@aws-sdk/credential-provider-node
Advanced tools
AWS credential provider that sources credentials from a Node.JS environment.
This module provides a factory function, defaultProvider, that will attempt to
source AWS credentials from a Node.JS environment. It will attempt to find
credentials from the following sources (listed in order of precedence):
process.envThe default credential provider will invoke one provider at a time and only
continue to the next if no credentials have been located. For example, if the
process finds values defined via the AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY environment variables, the files at ~/.aws/credentials
and ~/.aws/config will not be read, nor will any messages be sent to the
Instance Metadata Service.
If invalid configuration is encountered (such as a profile in
~/.aws/credentials specifying as its source_profile the name of a profile
that does not exist), then the chained provider will be rejected with an error
and will not invoke the next provider in the list.
IMPORTANT: if you intend to acquire credentials using EKS
IAM Roles for Service Accounts,
then you must explicitly specify a value for roleAssumerWithWebIdentity. There is a
default function available in @aws-sdk/client-sts package. An example of using
this:
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { defaultProvider } = require("@aws-sdk/credential-provider-node");
const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3");
const provider = defaultProvider({
roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
// You must explicitly pass a region if you are not using us-east-1
region: "eu-west-1",
}),
});
const client = new S3Client({ credentialDefaultProvider: provider });
IMPORTANT: We provide a wrapper of this provider in @aws-sdk/credential-providers
package to save you from importing getDefaultRoleAssumerWithWebIdentity() or
getDefaultRoleAssume() from STS package. Similarly, you can do:
const { fromNodeProviderChain } = require("@aws-sdk/credential-providers");
const credentials = fromNodeProviderChain();
const client = new S3Client({ credentials });
You may customize how credentials are resolved by providing an options hash to
the defaultProvider factory function. The following options are
supported:
profile - The configuration profile to use. If not specified, the provider
will use the value in the AWS_PROFILE environment variable or a default of
default.filepath - The path to the shared credentials file. If not specified, the
provider will use the value in the AWS_SHARED_CREDENTIALS_FILE environment
variable or a default of ~/.aws/credentials.configFilepath - The path to the shared config file. If not specified, the
provider will use the value in the AWS_CONFIG_FILE environment variable or a
default of ~/.aws/config.mfaCodeProvider - A function that returns a a promise fulfilled with an
MFA token code for the provided MFA Serial code. If a profile requires an MFA
code and mfaCodeProvider is not a valid function, the credential provider
promise will be rejected.roleAssumer - A function that assumes a role and returns a promise
fulfilled with credentials for the assumed role. If not specified, no role
will be assumed, and an error will be thrown.roleArn - ARN to assume. If not specified, the provider will use the value
in the AWS_ROLE_ARN environment variable.webIdentityTokenFile - File location of where the OIDC token is stored.
If not specified, the provider will use the value in the AWS_WEB_IDENTITY_TOKEN_FILE
environment variable.roleAssumerWithWebIdentity - A function that assumes a role with web identity and
returns a promise fulfilled with credentials for the assumed role.timeout - The connection timeout (in milliseconds) to apply to any remote
requests. If not specified, a default value of 1000 (one second) is used.maxRetries - The maximum number of times any HTTP connections should be
retried. If not specified, a default value of 0 will be used.The aws-sdk package is the previous version of the AWS SDK for JavaScript. It includes credential providers as part of its core, but it is not as modular as @aws-sdk/credential-provider-node, which allows for more flexible and lightweight installations.
The aws-credentials package is another tool for managing AWS credentials. It is not as comprehensive or officially supported as @aws-sdk/credential-provider-node, and it may not integrate as seamlessly with the AWS SDK.
aws-profile-utils is a utility package for managing AWS profiles and credentials. While it provides some similar functionalities, it is not as focused on credential retrieval for SDK usage and does not provide the same level of integration with AWS SDK services.
FAQs
AWS credential provider that sources credentials from a Node.JS environment.
The npm package @aws-sdk/credential-provider-node receives a total of 46,250,290 weekly downloads. As such, @aws-sdk/credential-provider-node popularity was classified as popular.
We found that @aws-sdk/credential-provider-node demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.
Security News
pnpm 11 turns on a 1-day Minimum Release Age and blocks exotic subdeps by default, adding safeguards against fast-moving supply chain attacks.
Security News
The remediated findings include organization permission bugs, stale project access after transfers, OIDC replay edge cases, audit logging gaps, and an IDOR in API token deletion.