1 | import { BaseExternalAccountClient, BaseExternalAccountClientOptions } from './baseexternalclient';
2 | import { RefreshOptions } from './oauth2client';
/**
 * Options for an {@link AwsClient}: the base external-account client options
 * plus an AWS `credential_source` block that tells the client where to obtain
 * its region and its temporary AWS credentials.
 *
 * NOTE(review): each URL below is read from the credential configuration and
 * the client requests its region and temporary credentials from whatever host
 * the URL names, so the configuration file itself has to be trusted. Checking
 * these URLs against the expected metadata host is worth considering on the
 * implementation side.
 */
export interface AwsClientOptions extends BaseExternalAccountClientOptions {
  credential_source: {
    /** Identifier of the AWS environment this configuration targets (expected format not shown in this declaration). */
    environment_id: string;
    /** Endpoint used to look up the AWS region (availability zone); optional. */
    region_url?: string;
    /** Security-credentials endpoint used to fetch the temporary AWS credentials; optional. */
    url?: string;
    /** Presumably the regional AWS STS GetCallerIdentity URL the signed request is built against — confirm. */
    regional_cred_verification_url: string;
  };
}
/**
 * External account client for AWS workloads. It produces a serialized,
 * AWS-signed STS GetCallerIdentity request (the "subject token") and hands it
 * to the base client for exchange against a GCP access token via the GCP STS
 * endpoint. See {@link AwsClient.retrieveSubjectToken} for the exchange steps.
 */
export declare class AwsClient extends BaseExternalAccountClient {
  /** AWS environment identifier; presumably `credential_source.environment_id`. */
  private readonly environmentId;
  /** Endpoint for the AWS region lookup; presumably `credential_source.region_url`. */
  private readonly regionUrl?;
  /** Security-credentials endpoint; presumably `credential_source.url`. */
  private readonly securityCredentialsUrl?;
  /** Regional STS GetCallerIdentity URL; presumably `credential_source.regional_cred_verification_url`. */
  private readonly regionalCredVerificationUrl;
  /** Signer for the AWS request. Not readonly, so presumably created lazily once credentials are known — confirm. */
  private awsRequestSigner;
  /** AWS region of the current VM. Not readonly, so presumably cached by getAwsRegion — confirm. */
  private region;
  /**
   * @param options AWS external account options, including the
   *   `credential_source` block (see {@link AwsClientOptions}).
   * @param additionalOptions Optional refresh options; presumably forwarded to
   *   the base client.
   */
  constructor(options: AwsClientOptions, additionalOptions?: RefreshOptions);
  /**
   * Triggered when an external subject token is needed to be exchanged for a
   * GCP access token via GCP STS endpoint.
   * This uses the `options.credential_source` object to figure out how
   * to retrieve the token using the current environment. In this case,
   * this uses a serialized AWS signed request to the STS GetCallerIdentity
   * endpoint.
   * The logic is summarized as:
   * 1. Retrieve AWS region from availability-zone.
   * 2a. Check AWS credentials in environment variables. If not found, get
   *     from security-credentials endpoint.
   * 2b. Get AWS credentials from security-credentials endpoint. In order
   *     to retrieve this, the AWS role needs to be determined by calling
   *     security-credentials endpoint without any argument. Then the
   *     credentials can be retrieved via: security-credentials/role_name
   * 3. Generate the signed request to AWS STS GetCallerIdentity action.
   * 4. Inject x-goog-cloud-target-resource into header and serialize the
   *    signed request. This will be the subject-token to pass to GCP STS.
   *
   * NOTE(review): the resolved string is a request signed with the temporary
   * AWS credentials, so treat it as a secret (do not log or persist it).
   * @return A promise that resolves with the external subject token.
   */
  retrieveSubjectToken(): Promise<string>;
  /**
   * Looks up the AWS region of the current VM (step 1 above).
   * @return A promise that resolves with the current AWS region.
   */
  private getAwsRegion;
  /**
   * Calls the security-credentials endpoint without an argument to learn the
   * role attached to the current VM (step 2b above).
   * @return A promise that resolves with the assigned role to the current
   *   AWS VM. This is needed for calling the security-credentials endpoint.
   */
  private getAwsRoleName;
  /**
   * Retrieves the temporary AWS credentials by calling the security-credentials
   * endpoint as specified in the `credential_source` object.
   * @param roleName The role attached to the current VM.
   * @return A promise that resolves with the temporary AWS credentials
   *   needed for creating the GetCallerIdentity signed request.
   */
  private getAwsSecurityCredentials;
}