smithy/util-utf8": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-stream/node_modules/@smithy/util-buffer-from": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-3.0.0.tgz", + "integrity": "sha512-aEOHCgq5RWFbP+UDPvPot26EJHjOC+bRgse5A8V3FSShqd5E5UN4qc7zkwsvJPPAVsf73QwYcHN1/gt/rtLwQA==", + "dependencies": { + "@smithy/is-array-buffer": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-uri-escape": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-3.0.0.tgz", + "integrity": "sha512-LqR7qYLgZTD7nWLBecUi4aqolw8Mhza9ArpNEQ881MJJIU2sE5iHCK6TdyqqzcDLy0OPe10IY4T8ctVdtynubg==", + "dependencies": { + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + "node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-utf8": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-3.0.0.tgz", + "integrity": "sha512-rUeT12bxFnplYDe815GXbq/oixEGHfRFFtcTF3YdDi/JaENIM6aSYYLJydG83UNzLXeRI5K8abYd/8Sp/QM0kA==", + "dependencies": { + "@smithy/util-buffer-from": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, + 
"node_modules/@aws-sdk/client-sts/node_modules/@smithy/util-utf8/node_modules/@smithy/util-buffer-from": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-3.0.0.tgz", + "integrity": "sha512-aEOHCgq5RWFbP+UDPvPot26EJHjOC+bRgse5A8V3FSShqd5E5UN4qc7zkwsvJPPAVsf73QwYcHN1/gt/rtLwQA==", + "dependencies": { + "@smithy/is-array-buffer": "^3.0.0", + "tslib": "^2.6.2" + }, + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/@aws-sdk/core": { "version": "3.496.0", "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.496.0.tgz", diff --git a/backend/package.json b/backend/package.json index ab397daa57..6ef9add0df 100644 --- a/backend/package.json +++ b/backend/package.json @@ -72,6 +72,7 @@ "dependencies": { "@aws-sdk/client-iam": "^3.525.0", "@aws-sdk/client-secrets-manager": "^3.504.0", + "@aws-sdk/client-sts": "^3.600.0", "@casl/ability": "^6.5.0", "@fastify/cookie": "^9.3.1", "@fastify/cors": "^8.5.0", diff --git a/backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts b/backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts new file mode 100644 index 0000000000..0d556a1c08 --- /dev/null +++ b/backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts 
@@ -0,0 +1,35 @@ +import { Knex } from "knex"; + +import { TableName } from "../schemas"; + +export async function up(knex: Knex): Promise { + const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn( + TableName.IntegrationAuth, + "awsAssumeIamRoleArnCipherText" + ); + const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV"); + const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag"); + if (await knex.schema.hasTable(TableName.IntegrationAuth)) { + await knex.schema.alterTable(TableName.IntegrationAuth, (t) => { + if (!hasAwsAssumeRoleCipherText) t.text("awsAssumeIamRoleArnCipherText"); + if (!hasAwsAssumeRoleIV) t.text("awsAssumeIamRoleArnIV"); + if (!hasAwsAssumeRoleTag) t.text("awsAssumeIamRoleArnTag"); + }); + } +} + +export async function down(knex: Knex): Promise { + const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn( + TableName.IntegrationAuth, + "awsAssumeIamRoleArnCipherText" + ); + const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV"); + const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag"); + if (await knex.schema.hasTable(TableName.IntegrationAuth)) { + await knex.schema.alterTable(TableName.IntegrationAuth, (t) => { + if (hasAwsAssumeRoleCipherText) t.dropColumn("awsAssumeIamRoleArnCipherText"); + if (hasAwsAssumeRoleIV) t.dropColumn("awsAssumeIamRoleArnIV"); + if (hasAwsAssumeRoleTag) t.dropColumn("awsAssumeIamRoleArnTag"); + }); + } +} diff --git a/backend/src/db/schemas/integration-auths.ts b/backend/src/db/schemas/integration-auths.ts index 185beae366..0a980edc80 100644 --- a/backend/src/db/schemas/integration-auths.ts +++ b/backend/src/db/schemas/integration-auths.ts 
@@ -29,7 +29,10 @@ export const IntegrationAuthsSchema = z.object({ keyEncoding: z.string(), projectId: z.string(), createdAt: z.date(), - updatedAt: z.date() + updatedAt: z.date(), + awsAssumeIamRoleArnCipherText: z.string().nullable().optional(), + awsAssumeIamRoleArnIV: z.string().nullable().optional(), + awsAssumeIamRoleArnTag: z.string().nullable().optional() }); export type TIntegrationAuths = z.infer; diff --git a/backend/src/lib/api-docs/constants.ts b/backend/src/lib/api-docs/constants.ts index 0e987f41b7..de0a1d4c25 100644 --- a/backend/src/lib/api-docs/constants.ts +++ b/backend/src/lib/api-docs/constants.ts @@ -692,6 +692,7 @@ export const INTEGRATION_AUTH = { integration: "The slug of integration for the auth object.", accessId: "The unique authorized access id of the external integration provider.", accessToken: "The unique authorized access token of the external integration provider.", + awsAssumeIamRoleArn: "The AWS IAM Role to be assumed by Infisical", url: "", namespace: "", refreshToken: "The refresh token for integration authorization." diff --git a/backend/src/lib/config/env.ts b/backend/src/lib/config/env.ts index f4da712936..5c325bdd93 100644 --- a/backend/src/lib/config/env.ts +++ b/backend/src/lib/config/env.ts @@ -101,6 +101,9 @@ const envSchema = z // azure CLIENT_ID_AZURE: zpStr(z.string().optional()), CLIENT_SECRET_AZURE: zpStr(z.string().optional()), + // aws + CLIENT_ID_AWS_INTEGRATION: zpStr(z.string().optional()), + CLIENT_SECRET_AWS_INTEGRATION: zpStr(z.string().optional()), // gitlab CLIENT_ID_GITLAB: zpStr(z.string().optional()), CLIENT_SECRET_GITLAB: zpStr(z.string().optional()), diff --git a/backend/src/server/routes/v1/integration-auth-router.ts b/backend/src/server/routes/v1/integration-auth-router.ts index 899c1cac83..963b7101cb 100644 --- a/backend/src/server/routes/v1/integration-auth-router.ts +++ b/backend/src/server/routes/v1/integration-auth-router.ts 
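Review bot: In the `env.ts` hunk, `CLIENT_ID_AWS_INTEGRATION` and `CLIENT_SECRET_AWS_INTEGRATION` are each optional on their own, so a deployment can set one without the other and nothing reports it. The STS client in `integration-sync-secret.ts` uses them only when both are present and otherwise passes `credentials: undefined`, which presumably falls through to the SDK's default provider chain, so a half-configured instance would call AssumeRole as whatever ambient identity the host has. I would reject the mismatch at config load, for example `if (Boolean(cfg.CLIENT_ID_AWS_INTEGRATION) !== Boolean(cfg.CLIENT_SECRET_AWS_INTEGRATION)) throw new Error("CLIENT_ID_AWS_INTEGRATION and CLIENT_SECRET_AWS_INTEGRATION must be set together");`. The end of `envSchema` is outside this hunk, so where that check belongs (a schema refinement or the config getter) needs confirming.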
@@ -240,6 +240,12 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider) integration: z.string().trim().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.integration), accessId: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessId), accessToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessToken), + awsAssumeIamRoleArn: z + .string() + .url() + .trim() + .optional() + .describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.awsAssumeIamRoleArn), url: z.string().url().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.url), namespace: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.namespace), refreshToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.refreshToken) diff --git a/backend/src/services/integration-auth/integration-auth-service.ts b/backend/src/services/integration-auth/integration-auth-service.ts index 02091d88cb..a5514de71d 100644 --- a/backend/src/services/integration-auth/integration-auth-service.ts +++ b/backend/src/services/integration-auth/integration-auth-service.ts @@ -178,7 +178,8 @@ export const integrationAuthServiceFactory = ({ actorAuthMethod, accessId, namespace, - accessToken + accessToken, + awsAssumeIamRoleArn }: TSaveIntegrationAccessTokenDTO) => { if (!Object.values(Integrations).includes(integration as Integrations)) throw new BadRequestError({ message: "Invalid integration" }); @@ -230,7 +231,7 @@ export const integrationAuthServiceFactory = ({ updateDoc.accessExpiresAt = tokenDetails.accessExpiresAt; } - if (!refreshToken && (accessId || accessToken)) { + if (!refreshToken && (accessId || accessToken || awsAssumeIamRoleArn)) { if (accessToken) { const accessEncToken = encryptSymmetric128BitHexKeyUTF8(accessToken, key); updateDoc.accessIV = accessEncToken.iv; 
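Review bot: In the router hunk, `awsAssumeIamRoleArn` is validated with `.string().url()`, which as far as I know only checks that the value parses as a URL and does not require the shape of an IAM role ARN. The value is later handed to `AssumeRoleCommand` as `RoleArn`, so anything with a scheme is stored and only fails at sync time. I would validate the ARN shape and trim before validating, e.g. `z.string().trim().regex(/^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/, "Invalid IAM role ARN").optional()`. The frontend form in `authorize.tsx` uses `z.string().min(1)` for `iamRoleArn` and could share the same pattern.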
@@ -243,6 +244,12 @@ export const integrationAuthServiceFactory = ({ updateDoc.accessIdTag = accessEncToken.tag; updateDoc.accessIdCiphertext = accessEncToken.ciphertext; } + if (awsAssumeIamRoleArn) { + const awsAssumeIamRoleArnEnc = encryptSymmetric128BitHexKeyUTF8(awsAssumeIamRoleArn, key); + updateDoc.awsAssumeIamRoleArnCipherText = awsAssumeIamRoleArnEnc.ciphertext; + updateDoc.awsAssumeIamRoleArnIV = awsAssumeIamRoleArnEnc.iv; + updateDoc.awsAssumeIamRoleArnTag = awsAssumeIamRoleArnEnc.tag; + } } return integrationAuthDAL.create(updateDoc); }; @@ -251,6 +258,14 @@ export const integrationAuthServiceFactory = ({ const getIntegrationAccessToken = async (integrationAuth: TIntegrationAuths, botKey: string) => { let accessToken: string | undefined; let accessId: string | undefined; + // this means its not access token based + if ( + integrationAuth.integration === Integrations.AWS_SECRET_MANAGER && + integrationAuth.awsAssumeIamRoleArnCipherText + ) { + return { accessToken: "", accessId: "" }; + } + if (integrationAuth.accessTag && integrationAuth.accessIV && integrationAuth.accessCiphertext) { accessToken = decryptSymmetric128BitHexKeyUTF8({ ciphertext: integrationAuth.accessCiphertext, diff --git a/backend/src/services/integration-auth/integration-auth-types.ts b/backend/src/services/integration-auth/integration-auth-types.ts index 0a816035cc..5d1bfc18fc 100644 --- a/backend/src/services/integration-auth/integration-auth-types.ts +++ b/backend/src/services/integration-auth/integration-auth-types.ts @@ -17,6 +17,7 @@ export type TSaveIntegrationAccessTokenDTO = { url?: string; namespace?: string; refreshToken?: string; + awsAssumeIamRoleArn?: string; } & TProjectPermission; export type TDeleteIntegrationAuthsDTO = TProjectPermission & { diff --git a/backend/src/services/integration-auth/integration-sync-secret.ts b/backend/src/services/integration-auth/integration-sync-secret.ts index e693a7fea0..4d32f819a5 100644 
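Review bot: The early return added to `getIntegrationAccessToken` treats a row as assume-role based when `awsAssumeIamRoleArnCipherText` alone is set, while `secret-queue.ts` decrypts the ARN only if the tag, IV and ciphertext are all present. A row with ciphertext but a missing IV or tag would get empty credentials here and a `null` ARN there, and the sync would then fail with "AWS access ID/AWS Assume Role is required", which hides the real cause. I would use the same three-field condition in both places, `integrationAuth.awsAssumeIamRoleArnCipherText && integrationAuth.awsAssumeIamRoleArnIV && integrationAuth.awsAssumeIamRoleArnTag`, or decrypt the ARN in this function and return it with the other credentials so there is only one check. The rest of `getIntegrationAccessToken` is outside the hunk.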
--- a/backend/src/services/integration-auth/integration-sync-secret.ts +++ b/backend/src/services/integration-auth/integration-sync-secret.ts @@ -17,14 +17,17 @@ import { UntagResourceCommand, UpdateSecretCommand } from "@aws-sdk/client-secrets-manager"; +import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts"; import { Octokit } from "@octokit/rest"; import AWS, { AWSError } from "aws-sdk"; import { AxiosError } from "axios"; +import { randomUUID } from "crypto"; import sodium from "libsodium-wrappers"; import isEqual from "lodash.isequal"; import { z } from "zod"; import { SecretType, TIntegrationAuths, TIntegrations, TSecrets } from "@app/db/schemas"; +import { getConfig } from "@app/lib/config/env"; import { request } from "@app/lib/config/request"; import { BadRequestError } from "@app/lib/errors"; import { logger } from "@app/lib/logger"; 
@@ -695,24 +698,61 @@ const syncSecretsAWSSecretManager = async ({ integration, secrets, accessId, - accessToken + accessToken, + awsAssumeRoleArn, + projectId }: { integration: TIntegrations; secrets: Record; accessId: string | null; accessToken: string; + awsAssumeRoleArn: string | null; + projectId?: string; }) => { + const appCfg = getConfig(); const metadata = z.record(z.any()).parse(integration.metadata || {}); - if (!accessId) { - throw new Error("AWS access ID is required"); + if (!accessId && !awsAssumeRoleArn) { + throw new Error("AWS access ID/AWS Assume Role is required"); + } + + let accessKeyId = ""; + let secretAccessKey = ""; + let sessionToken; + if (awsAssumeRoleArn) { + const client = new STSClient({ + region: integration.region as string, + credentials: + appCfg.CLIENT_ID_AWS_INTEGRATION && appCfg.CLIENT_SECRET_AWS_INTEGRATION + ? { + accessKeyId: appCfg.CLIENT_ID_AWS_INTEGRATION, + secretAccessKey: appCfg.CLIENT_SECRET_AWS_INTEGRATION + } + : undefined + }); + const command = new AssumeRoleCommand({ + RoleArn: awsAssumeRoleArn, + RoleSessionName: `infisical-sm-${randomUUID()}`, + DurationSeconds: 900, // 15mins + ExternalId: projectId + }); + const response = await client.send(command); + if (!response.Credentials?.AccessKeyId || !response.Credentials?.SecretAccessKey) + throw new Error("Failed to assume role"); + accessKeyId = response.Credentials?.AccessKeyId; + secretAccessKey = response.Credentials?.SecretAccessKey; + sessionToken = response.Credentials?.SessionToken; + } else { + accessKeyId = accessId as string; + secretAccessKey = accessToken; } const secretsManager = new SecretsManagerClient({ region: integration.region as string, credentials: { - accessKeyId: accessId, - secretAccessKey: accessToken + accessKeyId, + secretAccessKey, + sessionToken } }); 
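Review bot: `ExternalId: projectId` is the only thing binding the assumed role to one project, but `projectId` is typed `projectId?: string` here and in `syncIntegrationSecrets`, so the AssumeRole call can go out with no external ID at all. The role ARN is supplied by the tenant and the STS call runs under the server's shared credentials, so the assume-role branch should refuse to run without it: `if (!projectId) throw new Error("Project ID is required to assume an AWS role");` before building `AssumeRoleCommand`. The accompanying docs hunk describes "Require external ID" as optional; a trust policy that names only the account, with no `sts:ExternalId` condition, is not tied to a single project, so I would document the external ID as the expected setup. Separately, `let sessionToken;` is implicitly `any` and could be declared as `let sessionToken: string | undefined;`. The body of `syncSecretsAWSSecretManager` continues outside this hunk.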
@@ -3568,7 +3608,9 @@ export const syncIntegrationSecrets = async ({ secrets, accessId, accessToken, - appendices + awsAssumeRoleArn, + appendices, + projectId }: { createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise>; updateManySecretsRawFn: (params: TUpdateManySecretsRawFn) => Promise>; @@ -3585,8 +3627,10 @@ export const syncIntegrationSecrets = async ({ integrationAuth: TIntegrationAuths; secrets: Record; accessId: string | null; + awsAssumeRoleArn: string | null; accessToken: string; appendices?: { prefix: string; suffix: string }; + projectId?: string; }) => { let response: { isSynced: boolean; syncMessage: string } | null = null; @@ -3620,7 +3664,9 @@ export const syncIntegrationSecrets = async ({ integration, secrets, accessId, - accessToken + accessToken, + awsAssumeRoleArn, + projectId }); break; case Integrations.HEROKU: diff --git a/backend/src/services/integration/integration-dal.ts b/backend/src/services/integration/integration-dal.ts index bada253c59..7c3a421a5c 100644 --- a/backend/src/services/integration/integration-dal.ts +++ b/backend/src/services/integration/integration-dal.ts @@ -120,7 +120,10 @@ export const integrationDALFactory = (db: TDbClient) => { db.ref("accessExpiresAt").withSchema(TableName.IntegrationAuth).as("accessExpiresAtAu"), db.ref("metadata").withSchema(TableName.IntegrationAuth).as("metadataAu"), db.ref("algorithm").withSchema(TableName.IntegrationAuth).as("algorithmAu"), - db.ref("keyEncoding").withSchema(TableName.IntegrationAuth).as("keyEncodingAu") + db.ref("keyEncoding").withSchema(TableName.IntegrationAuth).as("keyEncodingAu"), + db.ref("awsAssumeIamRoleArnCipherText").withSchema(TableName.IntegrationAuth), + db.ref("awsAssumeIamRoleArnIV").withSchema(TableName.IntegrationAuth), + db.ref("awsAssumeIamRoleArnTag").withSchema(TableName.IntegrationAuth) ); return docs.map( ({ 
@@ -146,6 +149,9 @@ export const integrationDALFactory = (db: TDbClient) => { algorithmAu: algorithm, keyEncodingAu: keyEncoding, accessExpiresAtAu: accessExpiresAt, + awsAssumeIamRoleArnIV, + awsAssumeIamRoleArnCipherText, + awsAssumeIamRoleArnTag, ...el }) => ({ ...el, @@ -174,7 +180,10 @@ export const integrationDALFactory = (db: TDbClient) => { metadata, algorithm, keyEncoding, - accessExpiresAt + accessExpiresAt, + awsAssumeIamRoleArnIV, + awsAssumeIamRoleArnCipherText, + awsAssumeIamRoleArnTag } }) ); diff --git a/backend/src/services/secret/secret-queue.ts b/backend/src/services/secret/secret-queue.ts index ac27d912f7..afcb3a6bd8 100644 --- a/backend/src/services/secret/secret-queue.ts +++ b/backend/src/services/secret/secret-queue.ts @@ -525,6 +525,18 @@ export const secretQueueFactory = ({ const botKey = await projectBotService.getBotKey(projectId); const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(integrationAuth, botKey); + const awsAssumeRoleArn = + integrationAuth.awsAssumeIamRoleArnTag && + integrationAuth.awsAssumeIamRoleArnIV && + integrationAuth.awsAssumeIamRoleArnCipherText + ? decryptSymmetric128BitHexKeyUTF8({ + ciphertext: integrationAuth.awsAssumeIamRoleArnCipherText, + iv: integrationAuth.awsAssumeIamRoleArnIV, + tag: integrationAuth.awsAssumeIamRoleArnTag, + key: botKey + }) + : null; + const secrets = await getIntegrationSecrets({ environment, projectId, @@ -544,6 +556,8 @@ export const secretQueueFactory = ({ } try { + // akhilmhdh: this needs to changed later to be more easier to use + // at present this is not at all extendable like to add a new parameter for just one integration need to modify multiple places const response = await syncIntegrationSecrets({ createManySecretsRawFn, updateManySecretsRawFn, 
@@ -552,7 +566,9 @@ export const secretQueueFactory = ({ integrationAuth, secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets, accessId: accessId as string, + awsAssumeRoleArn, accessToken, + projectId, appendices: { prefix: metadata?.secretPrefix || "", suffix: metadata?.secretSuffix || "" diff --git a/docs/images/integrations/aws/integration-aws-iam-assume-arn.png b/docs/images/integrations/aws/integration-aws-iam-assume-arn.png new file mode 100644 index 0000000000..1c36fc1517 Binary files /dev/null and b/docs/images/integrations/aws/integration-aws-iam-assume-arn.png differ diff --git a/docs/images/integrations/aws/integration-aws-iam-assume-permission.png b/docs/images/integrations/aws/integration-aws-iam-assume-permission.png new file mode 100644 index 0000000000..0fb8d493db Binary files /dev/null and b/docs/images/integrations/aws/integration-aws-iam-assume-permission.png differ diff --git a/docs/images/integrations/aws/integration-aws-iam-assume-role.png b/docs/images/integrations/aws/integration-aws-iam-assume-role.png new file mode 100644 index 0000000000..29094b060c Binary files /dev/null and b/docs/images/integrations/aws/integration-aws-iam-assume-role.png differ diff --git a/docs/images/integrations/aws/integration-aws-iam-assume-select.png b/docs/images/integrations/aws/integration-aws-iam-assume-select.png new file mode 100644 index 0000000000..63c5d2b01c Binary files /dev/null and b/docs/images/integrations/aws/integration-aws-iam-assume-select.png differ diff --git a/docs/images/integrations/aws/integrations-aws-secret-manager-auth.png b/docs/images/integrations/aws/integrations-aws-secret-manager-auth.png index cc17097e16..ae83fcf9a4 100644 Binary files a/docs/images/integrations/aws/integrations-aws-secret-manager-auth.png and b/docs/images/integrations/aws/integrations-aws-secret-manager-auth.png differ 
diff --git a/docs/integrations/cloud/aws-secret-manager.mdx b/docs/integrations/cloud/aws-secret-manager.mdx index 9b3a8a2f83..64df1df321 100644 --- a/docs/integrations/cloud/aws-secret-manager.mdx +++ b/docs/integrations/cloud/aws-secret-manager.mdx 
@@ -3,6 +3,156 @@ title: "AWS Secrets Manager" description: "Learn how to sync secrets from Infisical to AWS Secrets Manager." --- + + +Infisical will assume the provided role in your AWS account securely, without the need to share any credentials. + +Prerequisites: + +- Set up and add envars to [Infisical Cloud](https://app.infisical.com) + + + To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration. + +If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2. + +The following steps are for instances not deployed on AWS + + + Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console. + + + Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles: +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowAssumeAnyRole", + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::*:role/*" + } + ] +} +``` + + + Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys. + + ![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png) + ![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png) + ![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png) + + + 1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**. + 2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**. + + + + + + + 1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console. + ![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png) + + 2. 
Select **AWS Account** as the **Trusted Entity Type**. + 3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead. + 4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security. + + + + ![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png) + Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager: + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSecretsManagerAccess", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DescribeSecret", + "secretsmanager:TagResource", + "secretsmanager:UntagResource", + "kms:ListKeys", + "kms:ListAliases", + "kms:Encrypt", + "kms:Decrypt" + ], + "Resource": "*" + } + ] + } + ``` + + + + ![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png) + + + + 1. Navigate to your project's integrations tab in Infisical. + 2. Click on the **AWS Secrets Manager** tile. + ![Select AWS Secrets Manager](../../images/integrations.png) + + 3. Select the **AWS Assume Role** option. + ![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png) + + 4. Provide the **AWS IAM Role ARN** obtained from the previous step. + + Select how you want to integration to work by specifying a number of parameters: + + + The environment in Infisical from which you want to sync secrets to AWS Secrets Manager. + + + The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager. + + + The region that you want to integrate with in AWS Secrets Manager. + + + How you want the integration to map the secrets. 
The selected value could be either one to one or one to many. + + + The secret name/path in AWS into which you want to sync the secrets from Infisical. + + + ![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png) + + Optionally, you can add tags or specify the encryption key of all the secrets created via this integration: + + + The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API. + + + The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it. + + ![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png) + + Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager. + + + Infisical currently syncs environment variables to AWS Secrets Manager as + key-value pairs under one secret. We're actively exploring ways to help users + group environment variable key-pairs under multiple secrets for greater + control. + + + Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days. + + + + + + +Infisical will access your account using the provided AWS access key and secret key. + Prerequisites: - Set up and add envars to [Infisical Cloud](https://app.infisical.com) 
@@ -51,13 +201,13 @@ Prerequisites: ![access key 2](../../images/integrations/aws/integrations-aws-access-key-2.png) ![access key 3](../../images/integrations/aws/integrations-aws-access-key-3.png) - Navigate to your project's integrations tab in Infisical. - - ![integrations](../../images/integrations.png) - - Press on the AWS Secrets Manager tile and input your AWS access key ID and secret access key from the previous step. + 1. Navigate to your project's integrations tab in Infisical. + 2. Click on the **AWS Secrets Manager** tile. + ![Select AWS Secrets Manager](../../images/integrations.png) - ![integration auth](../../images/integrations/aws/integrations-aws-secret-manager-auth.png) + 3. Select the **Access Key** option for Authentication Mode. + ![Select Access Key](../../images/integrations/aws/integrations-aws-secret-manager-auth.png) + 4. Provide the **access key** and **secret key** for the AWS Iam User. @@ -105,3 +255,5 @@ Prerequisites: + + diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx index 754409dfeb..09eb86647b 100644 --- a/docs/self-hosting/configuration/envars.mdx +++ b/docs/self-hosting/configuration/envars.mdx @@ -445,6 +445,16 @@ To help you sync secrets from Infisical to services such as Github and Gitlab, I + + + The AWS IAM User access key for assuming roles. + + + + The AWS IAM User secret key for assuming roles. + + + OAuth2 client id for Azure integration diff --git a/frontend/src/hooks/api/integrationAuth/queries.tsx b/frontend/src/hooks/api/integrationAuth/queries.tsx index d800e53130..45ac90a846 100644 --- a/frontend/src/hooks/api/integrationAuth/queries.tsx +++ b/frontend/src/hooks/api/integrationAuth/queries.tsx @@ -802,6 +802,7 @@ export const useSaveIntegrationAccessToken = () => { refreshToken, accessId, accessToken, + awsAssumeIamRoleArn, url, namespace }: { 
@@ -810,6 +811,7 @@ export const useSaveIntegrationAccessToken = () => {
 refreshToken?: string;
 accessId?: string;
 accessToken?: string;
+ awsAssumeIamRoleArn?: string;
 url?: string;
 namespace?: string;
 }) => {
@@ -821,6 +823,7 @@ export const useSaveIntegrationAccessToken = () => {
 refreshToken,
 accessId,
 accessToken,
+ awsAssumeIamRoleArn,
 url,
 namespace
 });
diff --git a/frontend/src/pages/integrations/aws-secret-manager/authorize.tsx b/frontend/src/pages/integrations/aws-secret-manager/authorize.tsx
index c901d0a569..c330d60c47 100644
--- a/frontend/src/pages/integrations/aws-secret-manager/authorize.tsx
+++ b/frontend/src/pages/integrations/aws-secret-manager/authorize.tsx
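Review bot: In the parameter type of the `@@ -810,6 +811,7 @@` hunk in queries.tsx, `awsAssumeIamRoleArn?: string` is added as one more optional field next to `accessId?` and `accessToken?`, so the type accepts a static key pair and a role ARN in the same call, or neither of them. The caller visible on this page sends exactly one of the two, which suggests they are meant to be exclusive, but nothing here records that. I would document it on the field, e.g. `/** ARN of the IAM role to assume; sent instead of accessId/accessToken, never alongside them */`, and have the server reject a request carrying both (the server side is not visible here, so confirm). The same field is threaded through the `@@ -802` and `@@ -821` hunks; the enclosing hook starts and ends outside all three.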
@@ -1,54 +1,70 @@ -import { useState } from "react"; +import { Controller, useForm } from "react-hook-form"; import Head from "next/head"; import Image from "next/image"; import Link from "next/link"; import { useRouter } from "next/router"; import { faArrowUpRightFromSquare, faBookOpen } from "@fortawesome/free-solid-svg-icons"; import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"; +import { zodResolver } from "@hookform/resolvers/zod"; +import { z } from "zod"; +import { + Button, + Card, + CardBody, + CardTitle, + FormControl, + Input, + Select, + SelectItem +} from "@app/components/v2"; import { useSaveIntegrationAccessToken } from "@app/hooks/api"; -import { Button, Card, CardTitle, FormControl, Input } from "../../../components/v2"; +enum AwsAuthType { + AccessKey = "access-key", + AssumeRole = "assume-role" +} + +const formSchema = z.discriminatedUnion("type", [ + z.object({ + type: z.literal(AwsAuthType.AccessKey), + accessKey: z.string().min(1), + accessSecretKey: z.string().min(1) + }), + z.object({ + type: z.literal(AwsAuthType.AssumeRole), + iamRoleArn: z.string().min(1) + }) +]); + +type TForm = z.infer; export default function AWSSecretManagerCreateIntegrationPage() { const router = useRouter(); const { mutateAsync } = useSaveIntegrationAccessToken(); - const [isLoading, setIsLoading] = useState(false); - - const [accessKey, setAccessKey] = useState(""); - const [accessKeyErrorText, setAccessKeyErrorText] = useState(""); - const [accessSecretKey, setAccessSecretKey] = useState(""); - const [accessSecretKeyErrorText, setAccessSecretKeyErrorText] = useState(""); + const { control, handleSubmit, formState, watch } = useForm({ + resolver: zodResolver(formSchema), + defaultValues: { + type: AwsAuthType.AccessKey + } + }); + const formAwsAuthTypeField = watch("type"); - const handleButtonClick = async () => { + const handleFormSubmit = async (data: TForm) => { try { - setAccessKeyErrorText(""); - setAccessSecretKeyErrorText(""); - - if 
(accessKey.length === 0) { - setAccessKeyErrorText("Access key cannot be blank"); - return; - } - - if (accessSecretKey.length === 0) { - setAccessSecretKeyErrorText("Secret access key cannot be blank"); - return; - } - - setIsLoading(true); - const integrationAuth = await mutateAsync({ workspaceId: localStorage.getItem("projectData.id"), integration: "aws-secret-manager", - accessId: accessKey, - accessToken: accessSecretKey + ...(data.type === AwsAuthType.AssumeRole + ? { + awsAssumeIamRoleArn: data.iamRoleArn + } + : { + accessId: data.accessKey, + accessToken: data.accessSecretKey + }) }); - - setAccessKey(""); - setAccessSecretKey(""); - setIsLoading(false); - router.push( `/integrations/aws-secret-manager/create?integrationAuthId=${integrationAuth.id}` ); @@ -69,7 +85,7 @@ export default function AWSSecretManagerCreateIntegrationPage() { subTitle="After adding the details below, you will be prompted to set up an integration for a particular Infisical project and environment." >
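Review bot: In the `@@ -1,54 +1,70 @@` hunk of authorize.tsx, the assume-role branch of `formSchema` validates the ARN only with `iamRoleArn: z.string().min(1)`, so whitespace or any non-ARN string is accepted and sent to the API. A shape check gives the user an immediate error, e.g. `iamRoleArn: z.string().trim().regex(/^arn:aws[a-z-]*:iam::\d{12}:role\/.+$/, "Enter a valid IAM role ARN")`. Separately, the form collects nothing but the role ARN. Whether the server-side AssumeRole call passes an ExternalId bound to the project is not visible in this hunk. If it does not, the customer's trust policy cannot tell which tenant asked Infisical to assume the role, so that is worth confirming before release. The `catch` of `handleFormSubmit` lies outside the hunk.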
-
+
- - setAccessKey(e.target.value)} /> - - - setAccessSecretKey(e.target.value)} - /> - - + +
+ ( + + + + )} + /> + {formAwsAuthTypeField === AwsAuthType.AccessKey ? ( + <> + ( + + + + )} + /> + ( + + + + )} + /> + + ) : ( + ( + + + + )} + /> + )} + + +
);