@aws-sdk/credential-provider-web-identity
Advanced tools
Package description
The @aws-sdk/credential-provider-web-identity npm package is designed to provide AWS credentials to your application by leveraging web identity tokens. This is particularly useful for applications that authenticate users through federated identity providers such as Amazon Cognito, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider. It simplifies the process of assuming an AWS IAM role by using the web identity token, allowing your application to access AWS services securely.
Creating credentials from web identity tokens
This feature allows you to create AWS credentials by providing a web identity token, the ARN of the role to assume, and a session name. It's particularly useful for serverless applications that rely on federated authentication.
const { fromWebToken } = require('@aws-sdk/credential-provider-web-identity');
const credentials = fromWebToken({
roleArn: 'arn:aws:iam::123456789012:role/WebIdentityRole',
roleSessionName: 'web-identity-session',
webIdentityToken: process.env.WEB_IDENTITY_TOKEN
});The AWS SDK for JavaScript is a comprehensive package that includes support for creating credentials from web identity tokens, among many other AWS services. Compared to @aws-sdk/credential-provider-web-identity, the aws-sdk package is more extensive, offering a wide range of AWS services and not just credential provision. However, it might be heavier for applications that only require credential management.
This package provides authentication capabilities for Amazon Cognito User Pools. It's similar to @aws-sdk/credential-provider-web-identity in that it deals with web identity and federated identities but is specifically tailored for Amazon Cognito, whereas @aws-sdk/credential-provider-web-identity is more generic and can work with any OpenID Connect compatible identity provider.
Changelog
Readme
This module includes functions which get credentials by calling STS assumeRoleWithWebIdentity API.
The function fromWebToken returns CredentialProvider that get credentials calling sts:assumeRoleWithWebIdentity
API via roleAssumerWithWebIdentity.
This configuration supports all the input parameters from sts:AssumeWithWebIdentity API. The following options are supported:
roleArn - The Amazon Resource Name (ARN) of the role that the caller is assuming.webIdentityToken - The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider.roleSessionName - An identifier for the assumed role session.providerId - The fully qualified host component of the domain name of the identity provider. Do not specify this
value for OpenID Connect ID tokens.policyArns - The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session
policies.policy - An IAM policy in JSON format that you want to use as an inline session policy.durationSeconds - The duration, in seconds, of the role session. Default to 3600.roleAssumerWithWebIdentity - A function that assumes a role with web identity
and returns a promise fulfilled with credentials for the assumed role. You may call
sts:assumeRoleWithWebIdentity API within this function.You can directly configure individual identity providers to access AWS resources using web identity federation. AWS currently supports authenticating users using web identity federation through several identity providers:
You must first register your application with the providers that your application supports. Next, create an IAM role and set up permissions for it. The IAM role you create is then used to grant the permissions you configured for it through the respective identity provider. For example, you can set up a role that allows users who logged in through Facebook to have read access to a specific Amazon S3 bucket you control.
After you have both an IAM role with configured privileges and an application registered with your chosen identity providers, you can set up the SDK to get credentials for the IAM role using helper code, as follows:
import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
import { fromWebToken } from "@aws-sdk/credential-provider-web-identity";
const stsClient = new STSClient({});
const roleAssumerWithWebIdentity = async (params) => {
const { Credentials } = await stsClient.send(
new AssumeRoleWithWebIdentityCommand(params)
);
if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
}
return {
accessKeyId: Credentials.AccessKeyId,
secretAccessKey: Credentials.SecretAccessKey,
sessionToken: Credentials.SessionToken,
expiration: Credentials.Expiration,
};
};
const dynamodb = new DynamoDBClient({
region,
credentials: fromWebToken({
roleArn: 'arn:aws:iam::<AWS_ACCOUNT_ID>/:role/<WEB_IDENTITY_ROLE_NAME>',
providerId: 'graph.facebook.com|www.amazon.com', // this is null for Google
webIdentityToken: ACCESS_TOKEN // from OpenID token identity provider
roleAssumerWithWebIdentity,
})
});
The value in the ProviderId parameter depends on the specified identity provider. The value in the WebIdentityToken parameter is the access token retrieved from a successful login with the identity provider. For more information on how to configure and retrieve access tokens for each identity provider, see the documentation for the identity provider.
The function fromTokenFile returns CredentialProvider that reads credentials as follows:
webIdentityTokenFile or environment variable AWS_WEB_IDENTITY_TOKEN_FILE.roleArn or environment variable AWS_ROLE_ARN.roleSessionName or environment variable AWS_ROLE_SESSION_NAME.
If session name is not defined, it comes up with a role session name.roleAssumerWithWebIdentity option to get credentials.| Configuration Key | Environment Variable | Required | Description |
|---|---|---|---|
| webIdentityTokenFile | AWS_WEB_IDENTITY_TOKEN_FILE | true | File location of where the OIDC token is stored |
| roleArn | AWS_IAM_ROLE_ARN | true | The IAM role wanting to be assumed |
| roleSessionName | AWS_IAM_ROLE_SESSION_NAME | false | The IAM session name used to distinguish sessions |
The following options are supported:
roleAssumerWithWebIdentity - A function that assumes a role with web identity
and returns a promise fulfilled with credentials for the assumed role. You may call
sts:assumeRoleWithWebIdentity API within this function.A basic example of using fromTokenFile:
import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
import { fromTokenFile } from "@aws-sdk/credential-provider-web-identity";
const stsClient = new STSClient({});
const roleAssumerWithWebIdentity = async (params) => {
const { Credentials } = await stsClient.send(
new AssumeRoleWithWebIdentityCommand(params)
);
if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
}
return {
accessKeyId: Credentials.AccessKeyId,
secretAccessKey: Credentials.SecretAccessKey,
sessionToken: Credentials.SessionToken,
expiration: Credentials.Expiration,
};
};
const client = new FooClient({
credentials: fromTokenFile({
roleAssumerWithWebIdentity
});
});
The values can be defined in environment variables as follows:
$ node
> Object.fromEntries(Object.entries(process.env).filter(([key, value]) => key.startsWith("AWS_")));
{
AWS_WEB_IDENTITY_TOKEN_FILE: '/temp/token',
AWS_ROLE_ARN: 'arn:aws:iam::123456789012:role/example-role-arn'
}
The values can be defined in configuration keys as follows:
...
const client = new FooClient({
credentials: fromTokenFile({
webIdentityTokenFile: "/temp/token",
roleArn: "arn:aws:iam::123456789012:role/example-role-arn",
roleAssumerWithWebIdentity
});
});
FAQs
Unknown package
We found that @aws-sdk/credential-provider-web-identity demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.
Security News
Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.