import { chain, memoize, ProviderError } from "@aws-sdk/property-provider";
import { fromEnv } from "@aws-sdk/credential-provider-env";
import {
ENV_CMDS_FULL_URI,
ENV_CMDS_RELATIVE_URI,
fromContainerMetadata,
fromInstanceMetadata,
RemoteProviderInit
} from "@aws-sdk/credential-provider-imds";
import {
ENV_PROFILE,
fromIni,
FromIniInit
} from "@aws-sdk/credential-provider-ini";
import {
fromProcess,
FromProcessInit
} from "@aws-sdk/credential-provider-process";
import { CredentialProvider } from "@aws-sdk/types";
/**
 * Name of the environment variable that turns off EC2 Instance Metadata
 * Service lookups in `remoteProvider` below. The check there is a plain
 * truthiness test, so any non-empty value (including "false") disables IMDS.
 */
export const ENV_IMDS_DISABLED = "AWS_EC2_METADATA_DISABLED";
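/**
 * Creates a credential provider that will attempt to find credentials from the
 * following sources (listed in order of precedence):
 * * Environment variables exposed via `process.env`
 * * Shared credentials and config ini files
 * * A `credential_process` configured in the shared ini files
 * * The ECS Container Metadata Service, or the EC2 Instance Metadata Service
 *
 * The default credential provider will invoke one provider at a time and only
 * continue to the next if no credentials have been located. For example, if
 * the process finds values defined via the `AWS_ACCESS_KEY_ID` and
 * `AWS_SECRET_ACCESS_KEY` environment variables, the files at
 * `~/.aws/credentials` and `~/.aws/config` will not be read, nor will any
 * messages be sent to the Instance Metadata Service.
 *
 * When a profile is selected, either through `init.profile` or the
 * environment variable named by `ENV_PROFILE`, only the ini-file provider is
 * consulted; the environment, `credential_process` and metadata-service
 * sources are skipped entirely.
 *
 * The returned provider memoizes resolved credentials. Credentials that carry
 * an `expiration` (compared as epoch seconds against `getEpochTs`) are
 * treated as expired once fewer than five minutes remain, so a refresh is
 * attempted before they actually lapse. Credentials with no `expiration` are
 * never flagged for refresh (presumably cached for the lifetime of the
 * provider — confirm against `memoize`'s contract).
 *
 * @param init Configuration that is passed to each individual
 * provider
 * @returns A memoizing credential provider over the selected source(s)
 *
 * @see fromEnv The function used to source credentials from
 * environment variables
 * @see fromIni The function used to source credentials from INI
 * files
 * @see fromProcess The function used to source credentials from
 * credential_process in INI files
 * @see fromInstanceMetadata The function used to source credentials from the
 * EC2 Instance Metadata Service
 * @see fromContainerMetadata The function used to source credentials from the
 * ECS Container Metadata Service
 */
export function defaultProvider(
  init: FromIniInit & RemoteProviderInit & FromProcessInit = {}
): CredentialProvider {
  // Seconds of remaining validity below which credentials are refreshed early.
  const REFRESH_WINDOW_SECONDS = 300;

  // An explicit profile restricts resolution to the ini files only; the
  // destructuring default applies the env fallback only when init.profile is
  // undefined.
  const { profile = process.env[ENV_PROFILE] } = init;
  const providerChain = profile
    ? fromIni(init)
    : chain(fromEnv(), fromIni(init), fromProcess(init), remoteProvider(init));

  return memoize(
    providerChain,
    // isExpired: refresh once the credentials are within the window, so a
    // caller never receives a value that lapses mid-request.
    credentials =>
      credentials.expiration !== undefined &&
      credentials.expiration - getEpochTs() < REFRESH_WINDOW_SECONDS,
    // requiresRefresh: only credentials with an expiration are ever re-fetched.
    credentials => credentials.expiration !== undefined
  );
}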
/**
 * Current wall-clock time as whole seconds since the Unix epoch.
 *
 * `defaultProvider` subtracts this from `credentials.expiration`, so that
 * field is being treated as the same unit (epoch seconds).
 *
 * @returns Integer number of seconds, rounded down
 */
function getEpochTs(): number {
  const nowMillis = Date.now();
  const nowSeconds = nowMillis / 1000;
  return Math.floor(nowSeconds);
}
/**
 * Selects the metadata-service credential source for this environment.
 *
 * Container metadata (ECS) is chosen when either `ENV_CMDS_RELATIVE_URI` or
 * `ENV_CMDS_FULL_URI` is set. Otherwise EC2 instance metadata is used, unless
 * `ENV_IMDS_DISABLED` is set, in which case the returned provider rejects with
 * a `ProviderError` on every invocation. The disabled check is a plain
 * truthiness test: any non-empty value, including "false", disables IMDS.
 *
 * @param init Configuration forwarded to the chosen metadata provider
 * @returns A credential provider; in the disabled case the rejection is
 *   deferred until the provider is called rather than thrown here.
 */
function remoteProvider(init: RemoteProviderInit): CredentialProvider {
  const env = process.env;

  const containerConfigured =
    Boolean(env[ENV_CMDS_RELATIVE_URI]) || Boolean(env[ENV_CMDS_FULL_URI]);
  if (containerConfigured) {
    return fromContainerMetadata(init);
  }

  const imdsDisabled = Boolean(env[ENV_IMDS_DISABLED]);
  if (!imdsDisabled) {
    return fromInstanceMetadata(init);
  }

  return () =>
    Promise.reject(
      new ProviderError("EC2 Instance Metadata Service access disabled")
    );
}