What is @aws-sdk/credential-provider-node?
The @aws-sdk/credential-provider-node package provides a way to retrieve AWS credentials from various sources within a Node.js environment. It is part of the AWS SDK for JavaScript (v3) and is designed to work seamlessly with other AWS SDK modules to authenticate requests made to AWS services.
What are @aws-sdk/credential-provider-node's main functionalities?
Loading credentials from environment variables
This feature allows the retrieval of AWS credentials set in environment variables. It is useful when deploying applications on platforms where setting environment variables is the standard way to pass configuration.
const { fromEnv } = require('@aws-sdk/credential-provider-node');
const credentials = fromEnv();
Loading credentials from the shared credentials file
This feature enables the use of AWS credentials stored in the shared credentials file, typically located at ~/.aws/credentials. It is helpful for developers working locally or on EC2 instances with assigned IAM roles.
const { fromIni } = require('@aws-sdk/credential-provider-node');
const credentials = fromIni({ profile: 'my-profile' });
Loading credentials from EC2 Instance Metadata Service
This feature is for retrieving AWS credentials from the EC2 Instance Metadata Service. It is particularly useful for applications running on EC2 instances where IAM roles are used for granting permissions.
const { fromInstanceMetadata } = require('@aws-sdk/credential-provider-node');
const credentials = fromInstanceMetadata();
Loading credentials from ECS Container Metadata Service
This feature fetches AWS credentials from the ECS Container Metadata Service. It is intended for applications running in Amazon ECS containers with Task Roles.
const { fromContainerMetadata } = require('@aws-sdk/credential-provider-node');
const credentials = fromContainerMetadata();
Loading credentials from SSO
This feature allows the loading of AWS credentials via AWS Single Sign-On (SSO). It is useful for users who authenticate through SSO to access multiple AWS accounts.
const { fromSSO } = require('@aws-sdk/credential-provider-node');
const credentials = fromSSO();
Other packages similar to @aws-sdk/credential-provider-node
aws-sdk
The aws-sdk package is the previous version of the AWS SDK for JavaScript. It includes credential providers as part of its core, but it is not as modular as @aws-sdk/credential-provider-node, which allows for more flexible and lightweight installations.
aws-credentials
The aws-credentials package is another tool for managing AWS credentials. It is not as comprehensive or officially supported as @aws-sdk/credential-provider-node, and it may not integrate as seamlessly with the AWS SDK.
aws-profile-utils
aws-profile-utils is a utility package for managing AWS profiles and credentials. While it provides some similar functionalities, it is not as focused on credential retrieval for SDK usage and does not provide the same level of integration with AWS SDK services.
@aws-sdk/credential-provider-node
AWS Credential Provider for Node.JS
This module provides a factory function, fromEnv
, that will attempt to source
AWS credentials from a Node.JS environment. It will attempt to find credentials
from the following sources (listed in order of precedence):
- Environment variables exposed via
process.env
- SSO credentials from token cache
- Web identity token credentials
- Shared credentials and config ini files
- The EC2/ECS Instance Metadata Service
The default credential provider will invoke one provider at a time and only
continue to the next if no credentials have been located. For example, if the
process finds values defined via the AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCESS_KEY
environment variables, the files at ~/.aws/credentials
and ~/.aws/config
will not be read, nor will any messages be sent to the
Instance Metadata Service.
If invalid configuration is encountered (such as a profile in
~/.aws/credentials
specifying as its source_profile
the name of a profile
that does not exist), then the chained provider will be rejected with an error
and will not invoke the next provider in the list.
IMPORTANT: if you intend to acquire credentials using EKS
IAM Roles for Service Accounts
then you must explicitly specify a value for roleAssumerWithWebIdentity
. There is a
default function available in @aws-sdk/client-sts
package. An example of using
this:
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { defaultProvider } = require("@aws-sdk/credential-provider-node");
const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3");
const provider = defaultProvider({
roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(),
});
const client = new S3Client({ credentialDefaultProvider: provider });
IMPORTANT: We provide a wrapper of this provider in @aws-sdk/credential-providers
package to save you from importing getDefaultRoleAssumerWithWebIdentity()
or
getDefaultRoleAssume()
from STS package. Similarly, you can do:
const { fromNodeProviderChain } = require("@aws-sdk/credential-providers");
const credentials = fromNodeProviderChain();
const client = new S3Client({ credentials });
Supported configuration
You may customize how credentials are resolved by providing an options hash to
the defaultProvider
factory function. The following options are
supported:
profile
- The configuration profile to use. If not specified, the provider
will use the value in the AWS_PROFILE
environment variable or a default of
default
.filepath
- The path to the shared credentials file. If not specified, the
provider will use the value in the AWS_SHARED_CREDENTIALS_FILE
environment
variable or a default of ~/.aws/credentials
.configFilepath
- The path to the shared config file. If not specified, the
provider will use the value in the AWS_CONFIG_FILE
environment variable or a
default of ~/.aws/config
.mfaCodeProvider
- A function that returns a a promise fulfilled with an
MFA token code for the provided MFA Serial code. If a profile requires an MFA
code and mfaCodeProvider
is not a valid function, the credential provider
promise will be rejected.roleAssumer
- A function that assumes a role and returns a promise
fulfilled with credentials for the assumed role. If not specified, the SDK
will create an STS client and call its assumeRole
method.roleArn
- ARN to assume. If not specified, the provider will use the value
in the AWS_ROLE_ARN
environment variable.webIdentityTokenFile
- File location of where the OIDC
token is stored.
If not specified, the provider will use the value in the AWS_WEB_IDENTITY_TOKEN_FILE
environment variable.roleAssumerWithWebIdentity
- A function that assumes a role with web identity and
returns a promise fulfilled with credentials for the assumed role.timeout
- The connection timeout (in milliseconds) to apply to any remote
requests. If not specified, a default value of 1000
(one second) is used.maxRetries
- The maximum number of times any HTTP connections should be
retried. If not specified, a default value of 0
will be used.
Related packages: