feat(credential-provider-node): add support for web identity provider

[ejhayes]

Issue

Fixes #2148

Description

Adds default support for web identity credentials. This is useful when using this SDK with IAM Roles for Service accounts in EKS which set AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE behind the scenes. Without this the default behavior of the SDK is to use credentials from IMDS.

Testing

Tests have been updated.

Additional context

Additional updates include:

• Update README.md to include web identity params and default load order information (fixes typo)
• Set init param of fromTokenFile to optional. Default to the default web identity assume role function from client-sts if not provided

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[ejhayes]

@AllanZhengYP I'm a tad stumped on this particular error getting thrown. Looks like you ran into something similar in #2055. Unfortunately adding to noHoist doesn't seem to make a difference on the builds. Any thoughts would be greatly appreciated!

[AllanZhengYP]

Hi @ejhayes,

The original issue should already be fixed:

aws-sdk-js-v3/packages/credential-provider-ini/src/index.ts

Line 1 in b7729ab

import { AssumeRoleWithWebIdentityParams, fromTokenFile } from "@aws-sdk/credential-provider-web-identity";

Now the fromIni() should be able to resolve the EKS credentials already in the default node credential provider. Can you try with the latest client?

[ejhayes]

Thanks for the quick response @AllanZhengYP -- fromIni works as expected if an ini config file exists. What doesn't work though is setting these values as environment variables (which is done when using this with EKS):

const {getSignedUrl} = require("@aws-sdk/s3-request-presigner");
const {S3Client,GetObjectCommand} = require("@aws-sdk/client-s3");

getSignedUrl(new S3Client(), new GetObjectCommand({
    Bucket: 'mybucket',
    Key: 'somekey'
}), {
    expiresIn: 3600
}).then((url) => {
    console.log(url);
    console.log('Done');
})
.catch((err) => {
    console.log(err);
});

AWS_WEB_IDENTITY_TOKEN_FILE=token AWS_ROLE_ARN=arn:aws:iam::****:role/**** AWS_REGION=**** node test.js
Error: TimeoutError
    at ClientRequest.<anonymous> (****/node_modules/@aws-sdk/credential-provider-imds/dist/cjs/remoteProvider/httpRequest.js:17:20)
    at ClientRequest.emit (events.js:310:20)
    at Socket.emitRequestTimeout (_http_client.js:709:9)
    at Object.onceWrapper (events.js:416:28)
    at Socket.emit (events.js:322:22)
    at Socket._onTimeout (net.js:479:8)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7) {
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}

This works fine with the cli:

$ aws --version
aws-cli/2.1.28 Python/3.9.2 Darwin/20.3.0 source/x86_64 prompt/off
$ AWS_WEB_IDENTITY_TOKEN_FILE=token AWS_ROLE_ARN=arn:aws:iam::****:role/**** AWS_REGION=**** aws s3 presign s3://mybucket/somekey
https://mybucket.s3.****.amazonaws.com/somekey?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA****%2Fs3%2Faws4_request&X-Amz-Date=****&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=****&X-Amz-Signature=****

[carlosescura]

Same issue here, we can't have our code to seamlessly work between local environments and EKS because of the lack of "auto-config" using ENV vars.

[AllanZhengYP]

The reason to the failed CI is from the circular dependency you introduced in the credential-provider-web-identity package. I provided some explanation for why it's the case and how to fix it.

[codecov-commenter]

Codecov Report

❗ No coverage uploaded for pull request base (main@2384e24). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2260   +/-   ##
=======================================
  Coverage        ?   60.06%           
=======================================
  Files           ?      472           
  Lines           ?    24838           
  Branches        ?     5883           
=======================================
  Hits            ?    14918           
  Misses          ?     9920           
  Partials        ?        0           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2384e24...e00022d. Read the comment docs.

[aws-sdk-js-automation]

AWS CodeBuild CI Report

• CodeBuild project: sdk-staging-test
• Commit ID: 7d6792c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[ejhayes]

Thanks for the input @AllanZhengYP! Looks like all tests are passing now

[ejhayes]

#2177

[ejhayes]

@AllanZhengYP Is this something that could be merged in? Would be great to have this functionality supported in the default credential provider!

[ejhayes]

Hey @trivikr or @AllanZhengYP -- any way these changes could be merged in? Would be great to have this SDK working in EKS using the environment variables that are automatically set rather than having to create a config file!

[AllanZhengYP]

@ejhayes This looks awesome. 🚢 Thank you a lot for the contribution!

[ejhayes]

Thanks @AllanZhengYP! Looks like this is still blocked from merging. What else is needed to merge these changes in?

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.