-
Notifications
You must be signed in to change notification settings - Fork 592
/
Copy pathresolveProfileData.ts
63 lines (54 loc) · 2.63 KB
/
resolveProfileData.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
import { CredentialsProviderError } from "@smithy/property-provider";
import { AwsCredentialIdentity, ParsedIniData } from "@smithy/types";
import { FromIniInit } from "./fromIni";
import { isAssumeRoleProfile, resolveAssumeRoleCredentials } from "./resolveAssumeRoleCredentials";
import { isProcessProfile, resolveProcessCredentials } from "./resolveProcessCredentials";
import { isSsoProfile, resolveSsoCredentials } from "./resolveSsoCredentials";
import { isStaticCredsProfile, resolveStaticCredentials } from "./resolveStaticCredentials";
import { isWebIdentityProfile, resolveWebIdentityCredentials } from "./resolveWebIdentityCredentials";
/**
* @internal
*/
export const resolveProfileData = async (
profileName: string,
profiles: ParsedIniData,
options: FromIniInit,
visitedProfiles: Record<string, true> = {}
): Promise<AwsCredentialIdentity> => {
const data = profiles[profileName];
// If this is not the first profile visited, static credentials should be
// preferred over role assumption metadata. This special treatment of
// second and subsequent hops is to ensure compatibility with the AWS CLI.
if (Object.keys(visitedProfiles).length > 0 && isStaticCredsProfile(data)) {
return resolveStaticCredentials(data);
}
// If this is the first profile visited, role assumption keys should be
// given precedence over static credentials.
if (isAssumeRoleProfile(data)) {
return resolveAssumeRoleCredentials(profileName, profiles, options, visitedProfiles);
}
// If no role assumption metadata is present, attempt to load static
// credentials from the selected profile.
if (isStaticCredsProfile(data)) {
return resolveStaticCredentials(data);
}
// If no static credentials are present, attempt to assume role with
// web identity if web_identity_token_file and role_arn is available
if (isWebIdentityProfile(data)) {
return resolveWebIdentityCredentials(data, options);
}
// If no web identity is present, attempt to assume role with
// process if credential_process is available
if (isProcessProfile(data)) {
return resolveProcessCredentials(options, profileName);
}
if (isSsoProfile(data)) {
return resolveSsoCredentials(data);
}
// If the profile cannot be parsed or contains neither static credentials
// nor role assumption metadata, throw an error. This should be considered a
// terminal resolution error if a profile has been specified by the user
// (whether via a parameter, an environment variable, or another profile's
// `source_profile` key).
throw new CredentialsProviderError(`Profile ${profileName} could not be found or parsed in shared credentials file.`);
};