d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
243 lines
7.9 KiB
TypeScript
243 lines
7.9 KiB
TypeScript
import {
|
|
AssumeRoleCommand,
|
|
AssumeRoleWithSAMLCommand,
|
|
AssumeRoleWithWebIdentityCommand,
|
|
GetAccessKeyInfoCommand,
|
|
GetCallerIdentityCommand,
|
|
GetSessionTokenCommand,
|
|
type PolicyDescriptorType,
|
|
STSClient,
|
|
type Tag,
|
|
} from '@aws-sdk/client-sts'
|
|
import type { STSConnectionConfig } from '@/tools/sts/types'
|
|
|
|
export function createSTSClient(config: STSConnectionConfig): STSClient {
|
|
return new STSClient({
|
|
region: config.region,
|
|
credentials: {
|
|
accessKeyId: config.accessKeyId,
|
|
secretAccessKey: config.secretAccessKey,
|
|
},
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Creates an STS client for AssumeRoleWithWebIdentity / AssumeRoleWithSAML,
|
|
* which authenticate the caller via the supplied token/assertion rather than
|
|
* an IAM access key — AWS does not check the request signature for these two
|
|
* operations. The SDK's signing middleware still requires a `credentials`
|
|
* value to be resolvable, though, so static placeholder credentials are
|
|
* supplied explicitly to skip the default credential provider chain (env
|
|
* vars, shared config, container/IMDS role). Without this, the client would
|
|
* throw a CredentialsProviderError before the request is even sent in
|
|
* environments with no ambient AWS identity, even though a real IAM identity
|
|
* was never required.
|
|
*/
|
|
export function createUnauthenticatedSTSClient(region: string): STSClient {
|
|
return new STSClient({
|
|
region,
|
|
credentials: { accessKeyId: 'anonymous', secretAccessKey: 'anonymous' },
|
|
})
|
|
}
|
|
|
|
function parsePolicyArns(policyArns?: string | null): PolicyDescriptorType[] | undefined {
|
|
if (!policyArns) return undefined
|
|
const arns = policyArns
|
|
.split(',')
|
|
.map((arn) => arn.trim())
|
|
.filter((arn) => arn.length > 0)
|
|
return arns.length > 0 ? arns.map((arn) => ({ arn })) : undefined
|
|
}
|
|
|
|
function parseTags(tags?: string | null): Tag[] | undefined {
|
|
if (!tags) return undefined
|
|
const parsed = JSON.parse(tags) as Record<string, string>
|
|
const entries = Object.entries(parsed)
|
|
return entries.length > 0
|
|
? entries.map(([Key, Value]) => ({ Key, Value: String(Value) }))
|
|
: undefined
|
|
}
|
|
|
|
function parseTransitiveTagKeys(transitiveTagKeys?: string | null): string[] | undefined {
|
|
if (!transitiveTagKeys) return undefined
|
|
const keys = transitiveTagKeys
|
|
.split(',')
|
|
.map((key) => key.trim())
|
|
.filter((key) => key.length > 0)
|
|
return keys.length > 0 ? keys : undefined
|
|
}
|
|
|
|
export async function assumeRole(
|
|
client: STSClient,
|
|
roleArn: string,
|
|
roleSessionName: string,
|
|
durationSeconds?: number | null,
|
|
policy?: string | null,
|
|
externalId?: string | null,
|
|
serialNumber?: string | null,
|
|
tokenCode?: string | null,
|
|
policyArns?: string | null,
|
|
tags?: string | null,
|
|
transitiveTagKeys?: string | null
|
|
) {
|
|
const command = new AssumeRoleCommand({
|
|
RoleArn: roleArn,
|
|
RoleSessionName: roleSessionName,
|
|
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
|
...(policy ? { Policy: policy } : {}),
|
|
...(externalId ? { ExternalId: externalId } : {}),
|
|
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
|
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
|
...(() => {
|
|
const arns = parsePolicyArns(policyArns)
|
|
return arns ? { PolicyArns: arns } : {}
|
|
})(),
|
|
...(() => {
|
|
const sessionTags = parseTags(tags)
|
|
return sessionTags ? { Tags: sessionTags } : {}
|
|
})(),
|
|
...(() => {
|
|
const keys = parseTransitiveTagKeys(transitiveTagKeys)
|
|
return keys ? { TransitiveTagKeys: keys } : {}
|
|
})(),
|
|
})
|
|
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
|
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
|
sessionToken: response.Credentials?.SessionToken ?? '',
|
|
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
|
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
|
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
|
packedPolicySize: response.PackedPolicySize ?? null,
|
|
sourceIdentity: response.SourceIdentity ?? null,
|
|
}
|
|
}
|
|
|
|
export async function assumeRoleWithWebIdentity(
|
|
client: STSClient,
|
|
roleArn: string,
|
|
roleSessionName: string,
|
|
webIdentityToken: string,
|
|
providerId?: string | null,
|
|
policyArns?: string | null,
|
|
policy?: string | null,
|
|
durationSeconds?: number | null
|
|
) {
|
|
const command = new AssumeRoleWithWebIdentityCommand({
|
|
RoleArn: roleArn,
|
|
RoleSessionName: roleSessionName,
|
|
WebIdentityToken: webIdentityToken,
|
|
...(providerId ? { ProviderId: providerId } : {}),
|
|
...(policy ? { Policy: policy } : {}),
|
|
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
|
...(() => {
|
|
const arns = parsePolicyArns(policyArns)
|
|
return arns ? { PolicyArns: arns } : {}
|
|
})(),
|
|
})
|
|
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
|
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
|
sessionToken: response.Credentials?.SessionToken ?? '',
|
|
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
|
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
|
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
|
subjectFromWebIdentityToken: response.SubjectFromWebIdentityToken ?? '',
|
|
audience: response.Audience ?? null,
|
|
provider: response.Provider ?? null,
|
|
packedPolicySize: response.PackedPolicySize ?? null,
|
|
sourceIdentity: response.SourceIdentity ?? null,
|
|
}
|
|
}
|
|
|
|
export async function assumeRoleWithSAML(
|
|
client: STSClient,
|
|
roleArn: string,
|
|
principalArn: string,
|
|
samlAssertion: string,
|
|
policyArns?: string | null,
|
|
policy?: string | null,
|
|
durationSeconds?: number | null
|
|
) {
|
|
const command = new AssumeRoleWithSAMLCommand({
|
|
RoleArn: roleArn,
|
|
PrincipalArn: principalArn,
|
|
SAMLAssertion: samlAssertion,
|
|
...(policy ? { Policy: policy } : {}),
|
|
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
|
...(() => {
|
|
const arns = parsePolicyArns(policyArns)
|
|
return arns ? { PolicyArns: arns } : {}
|
|
})(),
|
|
})
|
|
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
|
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
|
sessionToken: response.Credentials?.SessionToken ?? '',
|
|
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
|
assumedRoleArn: response.AssumedRoleUser?.Arn ?? '',
|
|
assumedRoleId: response.AssumedRoleUser?.AssumedRoleId ?? '',
|
|
subject: response.Subject ?? null,
|
|
subjectType: response.SubjectType ?? null,
|
|
issuer: response.Issuer ?? null,
|
|
audience: response.Audience ?? null,
|
|
nameQualifier: response.NameQualifier ?? null,
|
|
packedPolicySize: response.PackedPolicySize ?? null,
|
|
sourceIdentity: response.SourceIdentity ?? null,
|
|
}
|
|
}
|
|
|
|
export async function getCallerIdentity(client: STSClient) {
|
|
const command = new GetCallerIdentityCommand({})
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
account: response.Account ?? '',
|
|
arn: response.Arn ?? '',
|
|
userId: response.UserId ?? '',
|
|
}
|
|
}
|
|
|
|
export async function getSessionToken(
|
|
client: STSClient,
|
|
durationSeconds?: number | null,
|
|
serialNumber?: string | null,
|
|
tokenCode?: string | null
|
|
) {
|
|
const command = new GetSessionTokenCommand({
|
|
...(durationSeconds ? { DurationSeconds: durationSeconds } : {}),
|
|
...(serialNumber ? { SerialNumber: serialNumber } : {}),
|
|
...(tokenCode ? { TokenCode: tokenCode } : {}),
|
|
})
|
|
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
accessKeyId: response.Credentials?.AccessKeyId ?? '',
|
|
secretAccessKey: response.Credentials?.SecretAccessKey ?? '',
|
|
sessionToken: response.Credentials?.SessionToken ?? '',
|
|
expiration: response.Credentials?.Expiration?.toISOString() ?? null,
|
|
}
|
|
}
|
|
|
|
export async function getAccessKeyInfo(client: STSClient, accessKeyId: string) {
|
|
const command = new GetAccessKeyInfoCommand({
|
|
AccessKeyId: accessKeyId,
|
|
})
|
|
|
|
const response = await client.send(command)
|
|
|
|
return {
|
|
account: response.Account ?? '',
|
|
}
|
|
}
|