chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,55 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsAssumeRoleWithSAMLContract } from '@/lib/api/contracts/tools/aws/sts-assume-role-with-saml'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { assumeRoleWithSAML, createUnauthenticatedSTSClient } from '../utils'
|
||||
|
||||
const logger = createLogger('STSAssumeRoleWithSAMLAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsAssumeRoleWithSAMLContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info(`Assuming role ${params.roleArn} with SAML`)
|
||||
|
||||
const client = createUnauthenticatedSTSClient(params.region)
|
||||
|
||||
try {
|
||||
const result = await assumeRoleWithSAML(
|
||||
client,
|
||||
params.roleArn,
|
||||
params.principalArn,
|
||||
params.samlAssertion,
|
||||
params.policyArns,
|
||||
params.policy,
|
||||
params.durationSeconds
|
||||
)
|
||||
|
||||
logger.info('Role assumed successfully with SAML')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to assume role with SAML', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to assume role with SAML: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,56 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsAssumeRoleWithWebIdentityContract } from '@/lib/api/contracts/tools/aws/sts-assume-role-with-web-identity'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { assumeRoleWithWebIdentity, createUnauthenticatedSTSClient } from '../utils'
|
||||
|
||||
const logger = createLogger('STSAssumeRoleWithWebIdentityAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsAssumeRoleWithWebIdentityContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info(`Assuming role ${params.roleArn} with web identity`)
|
||||
|
||||
const client = createUnauthenticatedSTSClient(params.region)
|
||||
|
||||
try {
|
||||
const result = await assumeRoleWithWebIdentity(
|
||||
client,
|
||||
params.roleArn,
|
||||
params.roleSessionName,
|
||||
params.webIdentityToken,
|
||||
params.providerId,
|
||||
params.policyArns,
|
||||
params.policy,
|
||||
params.durationSeconds
|
||||
)
|
||||
|
||||
logger.info('Role assumed successfully with web identity')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to assume role with web identity', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to assume role with web identity: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,63 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsAssumeRoleContract } from '@/lib/api/contracts/tools/aws/sts-assume-role'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { assumeRole, createSTSClient } from '../utils'
|
||||
|
||||
const logger = createLogger('STSAssumeRoleAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsAssumeRoleContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info(`Assuming role ${params.roleArn}`)
|
||||
|
||||
const client = createSTSClient({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
})
|
||||
|
||||
try {
|
||||
const result = await assumeRole(
|
||||
client,
|
||||
params.roleArn,
|
||||
params.roleSessionName,
|
||||
params.durationSeconds,
|
||||
params.policy,
|
||||
params.externalId,
|
||||
params.serialNumber,
|
||||
params.tokenCode,
|
||||
params.policyArns,
|
||||
params.tags,
|
||||
params.transitiveTagKeys
|
||||
)
|
||||
|
||||
logger.info('Role assumed successfully')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to assume role', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to assume role: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,51 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsGetAccessKeyInfoContract } from '@/lib/api/contracts/tools/aws/sts-get-access-key-info'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { createSTSClient, getAccessKeyInfo } from '../utils'
|
||||
|
||||
const logger = createLogger('STSGetAccessKeyInfoAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsGetAccessKeyInfoContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info(`Getting access key info for ${params.targetAccessKeyId}`)
|
||||
|
||||
const client = createSTSClient({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
})
|
||||
|
||||
try {
|
||||
const result = await getAccessKeyInfo(client, params.targetAccessKeyId)
|
||||
|
||||
logger.info('Access key info retrieved successfully')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to get access key info', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to get access key info: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,51 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsGetCallerIdentityContract } from '@/lib/api/contracts/tools/aws/sts-get-caller-identity'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { createSTSClient, getCallerIdentity } from '../utils'
|
||||
|
||||
const logger = createLogger('STSGetCallerIdentityAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsGetCallerIdentityContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info('Getting caller identity')
|
||||
|
||||
const client = createSTSClient({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
})
|
||||
|
||||
try {
|
||||
const result = await getCallerIdentity(client)
|
||||
|
||||
logger.info('Caller identity retrieved successfully')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to get caller identity', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to get caller identity: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,56 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { awsStsGetSessionTokenContract } from '@/lib/api/contracts/tools/aws/sts-get-session-token'
|
||||
import { parseToolRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { createSTSClient, getSessionToken } from '../utils'
|
||||
|
||||
const logger = createLogger('STSGetSessionTokenAPI')
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const auth = await checkInternalAuth(request)
|
||||
if (!auth.success || !auth.userId) {
|
||||
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseToolRequest(awsStsGetSessionTokenContract, request, {
|
||||
errorFormat: 'details',
|
||||
logger,
|
||||
})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
logger.info('Getting session token')
|
||||
|
||||
const client = createSTSClient({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
})
|
||||
|
||||
try {
|
||||
const result = await getSessionToken(
|
||||
client,
|
||||
params.durationSeconds,
|
||||
params.serialNumber,
|
||||
params.tokenCode
|
||||
)
|
||||
|
||||
logger.info('Session token retrieved successfully')
|
||||
|
||||
return NextResponse.json(result)
|
||||
} finally {
|
||||
client.destroy()
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error('Failed to get session token', { error: toError(error).message })
|
||||
|
||||
return NextResponse.json(
|
||||
{ error: `Failed to get session token: ${toError(error).message}` },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,242 @@
|
||||
import {
|
||||
AssumeRoleCommand,
|
||||
AssumeRoleWithSAMLCommand,
|
||||
AssumeRoleWithWebIdentityCommand,
|
||||
GetAccessKeyInfoCommand,
|
||||
GetCallerIdentityCommand,
|
||||
GetSessionTokenCommand,
|
||||
type PolicyDescriptorType,
|
||||
STSClient,
|
||||
type Tag,
|
||||
} from '@aws-sdk/client-sts'
|
||||
import type { STSConnectionConfig } from '@/tools/sts/types'
|
||||
|
||||
export function createSTSClient(config: STSConnectionConfig): STSClient {
|
||||
return new STSClient({
|
||||
region: config.region,
|
||||
credentials: {
|
||||
accessKeyId: config.accessKeyId,
|
||||
secretAccessKey: config.secretAccessKey,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates an STS client for AssumeRoleWithWebIdentity / AssumeRoleWithSAML,
|
||||
* which authenticate the caller via the supplied token/assertion rather than
|
||||
* an IAM access key — AWS does not check the request signature for these two
|
||||
* operations. The SDK's signing middleware still requires a `credentials`
|
||||
* value to be resolvable, though, so static placeholder credentials are
|
||||
* supplied explicitly to skip the default credential provider chain (env
|
||||
* vars, shared config, container/IMDS role). Without this, the client would
|
||||
* throw a CredentialsProviderError before the request is even sent in
|
||||
* environments with no ambient AWS identity, even though a real IAM identity
|
||||
* was never required.
|
||||
*/
|
||||
export function createUnauthenticatedSTSClient(region: string): STSClient {
|
||||
return new STSClient({
|
||||
region,
|
||||
credentials: { accessKeyId: 'anonymous', secretAccessKey: 'anonymous' },
|
||||
})
|
||||
}
|
||||
|
||||
function parsePolicyArns(policyArns?: string | null): PolicyDescriptorType[] | undefined {
|
||||
if (!policyArns) return undefined
|
||||
const arns = policyArns
|
||||
.split(',')
|
||||
.map((arn) => arn.trim())
|
||||
.filter((arn) => arn.length > 0)
|
||||
return arns.length > 0 ? arns.map((arn) => ({ arn })) : undefined
|
||||
}
|
||||
|
||||
function parseTags(tags?: string | null): Tag[] | undefined {
|
||||
if (!tags) return undefined
|
||||
const parsed = JSON.parse(tags) as Record<string, string>
|
||||
const entries = Object.entries(parsed)
|
||||
return entries.length > 0
|
||||
? entries.map(([Key, Value]) => ({ Key, Value: String(Value) }))
|
||||
: undefined
|
||||
}
|
||||
|
||||
function parseTransitiveTagKeys(transitiveTagKeys?: string | null): string[] | undefined {
|
||||
if (!transitiveTagKeys) return undefined
|
||||
const keys = transitiveTagKeys
|
||||
.split(',')
|
||||
.map((key) => key.trim())
|
||||
.filter((key) => key.length > 0)
|
||||
return keys.length > 0 ? keys : undefined
|
||||
}
|
||||
|
||||
export async function assumeRole(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
roleSessionName: string,
|
||||
durationSeconds?: number | null,
|
||||
policy?: string | null,
|
||||
externalId?: string | null,
|
||||
serialNumber?: string | null,
|
||||
tokenCode?: string | null,
|
||||
policyArns?: string | null,
|
||||
tags?: string | null,
|
||||
transitiveTagKeys?: string | null
|
||||
) {
|
||||
const command = new AssumeRoleCommand({
|
||||
RoleArn: roleArn,
|
||||
RoleSessionName: roleSessionName,
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(externalId ? { ExternalId: externalId } : {}),
|
||||
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
||||
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
...(() => {
|
||||
const sessionTags = parseTags(tags)
|
||||
return sessionTags ? { Tags: sessionTags } : {}
|
||||
})(),
|
||||
...(() => {
|
||||
const keys = parseTransitiveTagKeys(transitiveTagKeys)
|
||||
return keys ? { TransitiveTagKeys: keys } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function assumeRoleWithWebIdentity(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
roleSessionName: string,
|
||||
webIdentityToken: string,
|
||||
providerId?: string | null,
|
||||
policyArns?: string | null,
|
||||
policy?: string | null,
|
||||
durationSeconds?: number | null
|
||||
) {
|
||||
const command = new AssumeRoleWithWebIdentityCommand({
|
||||
RoleArn: roleArn,
|
||||
RoleSessionName: roleSessionName,
|
||||
WebIdentityToken: webIdentityToken,
|
||||
...(providerId ? { ProviderId: providerId } : {}),
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
subjectFromWebIdentityToken: response.SubjectFromWebIdentityToken ?? '',
|
||||
audience: response.Audience ?? null,
|
||||
provider: response.Provider ?? null,
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function assumeRoleWithSAML(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
principalArn: string,
|
||||
samlAssertion: string,
|
||||
policyArns?: string | null,
|
||||
policy?: string | null,
|
||||
durationSeconds?: number | null
|
||||
) {
|
||||
const command = new AssumeRoleWithSAMLCommand({
|
||||
RoleArn: roleArn,
|
||||
PrincipalArn: principalArn,
|
||||
SAMLAssertion: samlAssertion,
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
subject: response.Subject ?? null,
|
||||
subjectType: response.SubjectType ?? null,
|
||||
issuer: response.Issuer ?? null,
|
||||
audience: response.Audience ?? null,
|
||||
nameQualifier: response.NameQualifier ?? null,
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function getCallerIdentity(client: STSClient) {
|
||||
const command = new GetCallerIdentityCommand({})
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
account: response.Account ?? '',
|
||||
arn: response.Arn ?? '',
|
||||
userId: response.UserId ?? '',
|
||||
}
|
||||
}
|
||||
|
||||
export async function getSessionToken(
|
||||
client: STSClient,
|
||||
durationSeconds?: number | null,
|
||||
serialNumber?: string | null,
|
||||
tokenCode?: string | null
|
||||
) {
|
||||
const command = new GetSessionTokenCommand({
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
||||
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function getAccessKeyInfo(client: STSClient, accessKeyId: string) {
|
||||
const command = new GetAccessKeyInfoCommand({
|
||||
AccessKeyId: accessKeyId,
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
account: response.Account ?? '',
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user