Security News
NIST Misses 2024 Deadline to Clear NVD Backlog
NIST has failed to meet its self-imposed deadline of clearing the NVD backlog by the end of the fiscal year. Meanwhile, CVEs awaiting analysis have increased by 33% since June.
@aws-sdk/credential-provider-web-identity
AWS credential provider that calls STS assumeRole for temporary AWS credentials
The @aws-sdk/credential-provider-web-identity npm package is designed to provide AWS credentials to your application by leveraging web identity tokens. This is particularly useful for applications that authenticate users through federated identity providers such as Amazon Cognito, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider. It simplifies the process of assuming an AWS IAM role by using the web identity token, allowing your application to access AWS services securely.
Creating credentials from web identity tokens
This feature allows you to create AWS credentials by providing a web identity token, the ARN of the role to assume, and a session name. It's particularly useful for serverless applications that rely on federated authentication.
const { fromWebToken } = require('@aws-sdk/credential-provider-web-identity');

// fromWebToken returns a credential provider (an async function), not credentials.
// Pass it as the `credentials` option of an SDK client; STS is called only when the
// client first needs credentials and again when they expire.
const credentials = fromWebToken({
  roleArn: 'arn:aws:iam::123456789012:role/WebIdentityRole',
  roleSessionName: 'web-identity-session',
  webIdentityToken: process.env.WEB_IDENTITY_TOKEN
});
The aws-sdk package (AWS SDK for JavaScript v2) bundles every service client together with its credential providers, including web identity support, in a single package. Compared to @aws-sdk/credential-provider-web-identity it is far more extensive, but correspondingly heavier for applications that only need credential management.
This package provides authentication capabilities for Amazon Cognito User Pools. It's similar to @aws-sdk/credential-provider-web-identity in that it deals with web identity and federated identities but is specifically tailored for Amazon Cognito, whereas @aws-sdk/credential-provider-web-identity is more generic and can work with any OpenID Connect compatible identity provider.
This module includes functions which get credentials by calling the STS AssumeRoleWithWebIdentity API.

The function fromTokenFile returns a CredentialProvider that reads its inputs as follows:

- webIdentityTokenFile, or the environment variable AWS_WEB_IDENTITY_TOKEN_FILE
- roleArn, or the environment variable AWS_ROLE_ARN
- roleSessionName, or the environment variable AWS_ROLE_SESSION_NAME

If no session name is defined, the provider generates one. The fromTokenFile function uses the roleAssumerWithWebIdentity option to get credentials.

Configuration Key | Environment Variable | Required | Description |
---|---|---|---|
webIdentityTokenFile | AWS_WEB_IDENTITY_TOKEN_FILE | true | File location of where the OIDC token is stored |
roleArn | AWS_ROLE_ARN | true | The IAM role wanting to be assumed |
roleSessionName | AWS_ROLE_SESSION_NAME | false | The IAM session name used to distinguish sessions |
The following options are supported:

- roleAssumerWithWebIdentity - A function that assumes a role with web identity and returns a promise fulfilled with credentials for the assumed role. You may call the sts:AssumeRoleWithWebIdentity API within this function.

A basic example of using fromTokenFile:
import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-web-identity";

const stsClient = new STSClient({});

// Custom role assumer: exchanges the web identity token for temporary credentials
// and maps the STS response onto the credential object shape the SDK expects.
const roleAssumerWithWebIdentity = async (params) => {
  const { Credentials } = await stsClient.send(
    new AssumeRoleWithWebIdentityCommand(params)
  );
  if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
    throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
  }
  return {
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  };
};

// FooClient stands in for any AWS SDK v3 service client.
const client = new FooClient({
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity,
  }),
});
The values can be defined in environment variables as follows:
$ node
> Object.fromEntries(Object.entries(process.env).filter(([key, value]) => key.startsWith("AWS_")));
{
AWS_WEB_IDENTITY_TOKEN_FILE: '/temp/token',
AWS_ROLE_ARN: 'arn:aws:iam::123456789012:role/example-role-arn'
}
The values can be defined in configuration keys as follows:
...
const client = new FooClient({
  credentials: fromTokenFile({
    webIdentityTokenFile: "/temp/token",
    roleArn: "arn:aws:iam::123456789012:role/example-role-arn",
    roleAssumerWithWebIdentity,
  }),
});
FAQs
The npm package @aws-sdk/credential-provider-web-identity receives a total of 15,871,918 weekly downloads. As such, @aws-sdk/credential-provider-web-identity popularity was classified as popular.
We found that @aws-sdk/credential-provider-web-identity demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.