1 | var AWS = require('../core');
|
2 | var STS = require('../../clients/sts');
|
3 |
|
4 | /**
|
5 | * Represents credentials retrieved from STS SAML support.
|
6 | *
|
7 | * By default this provider gets credentials using the
|
8 | * {AWS.STS.assumeRoleWithSAML} service operation. This operation
|
9 | * requires a `RoleArn` containing the ARN of the IAM trust policy for the
|
10 | * application for which credentials will be given, as well as a `PrincipalArn`
|
11 | * representing the ARN for the SAML identity provider. In addition, the
|
12 | * `SAMLAssertion` must be set to the token provided by the identity
|
13 | * provider. See {constructor} for an example on creating a credentials
|
14 | * object with proper `RoleArn`, `PrincipalArn`, and `SAMLAssertion` values.
|
15 | *
|
16 | * ## Refreshing Credentials from Identity Service
|
17 | *
|
18 | * In addition to AWS credentials expiring after a given amount of time, the
|
19 | * login token from the identity provider will also expire. Once this token
|
20 | * expires, it will not be usable to refresh AWS credentials, and another
|
21 | * token will be needed. The SDK does not manage refreshing of the token value,
|
22 | * but this can be done through a "refresh token" supported by most identity
|
23 | * providers. Consult the documentation for the identity provider for refreshing
|
24 | * tokens. Once the refreshed token is acquired, you should make sure to update
|
25 | * this new token in the credentials object's {params} property. The following
|
26 | * code will update the SAMLAssertion, assuming you have retrieved an updated
|
27 | * token from the identity provider:
|
28 | *
|
29 | * ```javascript
|
30 | * AWS.config.credentials.params.SAMLAssertion = updatedToken;
|
31 | * ```
|
32 | *
|
33 | * Future calls to `credentials.refresh()` will now use the new token.
|
34 | *
|
35 | * @!attribute params
|
36 | * @return [map] the map of params passed to
|
37 | * {AWS.STS.assumeRoleWithSAML}. To update the token, set the
|
38 | * `params.SAMLAssertion` property.
|
39 | */
|
AWS.SAMLCredentials = AWS.util.inherit(AWS.Credentials, {
  /**
   * Creates a new credentials object.
   *
   * `params` is the map handed to {AWS.STS.assumeRoleWithSAML}
   * (`RoleArn`, `PrincipalArn`, `SAMLAssertion`, ...). It is stored by
   * reference and the same object is later passed to the STS client built
   * in {createClients}, which is why the documented way to rotate the
   * assertion is to update `credentials.params.SAMLAssertion` in place;
   * assigning a brand-new object to `credentials.params` after the client
   * exists would presumably not be seen by that client. Because the map
   * includes the SAML assertion itself, this object holds secret material.
   *
   * @param params [map] parameters for AWS.STS.assumeRoleWithSAML
   * @example Creating a new credentials object
   *   AWS.config.credentials = new AWS.SAMLCredentials({
   *     RoleArn: 'arn:aws:iam::1234567890:role/SAMLRole',
   *     PrincipalArn: 'arn:aws:iam::1234567890:role/SAMLPrincipal',
   *     SAMLAssertion: 'base64-token', // base64-encoded token from IdP
   *   });
   * @see AWS.STS.assumeRoleWithSAML
   */
  constructor: function SAMLCredentials(params) {
    AWS.Credentials.call(this);
    // Start out expired so that no key material is assumed to exist until
    // a refresh has run (presumably triggered by the base class's get()).
    this.expired = true;
    this.params = params;
  },

  /**
   * Refreshes credentials using {AWS.STS.assumeRoleWithSAML}.
   *
   * The request is routed through the inherited `coalesceRefresh`
   * (not visible in this file), which is presumably the path that ends in
   * {load}. A missing callback is replaced by the SDK's no-op callback.
   *
   * @callback callback function(err)
   *   Invoked once STS has responded or the request failed. When called
   *   without an error the `accessKeyId`, `secretAccessKey` and
   *   `sessionToken` properties have been populated on this object.
   * @param err [Error] set when the request failed
   * @see get
   */
  refresh: function refresh(callback) {
    var done = callback;
    if (!done) {
      done = AWS.util.fn.callback;
    }
    this.coalesceRefresh(done);
  },

  /**
   * Performs the STS call and copies the returned credentials onto this
   * object. On error nothing is written and the error is passed through to
   * `callback`; on success `callback` receives the (falsy) `err` value as
   * returned by the service call.
   * @api private
   */
  load: function load(callback) {
    var self = this;
    self.createClients();

    function onAssumeRole(err, data) {
      if (!err) {
        // credentialsFrom populates self with the credential fields from
        // the STS response (see the refresh() contract above).
        self.service.credentialsFrom(data, self);
      }
      callback(err);
    }

    self.service.assumeRoleWithSAML(onAssumeRole);
  },

  /**
   * Lazily builds the STS client used by {load}. The client is created at
   * most once and is configured with the very same `params` object this
   * instance holds.
   * @api private
   */
  createClients: function() {
    if (!this.service) {
      this.service = new STS({params: this.params});
    }
  }

});
|