@aws-sdk/credential-providers
A collection of all credential providers, with default clients.
Table of Contents
- From Cognito Identity
- From Cognito Identity Pool
- From Temporary Credentials
- From Web Token
- Examples
- From Token File
- From Instance and Container Metadata Service
- From HTTP(S)
- From Shared INI files
- Sample Files
- From Environmental Variables
- From Credential Process
- Sample files
- From Single Sign-On Service
- Supported Configuration
- SSO login with AWS CLI
- Sample Files
- From Node.js default credentials provider chain
fromCognitoIdentity()
- Uses
@aws-sdk/client-cognito-identity
- Available in browsers & native apps
The function fromCognitoIdentity()
returns CredentialsProvider
that retrieves credentials for
the provided identity ID. See GetCredentialsForIdentity API
for more information.
import { fromCognitoIdentity } from "@aws-sdk/credential-providers";
const client = new FooClient({
region,
credentials: fromCognitoIdentity({
identityId: "us-east-1:128d0a74-c82f-4553-916d-90053example",
customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity",
logins: {
"graph.facebook.com": "FBTOKEN",
"www.amazon.com": "AMAZONTOKEN",
"accounts.google.com": "GOOGLETOKEN",
"api.twitter.com": "TWITTERTOKEN'",
"www.digits.com": "DIGITSTOKEN",
},
clientConfig: { region },
}),
});
fromCognitoIdentityPool()
- Uses
@aws-sdk/client-cognito-identity
- Available in browsers & native apps
The function fromCognitoIdentityPool()
returns AwsCredentialIdentityProvider
that calls GetId API
to obtain an identityId
, then generates temporary AWS credentials with
GetCredentialsForIdentity API, see
fromCognitoIdentity()
.
Results from GetId
are cached internally, but results from GetCredentialsForIdentity
are not.
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";
const client = new FooClient({
region,
credentials: fromCognitoIdentityPool({
identityPoolId: "us-east-1:1699ebc0-7900-4099-b910-2df94f52a030",
accountId: "123456789",
cache: custom_storage,
userIdentifier: "user_0",
customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity",
logins: {
"graph.facebook.com": "FBTOKEN",
"www.amazon.com": "AMAZONTOKEN",
"accounts.google.com": "GOOGLETOKEN",
"api.twitter.com": "TWITTERTOKEN",
"www.digits.com": "DIGITSTOKEN",
},
clientConfig: { region },
}),
});
fromTemporaryCredentials()
- Uses
@aws-sdk/client-sts
- Available in browsers & native apps
The function fromTemporaryCredentials
returns AwsCredentialIdentityProvider
that retrieves temporary
credentials from STS AssumeRole API.
import { fromTemporaryCredentials } from "@aws-sdk/credential-providers";
const client = new FooClient({
region,
credentials: fromTemporaryCredentials({
masterCredentials: fromTemporaryCredentials({
params: { RoleArn: "arn:aws:iam::1234567890:role/RoleA" },
}),
params: {
RoleArn: "arn:aws:iam::1234567890:role/RoleB",
RoleSessionName: "aws-sdk-js-123",
DurationSeconds: 3600,
},
clientConfig: { region },
mfaCodeProvider: async (mfaSerial) => {
return "token";
},
}),
});
fromWebToken()
- Uses
@aws-sdk/client-sts
- Available in browsers & native apps
The function fromWebToken
returns AwsCredentialIdentityProvider
that gets credentials calling
STS AssumeRoleWithWebIdentity API
import { fromWebToken } from "@aws-sdk/credential-providers";
const client = new FooClient({
region,
credentials: fromWebToken({
roleArn: "arn:aws:iam::1234567890:role/RoleA",
webIdentityToken: await openIdProvider(),
clientConfig: { region },
roleAssumerWithWebIdentity,
roleSessionName: "session_123",
providerId: "graph.facebook.com",
policyArns: [{ arn: "arn:aws:iam::1234567890:policy/SomePolicy" }],
policy: "JSON_STRING",
durationSeconds: 7200,
}),
});
Examples
You can directly configure individual identity providers to access AWS resources using web identity
federation. AWS currently supports authenticating users using web identity federation through
several identity providers:
You must first register your application with the providers that your application supports. Next,
create an IAM role and set up permissions for it. The IAM role you create is then used to grant the
permissions you configured for it through the respective identity provider. For example, you can set
up a role that allows users who logged in through Facebook to have read access to a specific Amazon
S3 bucket you control.
After you have both an IAM role with configured privileges and an application registered with your
chosen identity providers, you can set up the SDK to get credentials for the IAM role using helper
code, as follows:
The value in the ProviderId parameter depends on the specified identity provider. The value in the
WebIdentityToken parameter is the access token retrieved from a successful login with the identity
provider. For more information on how to configure and retrieve access tokens for each identity
provider, see the documentation for the identity provider.
fromContainerMetadata()
and fromInstanceMetadata()
- Not available in browsers & native apps
fromContainerMetadata
and fromInstanceMetadata
will create AwsCredentialIdentityProvider
functions that
read from the ECS container metadata service and the EC2 instance metadata service, respectively.
import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromInstanceMetadata({
timeout: 1000,
maxRetries: 0,
}),
});
import { fromContainerMetadata } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromContainerMetadata({
timeout: 1000,
maxRetries: 0,
}),
});
A AwsCredentialIdentityProvider
function created with fromContainerMetadata
will return a promise that will
resolve with credentials for the IAM role associated with containers in an Amazon ECS task. Please
see IAM Roles for Tasks for more information on using IAM roles with Amazon
ECS.
A AwsCredentialIdentityProvider
function created with fromInstanceMetadata
will return a promise that will
resolve with credentials for the IAM role associated with an EC2 instance.
Please see IAM Roles for Amazon EC2 for more information on using IAM roles
with Amazon EC2. Both IMDSv1 (a request/response method) and IMDSv2 (a session-oriented method) are
supported.
Please see Configure the instance metadata service for more information.
fromHttp()
- Available in browsers & native apps, without the EC2 and Container metadata components.
This creates a provider function that makes a GET
request to
any provided HTTPS URL. A limited set of HTTP destinations are also accepted.
This is a general form of the fromContainerMetadata
function.
The server is expected to respond with the following format in JSON:
type HttpProviderResponse = {
AccessKeyId: string;
SecretAccessKey: string;
Token: string;
AccountId?: string;
Expiration: string;
};
The acceptable non-HTTPS destinations are described in the validation error if encountered:
URL not accepted. It must either be HTTPS or match one of the following:
- loopback CIDR 127.0.0.0/8 or [::1/128]
- ECS container host 169.254.170.2
- EKS container host 169.254.170.23 or [fd00:ec2::23]
Node.js:
import { fromHttp } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromHttp({
awsContainerCredentialsFullUri: "...",
awsContainerCredentialsRelativeUri: "...",
awsContainerAuthorizationTokenFile: "...",
awsContainerAuthorizationToken: "...",
}),
});
If not provided in the JavaScript code, the following process envrionment variables will
be read:
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
AWS_CONTAINER_CREDENTIALS_FULL_URI
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
AWS_CONTAINER_AUTHORIZATION_TOKEN
Browsers:
import { fromHttp } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromHttp({
credentialsFullUri: "...",
authorizationToken: "...",
}),
});
fromIni()
- May use
@aws-sdk/client-sso
or @aws-sdk/client-sts
depending
on how the file is configured. - Not available in browsers & native apps.
fromIni
creates AwsCredentialIdentityProvider
functions that read from a shared credentials file at
~/.aws/credentials
and a shared configuration file at ~/.aws/config
. Both files are expected to
be INI formatted with section names corresponding to profiles. Sections in the credentials file are
treated as profile names, whereas profile sections in the config file must have the format of
[profile profile-name]
, except for the default profile. Please see the
sample files below for examples of well-formed configuration and credentials files.
Profiles that appear in both files will not be merged, and the version that appears in the
credentials file will be given precedence over the profile found in the config file.
import { fromIni } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromIni({
profile: "profile",
filepath: "~/.aws/credentials",
configFilepath: "~/.aws/config",
mfaCodeProvider: async (mfaSerial) => {
return "token";
},
clientConfig: { region },
}),
});
Sample files
~/.aws/credentials
[default]
aws_access_key_id=foo
aws_secret_access_key=bar
[dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2
~/.aws/config
[default]
aws_access_key_id=foo
aws_secret_access_key=bar
[profile dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2
profile with source profile
[second]
aws_access_key_id=foo
aws_secret_access_key=bar
[first]
source_profile=second
role_arn=arn:aws:iam::123456789012:role/example-role-arn
profile with source provider
You can supply credential_source
options to tell the SDK where to source credentials for the call
to AssumeRole
. The supported credential providers are listed below:
[default]
role_arn=arn:aws:iam::123456789012:role/example-role-arn
credential_source = Ec2InstanceMetadata
[default]
role_arn=arn:aws:iam::123456789012:role/example-role-arn
credential_source = Environment
[default]
role_arn=arn:aws:iam::123456789012:role/example-role-arn
credential_source = EcsContainer
profile with web_identity_token_file
[default]
web_identity_token_file=/temp/token
role_arn=arn:aws:iam::123456789012:role/example-role-arn
You can specify another profile(second
) whose credentials are used to assume the role by the
role_arn
setting in this profile(first
).
[second]
web_identity_token_file=/temp/token
role_arn=arn:aws:iam::123456789012:role/example-role-2
[first]
source_profile=second
role_arn=arn:aws:iam::123456789012:role/example-role
profile with sso credentials
See fromSSO()
for more information
fromEnv()
- Not available in browser & native apps
import { fromEnv } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromEnv(),
});
fromEnv
returns a AwsCredentialIdentityProvider
function, that reads credentials from the following
environment variables:
AWS_ACCESS_KEY_ID
- The access key for your AWS account.AWS_SECRET_ACCESS_KEY
- The secret key for your AWS account.AWS_SESSION_TOKEN
- The session key for your AWS account. This is only needed when you are using
temporary credentials.AWS_CREDENTIAL_EXPIRATION
- The expiration time of the credentials contained in the environment
variables described above. This value must be in a format compatible with the
ISO-8601 standard and is only needed when you are using temporary credentials.
If either the AWS_ACCESS_KEY_ID
or AWS_SECRET_ACCESS_KEY
environment variable is not set or
contains a falsy value, the promise returned by the fromEnv
function will be rejected.
fromProcess()
- Not available in browsers & native apps
import { fromProcess } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromProcess({
profile: "profile",
filepath: "~/.aws/credentials",
configFilepath: "~/.aws/config",
}),
});
fromSharedConfigFiles
creates a AwsCredentialIdentityProvider
functions that executes a given process and
attempt to read its standard output to receive a JSON payload containing the credentials. The
process command is read from a shared credentials file at ~/.aws/credentials
and a shared
configuration file at ~/.aws/config
. Both files are expected to be INI formatted with section
names corresponding to profiles. Sections in the credentials file are treated as profile names,
whereas profile sections in the config file must have the format of[profile profile-name]
, except
for the default profile. Please see the sample files below for examples of
well-formed configuration and credentials files.
Profiles that appear in both files will not be merged, and the version that appears in the
credentials file will be given precedence over the profile found in the config file.
Sample files
~/.aws/credentials
[default]
credential_process = /usr/local/bin/awscreds
[dev]
credential_process = /usr/local/bin/awscreds dev
~/.aws/config
[default]
credential_process = /usr/local/bin/awscreds
[profile dev]
credential_process = /usr/local/bin/awscreds dev
fromTokenFile()
- Uses
@aws-sdk/client-sts
- Not available in browsers & native apps
The function fromTokenFile
returns AwsCredentialIdentityProvider
that reads credentials as follows:
- Reads file location of where the OIDC token is stored from either provided option
webIdentityTokenFile
or environment variable AWS_WEB_IDENTITY_TOKEN_FILE
. - Reads IAM role wanting to be assumed from either provided option
roleArn
or environment
variable AWS_ROLE_ARN
. - Reads optional role session name to be used to distinguish sessions from provided option
roleSessionName
or environment variable AWS_ROLE_SESSION_NAME
. If session name is not defined,
it comes up with a role session name. - Reads OIDC token from file on disk.
- Calls sts:AssumeRoleWithWebIdentity via
roleAssumerWithWebIdentity
option to get credentials.
Configuration Key | Environment Variable | Required | Description |
---|
webIdentityTokenFile | AWS_WEB_IDENTITY_TOKEN_FILE | true | File location of where the OIDC token is stored |
roleArn | AWS_ROLE_ARN | true | The IAM role wanting to be assumed |
roleSessionName | AWS_ROLE_SESSION_NAME | false | The IAM session name used to distinguish sessions |
import { fromTokenFile } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromTokenFile({
clientConfig: { region }
});
});
fromSSO()
- Uses
@aws-sdk/client-sso
& @aws-sdk/client-sso-oidc
- Not available in browsers & native apps
This credential provider ONLY supports profiles using the SSO credential. If you have a
profile that assumes a role which derived from the SSO credential, you should use the
fromIni()
, or @aws-sdk/credential-provider-node
package.
fromSSO
, that creates AwsCredentialIdentityProvider
functions that read from the resolved access token
from local disk then requests temporary AWS credentials. For guidance on the AWS Single Sign-On
service, please refer to AWS's Single Sign-On documentation.
You can create the AwsCredentialIdentityProvider
functions using the inline SSO parameters(ssoStartUrl
,
ssoAccountId
, ssoRegion
, ssoRoleName
) or load them from
AWS SDKs and Tools shared configuration and credentials files.
Profiles in the credentials
file are given precedence over profiles in the config
file.
This credential provider is intended for use with the AWS SDK for Node.js.
Supported configuration
You may customize how credentials are resolved by providing an options hash to the fromSSO
factory
function. You can either load the SSO config from shared INI credential files, or specify the
ssoStartUrl
, ssoAccountId
, ssoRegion
, and ssoRoleName
directly from the code.
import { fromSSO } from "@aws-sdk/credential-providers";
const client = new FooClient({
credentials: fromSSO({
profile: "my-sso-profile",
filepath: "~/.aws/credentials",
configFilepath: "~/.aws/config",
ssoStartUrl: "https://d-abc123.awsapps.com/start",
ssoAccountId: "1234567890",
ssoRegion: "us-east-1",
ssoRoleName: "SampleRole",
clientConfig: { region },
}),
});
SSO Login with the AWS CLI
This credential provider relies on the AWS CLI to log into an AWS SSO session. Here's a
brief walk-through:
- Create a new AWS SSO enabled profile using the AWS CLI. It will ask you to login to your AWS SSO
account and prompt for the name of the profile:
$ aws configure sso
...
...
CLI profile name [123456789011_ReadOnly]: my-sso-profile<ENTER>
- Configure your SDK client with the SSO credential provider:
const client = new FooClient({ credentials: fromSSO({ profile: "my-sso-profile" })});
Alternatively, the SSO credential provider is supported in shared INI credentials provider
const client = new FooClient({ credentials: fromIni({ profile: "my-sso-profile" })});
- To log out from the current SSO session, use the AWS CLI:
$ aws sso logout
Successfully signed out of all SSO profiles.
Sample files
This credential provider is only applicable if the profile specified in shared configuration and
credentials files contain ALL of the following entries.
~/.aws/credentials
[sample-profile]
sso_account_id = 012345678901
sso_region = us-east-1
sso_role_name = SampleRole
sso_start_url = https://d-abc123.awsapps.com/start
~/.aws/config
[profile sample-profile]
sso_account_id = 012345678901
sso_region = us-east-1
sso_role_name = SampleRole
sso_start_url = https://d-abc123.awsapps.com/start
fromNodeProviderChain()
- May use
@aws-sdk/client-sts
, @aws-sdk/client-sso
, etc. depending on
which link in the chain finally resolves credentials. - Not available in browsers & native apps
The credential provider used as default in the Node.js clients, but with default role assumers so
you don't need to import them from STS client and supply them manually. You normally don't need
to use this explicitly in the client constructor. It is useful for utility functions requiring
credentials like S3 presigner, or RDS signer.
This credential provider will attempt to find credentials from the following sources (listed in
order of precedence):
This credential provider will invoke one provider at a time and only
continue to the next if no credentials have been located. For example, if
the process finds values defined via the AWS_ACCESS_KEY_ID
and
AWS_SECRET_ACCESS_KEY
environment variables, the files at
~/.aws/credentials
and ~/.aws/config
will not be read, nor will any
messages be sent to the Instance Metadata Service
import { fromNodeProviderChain } from "@aws-sdk/credential-providers";
const credentialProvider = fromNodeProviderChain({
clientConfig: { region },
});
You can specify the plugins--groups of middleware, to inject to the STS client.
For example, you can inject custom headers to each STS assume-role calls. It's
available in fromTemporaryCredentials()
,
fromWebToken()
, fromTokenFile()
, fromIni()
.
Code example:
const addConfusedDeputyMiddleware = (next) => (args) => {
args.request.headers["x-amz-source-account"] = account;
args.request.headers["x-amz-source-arn"] = sourceArn;
return next(args);
};
const confusedDeputyPlugin = {
applyToStack: (stack) => {
stack.add(addConfusedDeputyMiddleware, { step: "finalizeRequest" });
},
};
const provider = fromTemporaryCredentials({
params: {
RoleArn: "arn:aws:iam::1234567890:role/Role",
},
clientPlugins: [confusedDeputyPlugin],
});