chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,242 @@
|
||||
import {
|
||||
AssumeRoleCommand,
|
||||
AssumeRoleWithSAMLCommand,
|
||||
AssumeRoleWithWebIdentityCommand,
|
||||
GetAccessKeyInfoCommand,
|
||||
GetCallerIdentityCommand,
|
||||
GetSessionTokenCommand,
|
||||
type PolicyDescriptorType,
|
||||
STSClient,
|
||||
type Tag,
|
||||
} from '@aws-sdk/client-sts'
|
||||
import type { STSConnectionConfig } from '@/tools/sts/types'
|
||||
|
||||
export function createSTSClient(config: STSConnectionConfig): STSClient {
|
||||
return new STSClient({
|
||||
region: config.region,
|
||||
credentials: {
|
||||
accessKeyId: config.accessKeyId,
|
||||
secretAccessKey: config.secretAccessKey,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates an STS client for AssumeRoleWithWebIdentity / AssumeRoleWithSAML,
|
||||
* which authenticate the caller via the supplied token/assertion rather than
|
||||
* an IAM access key — AWS does not check the request signature for these two
|
||||
* operations. The SDK's signing middleware still requires a `credentials`
|
||||
* value to be resolvable, though, so static placeholder credentials are
|
||||
* supplied explicitly to skip the default credential provider chain (env
|
||||
* vars, shared config, container/IMDS role). Without this, the client would
|
||||
* throw a CredentialsProviderError before the request is even sent in
|
||||
* environments with no ambient AWS identity, even though a real IAM identity
|
||||
* was never required.
|
||||
*/
|
||||
export function createUnauthenticatedSTSClient(region: string): STSClient {
|
||||
return new STSClient({
|
||||
region,
|
||||
credentials: { accessKeyId: 'anonymous', secretAccessKey: 'anonymous' },
|
||||
})
|
||||
}
|
||||
|
||||
function parsePolicyArns(policyArns?: string | null): PolicyDescriptorType[] | undefined {
|
||||
if (!policyArns) return undefined
|
||||
const arns = policyArns
|
||||
.split(',')
|
||||
.map((arn) => arn.trim())
|
||||
.filter((arn) => arn.length > 0)
|
||||
return arns.length > 0 ? arns.map((arn) => ({ arn })) : undefined
|
||||
}
|
||||
|
||||
function parseTags(tags?: string | null): Tag[] | undefined {
|
||||
if (!tags) return undefined
|
||||
const parsed = JSON.parse(tags) as Record<string, string>
|
||||
const entries = Object.entries(parsed)
|
||||
return entries.length > 0
|
||||
? entries.map(([Key, Value]) => ({ Key, Value: String(Value) }))
|
||||
: undefined
|
||||
}
|
||||
|
||||
function parseTransitiveTagKeys(transitiveTagKeys?: string | null): string[] | undefined {
|
||||
if (!transitiveTagKeys) return undefined
|
||||
const keys = transitiveTagKeys
|
||||
.split(',')
|
||||
.map((key) => key.trim())
|
||||
.filter((key) => key.length > 0)
|
||||
return keys.length > 0 ? keys : undefined
|
||||
}
|
||||
|
||||
export async function assumeRole(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
roleSessionName: string,
|
||||
durationSeconds?: number | null,
|
||||
policy?: string | null,
|
||||
externalId?: string | null,
|
||||
serialNumber?: string | null,
|
||||
tokenCode?: string | null,
|
||||
policyArns?: string | null,
|
||||
tags?: string | null,
|
||||
transitiveTagKeys?: string | null
|
||||
) {
|
||||
const command = new AssumeRoleCommand({
|
||||
RoleArn: roleArn,
|
||||
RoleSessionName: roleSessionName,
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(externalId ? { ExternalId: externalId } : {}),
|
||||
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
||||
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
...(() => {
|
||||
const sessionTags = parseTags(tags)
|
||||
return sessionTags ? { Tags: sessionTags } : {}
|
||||
})(),
|
||||
...(() => {
|
||||
const keys = parseTransitiveTagKeys(transitiveTagKeys)
|
||||
return keys ? { TransitiveTagKeys: keys } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function assumeRoleWithWebIdentity(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
roleSessionName: string,
|
||||
webIdentityToken: string,
|
||||
providerId?: string | null,
|
||||
policyArns?: string | null,
|
||||
policy?: string | null,
|
||||
durationSeconds?: number | null
|
||||
) {
|
||||
const command = new AssumeRoleWithWebIdentityCommand({
|
||||
RoleArn: roleArn,
|
||||
RoleSessionName: roleSessionName,
|
||||
WebIdentityToken: webIdentityToken,
|
||||
...(providerId ? { ProviderId: providerId } : {}),
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
subjectFromWebIdentityToken: response.SubjectFromWebIdentityToken ?? '',
|
||||
audience: response.Audience ?? null,
|
||||
provider: response.Provider ?? null,
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function assumeRoleWithSAML(
|
||||
client: STSClient,
|
||||
roleArn: string,
|
||||
principalArn: string,
|
||||
samlAssertion: string,
|
||||
policyArns?: string | null,
|
||||
policy?: string | null,
|
||||
durationSeconds?: number | null
|
||||
) {
|
||||
const command = new AssumeRoleWithSAMLCommand({
|
||||
RoleArn: roleArn,
|
||||
PrincipalArn: principalArn,
|
||||
SAMLAssertion: samlAssertion,
|
||||
...(policy ? { Policy: policy } : {}),
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(() => {
|
||||
const arns = parsePolicyArns(policyArns)
|
||||
return arns ? { PolicyArns: arns } : {}
|
||||
})(),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
||||
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
||||
subject: response.Subject ?? null,
|
||||
subjectType: response.SubjectType ?? null,
|
||||
issuer: response.Issuer ?? null,
|
||||
audience: response.Audience ?? null,
|
||||
nameQualifier: response.NameQualifier ?? null,
|
||||
packedPolicySize: response.PackedPolicySize ?? null,
|
||||
sourceIdentity: response.SourceIdentity ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function getCallerIdentity(client: STSClient) {
|
||||
const command = new GetCallerIdentityCommand({})
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
account: response.Account ?? '',
|
||||
arn: response.Arn ?? '',
|
||||
userId: response.UserId ?? '',
|
||||
}
|
||||
}
|
||||
|
||||
export async function getSessionToken(
|
||||
client: STSClient,
|
||||
durationSeconds?: number | null,
|
||||
serialNumber?: string | null,
|
||||
tokenCode?: string | null
|
||||
) {
|
||||
const command = new GetSessionTokenCommand({
|
||||
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
||||
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
||||
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
||||
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
||||
sessionToken: response.Credentials?.SessionToken ?? '',
|
||||
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
||||
}
|
||||
}
|
||||
|
||||
export async function getAccessKeyInfo(client: STSClient, accessKeyId: string) {
|
||||
const command = new GetAccessKeyInfoCommand({
|
||||
AccessKeyId: accessKeyId,
|
||||
})
|
||||
|
||||
const response = await client.send(command)
|
||||
|
||||
return {
|
||||
account: response.Account ?? '',
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user