feat(credential-providers): lazy load STS client in credential providers

Makefile

@@ -23,6 +23,18 @@ unlink-smithy:
 copy-smithy:
 	node ./scripts/copy-smithy-dist-files
 
+gen-auth:
+	node ./scripts/cli-dispatcher client sso - gen;
+	node ./scripts/cli-dispatcher client sts - gen;
+	node ./scripts/cli-dispatcher client sso-oidc - gen;
+	node ./scripts/cli-dispatcher client cognito identity - gen;
+
+b-auth:
+	node ./scripts/cli-dispatcher client sso - deps;
+	node ./scripts/cli-dispatcher client sts - b;
+	node ./scripts/cli-dispatcher client sso-oidc - b;
+	node ./scripts/cli-dispatcher client cognito identity - b;
+
 # Runs build for all packages using Turborepo
 turbo-build:
 	(cd scripts/remote-cache && yarn)
@@ -31,17 +43,10 @@ turbo-build:
 	npx turbo run build --api="http://localhost:3000" --team="aws-sdk-js" --token="xyz"
 	node scripts/remote-cache/ stop
 
-protocols:
-	yarn generate-clients -g codegen/sdk-codegen/aws-models/rekognitionstreaming.json
-	git checkout HEAD clients/client-rekognitionstreaming
-	yarn test:protocols
+# run turbo build for packages only.
+tpk:
+	npx turbo run build --filter='./packages/*'
 
 server-protocols:
 	yarn generate-clients -s
-	yarn test:server-protocols
-
-bytes-cjs:
-	make turbo-build
-	node scripts/remote-cache/ start&
-	npx turbo run build:cjs --api="http://localhost:3000" --team="aws-sdk-js" --token="xyz"
-	node scripts/remote-cache/ stop
+	yarn test:server-protocols

clients/client-s3/src/runtimeConfig.ts

@@ -2,7 +2,6 @@
 // @ts-ignore: package.json will be imported from dist folders
 import packageInfo from "../package.json"; // eslint-disable-line
 
-import { decorateDefaultCredentialProvider } from "@aws-sdk/client-sts";
 import { emitWarningIfUnsupportedVersion as awsCheckVersion } from "@aws-sdk/core";
 import { defaultProvider as credentialDefaultProvider } from "@aws-sdk/credential-provider-node";
 import { NODE_USE_ARN_REGION_CONFIG_OPTIONS } from "@aws-sdk/middleware-bucket-endpoint";
@@ -44,8 +43,7 @@ export const getRuntimeConfig = (config: S3ClientConfig) => {
     runtime: "node",
     defaultsMode,
     bodyLengthChecker: config?.bodyLengthChecker ?? calculateBodyLength,
-    credentialDefaultProvider:
-      config?.credentialDefaultProvider ?? decorateDefaultCredentialProvider(credentialDefaultProvider),
+    credentialDefaultProvider: config?.credentialDefaultProvider ?? credentialDefaultProvider,
     defaultUserAgentProvider:
       config?.defaultUserAgentProvider ??
       defaultUserAgent({ serviceId: clientSharedValues.serviceId, clientVersion: packageInfo.version }),

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/AddAwsAuthPlugin.java

@@ -207,19 +207,22 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
             case NODE:
                 return MapUtils.of(
                     "credentialDefaultProvider", writer -> {
-                        if (!testServiceId(service, "STS")) {
-                            writer.addDependency(AwsDependency.STS_CLIENT);
-                            writer.addImport("decorateDefaultCredentialProvider", "decorateDefaultCredentialProvider",
-                                    AwsDependency.STS_CLIENT);
+                        if (testServiceId(service, "STS")) {
+                            writer
+                                .addRelativeImport("decorateDefaultCredentialProvider", null,
+                                    Paths.get(".", CodegenUtils.SOURCE_FOLDER, STS_ROLE_ASSUMERS_FILE))
+                                .addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE)
+                                .addImport("defaultProvider", "credentialDefaultProvider",
+                                    AwsDependency.CREDENTIAL_PROVIDER_NODE)
+                                .write("decorateDefaultCredentialProvider(credentialDefaultProvider)");
                         } else {
-                            writer.addRelativeImport("decorateDefaultCredentialProvider",
-                                "decorateDefaultCredentialProvider", Paths.get(".", CodegenUtils.SOURCE_FOLDER,
-                                STS_ROLE_ASSUMERS_FILE));
+                            writer
+                                .addDependency(AwsDependency.STS_CLIENT)
+                                .addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE)
+                                .addImport("defaultProvider", "credentialDefaultProvider",
+                                    AwsDependency.CREDENTIAL_PROVIDER_NODE)
+                                .write("credentialDefaultProvider");
                         }
-                        writer.addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE);
-                        writer.addImport("defaultProvider", "credentialDefaultProvider",
-                                AwsDependency.CREDENTIAL_PROVIDER_NODE);
-                        writer.write("decorateDefaultCredentialProvider(credentialDefaultProvider)");
                     }
                 );
             default:

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/auth/http/integration/AddAwsDefaultSigningName.java

@@ -11,7 +11,6 @@
 import java.util.logging.Logger;
 import software.amazon.smithy.aws.traits.ServiceTrait;
 import software.amazon.smithy.aws.traits.auth.SigV4Trait;
-import software.amazon.smithy.aws.typescript.codegen.AddAwsAuthPlugin;
 import software.amazon.smithy.codegen.core.SymbolProvider;
 import software.amazon.smithy.model.Model;
 import software.amazon.smithy.model.shapes.ServiceShape;
@@ -27,7 +26,7 @@
  */
 @SmithyInternalApi
 public final class AddAwsDefaultSigningName implements TypeScriptIntegration {
-    private static final Logger LOGGER = Logger.getLogger(AddAwsAuthPlugin.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(AddAwsDefaultSigningName.class.getName());
 
     /**
      * Integration should only be used if `experimentalIdentityAndAuth` flag is true.

codegen/smithy-aws-typescript-codegen/src/main/java/software/amazon/smithy/aws/typescript/codegen/auth/http/integration/AwsSdkCustomizeSigV4Auth.java

@@ -112,12 +112,10 @@ public Map<String, Consumer<TypeScriptWriter>> getRuntimeConfigWriters(
                         "credentialDefaultProvider", writer -> {
                             writer
                                 .addDependency(AwsDependency.STS_CLIENT)
-                                .addImport("decorateDefaultCredentialProvider", "decorateDefaultCredentialProvider",
-                                        AwsDependency.STS_CLIENT)
                                 .addDependency(AwsDependency.CREDENTIAL_PROVIDER_NODE)
                                 .addImport("defaultProvider", "credentialDefaultProvider",
                                     AwsDependency.CREDENTIAL_PROVIDER_NODE)
-                                .write("decorateDefaultCredentialProvider(credentialDefaultProvider)");
+                                .write("credentialDefaultProvider");
                         }
                     );
                 }

codegen/smithy-aws-typescript-codegen/src/test/java/software/amazon/smithy/aws/typescript/codegen/AddAwsAuthPluginTest.java

@@ -42,8 +42,6 @@ public void awsClient() {
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/NotSameClient.ts").get(), not(containsString("signingName")));
 
         // Check config files
-        assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.ts").get(),
-                containsString("decorateDefaultCredentialProvider"));
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.browser.ts").get(), containsString("Credential is missing"));
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.shared.ts").get(), not(containsString("signingName:")));
 
@@ -81,8 +79,6 @@ public void sigV4GenericClient() {
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/SsdkExampleSigV4Client.ts").get(), containsString("signingName?"));
 
         // Check config files
-        assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.ts").get(),
-                containsString("decorateDefaultCredentialProvider"));
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.browser.ts").get(), containsString("Credential is missing"));
         assertThat(manifest.getFileString(CodegenUtils.SOURCE_FOLDER + "/runtimeConfig.shared.ts").get(), containsString("signingName:"));
 

package.json

@@ -117,7 +117,7 @@
     "ts-loader": "9.4.2",
     "ts-mocha": "10.0.0",
     "ts-node": "10.9.1",
-    "turbo": "^1.6.3",
+    "turbo": "^1.11.3",
     "typescript": "~4.9.5",
     "verdaccio": "5.25.0",
     "webpack": "5.73.0",

packages/credential-provider-cognito-identity/src/CognitoProviderParameters.ts

@@ -1,4 +1,4 @@
-import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
+import type { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
 
 import { Logins } from "./Logins";
 

packages/credential-provider-cognito-identity/src/fromCognitoIdentity.ts

@@ -1,4 +1,3 @@
-import { GetCredentialsForIdentityCommand } from "@aws-sdk/client-cognito-identity";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { AwsCredentialIdentity, Provider } from "@smithy/types";
 
@@ -30,6 +29,8 @@ export type CognitoIdentityCredentialProvider = Provider<CognitoIdentityCredenti
  */
 export function fromCognitoIdentity(parameters: FromCognitoIdentityParameters): CognitoIdentityCredentialProvider {
   return async (): Promise<CognitoIdentityCredentials> => {
+    const { GetCredentialsForIdentityCommand } = await import("./loadCognitoIdentity");
+
     const {
       Credentials: {
         AccessKeyId = throwOnMissingAccessKeyId(),

packages/credential-provider-cognito-identity/src/fromCognitoIdentityPool.ts

@@ -1,4 +1,3 @@
-import { GetIdCommand } from "@aws-sdk/client-cognito-identity";
 import { CredentialsProviderError } from "@smithy/property-provider";
 
 import { CognitoProviderParameters } from "./CognitoProviderParameters";
@@ -26,11 +25,15 @@ export function fromCognitoIdentityPool({
   logins,
   userIdentifier = !logins || Object.keys(logins).length === 0 ? "ANONYMOUS" : undefined,
 }: FromCognitoIdentityPoolParameters): CognitoIdentityCredentialProvider {
-  const cacheKey = userIdentifier ? `aws:cognito-identity-credentials:${identityPoolId}:${userIdentifier}` : undefined;
+  const cacheKey: string | undefined = userIdentifier
+    ? `aws:cognito-identity-credentials:${identityPoolId}:${userIdentifier}`
+    : undefined;
 
   let provider: CognitoIdentityCredentialProvider = async () => {
     let identityId = cacheKey && (await cache.getItem(cacheKey));
     if (!identityId) {
+      const { GetIdCommand } = await import("./loadCognitoIdentity");
+
       const { IdentityId = throwOnMissingId() } = await client.send(
         new GetIdCommand({
           AccountId: accountId,

packages/credential-provider-cognito-identity/src/loadCognitoIdentity.ts

@@ -0,0 +1,4 @@
+import { GetCredentialsForIdentityCommand, GetIdCommand } from "@aws-sdk/client-cognito-identity";
+
+// This file must be loaded dynamically.
+export { GetCredentialsForIdentityCommand, GetIdCommand };

packages/credential-provider-ini/package.json

@@ -35,6 +35,9 @@
     "@smithy/types": "^2.9.1",
     "tslib": "^2.5.0"
   },
+  "peerDependencies": {
+    "@aws-sdk/client-sts": "*"
+  },
   "devDependencies": {
     "@tsconfig/recommended": "1.0.1",
     "@types/node": "^14.14.31",

packages/credential-provider-ini/src/fromIni.ts

@@ -1,12 +1,13 @@
+import type { STSClientConfig } from "@aws-sdk/client-sts";
 import { AssumeRoleWithWebIdentityParams } from "@aws-sdk/credential-provider-web-identity";
 import { getProfileName, parseKnownFiles, SourceProfileInit } from "@smithy/shared-ini-file-loader";
-import { AwsCredentialIdentity, AwsCredentialIdentityProvider } from "@smithy/types";
+import type { AwsCredentialIdentity, AwsCredentialIdentityProvider, Pluggable } from "@smithy/types";
 
 import { AssumeRoleParams } from "./resolveAssumeRoleCredentials";
 import { resolveProfileData } from "./resolveProfileData";
 
 /**
- * @internal
+ * @public
  */
 export interface FromIniInit extends SourceProfileInit {
   /**
@@ -36,6 +37,9 @@ export interface FromIniInit extends SourceProfileInit {
    * @param params
    */
   roleAssumerWithWebIdentity?: (params: AssumeRoleWithWebIdentityParams) => Promise<AwsCredentialIdentity>;
+
+  clientConfig?: STSClientConfig;
+  clientPlugins?: Pluggable<any, any>[];
 }
 
 /**

packages/credential-provider-ini/src/loadSts.ts

@@ -0,0 +1,4 @@
+import { getDefaultRoleAssumer } from "@aws-sdk/client-sts";
+
+// This file must be loaded dynamically.
+export { getDefaultRoleAssumer };

packages/credential-provider-ini/src/resolveAssumeRoleCredentials.ts

@@ -86,10 +86,8 @@ export const resolveAssumeRoleCredentials = async (
   const data = profiles[profileName];
 
   if (!options.roleAssumer) {
-    throw new CredentialsProviderError(
-      `Profile ${profileName} requires a role to be assumed, but no role assumption callback was provided.`,
-      false
-    );
+    const { getDefaultRoleAssumer } = await import("./loadSts");
+    options.roleAssumer = getDefaultRoleAssumer(options.clientConfig, options.clientPlugins);
   }
 
   const { source_profile } = data;

packages/credential-provider-node/src/defaultProvider.ts

@@ -9,6 +9,9 @@ import { AwsCredentialIdentity, MemoizedProvider } from "@smithy/types";
 
 import { remoteProvider } from "./remoteProvider";
 
+/**
+ * @public
+ */
 export type DefaultProviderInit = FromIniInit & RemoteProviderInit & FromProcessInit & FromSSOInit & FromTokenFileInit;
 
 /**
@@ -30,20 +33,20 @@ export type DefaultProviderInit = FromIniInit & RemoteProviderInit & FromProcess
  * @param init                  Configuration that is passed to each individual
  *                              provider
  *
- * @see {@link fromEnv}                 The function used to source credentials from
- *                              environment variables
- * @see {@link fromSSO}                 The function used to source credentials from
- *                              resolved SSO token cache
- * @see {@link fromTokenFile}           The function used to source credentials from
- *                              token file
- * @see {@link fromIni}                The function used to source credentials from INI
- *                              files
- * @see {@link fromProcess}             The function used to sources credentials from
- *                              credential_process in INI files
+ * @see {@link fromEnv}         The function used to source credentials from
+ *                              environment variables.
+ * @see {@link fromSSO}         The function used to source credentials from
+ *                              resolved SSO token cache.
+ * @see {@link fromTokenFile}   The function used to source credentials from
+ *                              token file.
+ * @see {@link fromIni}         The function used to source credentials from INI
+ *                              files.
+ * @see {@link fromProcess}     The function used to sources credentials from
+ *                              credential_process in INI files.
  * @see {@link fromInstanceMetadata}    The function used to source credentials from the
- *                              EC2 Instance Metadata Service
+ *                                      EC2 Instance Metadata Service.
  * @see {@link fromContainerMetadata}   The function used to source credentials from the
- *                              ECS Container Metadata Service
+ *                                      ECS Container Metadata Service.
  */
 export const defaultProvider = (init: DefaultProviderInit = {}): MemoizedProvider<AwsCredentialIdentity> =>
   memoize(

packages/credential-provider-sso/src/fromSSO.ts

@@ -1,4 +1,4 @@
-import { SSOClient } from "@aws-sdk/client-sso";
+import type { SSOClient, SSOClientConfig } from "@aws-sdk/client-sso";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { getProfileName, loadSsoSessionData, parseKnownFiles, SourceProfileInit } from "@smithy/shared-ini-file-loader";
 import { AwsCredentialIdentityProvider } from "@smithy/types";
@@ -43,6 +43,7 @@ export interface SsoCredentialsParameters {
  */
 export interface FromSSOInit extends SourceProfileInit {
   ssoClient?: SSOClient;
+  clientConfig?: SSOClientConfig;
 }
 
 /**
@@ -79,7 +80,12 @@ export interface FromSSOInit extends SourceProfileInit {
 export const fromSSO =
   (init: FromSSOInit & Partial<SsoCredentialsParameters> = {}): AwsCredentialIdentityProvider =>
   async () => {
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoClient, ssoSession } = init;
+    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
+    let { ssoClient } = init;
+    if (!ssoClient) {
+      const { SSOClient } = await import("./loadSso");
+      ssoClient = new SSOClient(init.clientConfig ?? {});
+    }
     const profileName = getProfileName(init);
 
     if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {

packages/credential-provider-sso/src/loadSso.ts

@@ -0,0 +1,4 @@
+import { GetRoleCredentialsCommand, SSOClient } from "@aws-sdk/client-sso";
+
+// This file must be loaded dynamically.
+export { GetRoleCredentialsCommand, SSOClient };

packages/credential-provider-sso/src/resolveSSOCredentials.ts

@@ -1,4 +1,4 @@
-import { GetRoleCredentialsCommand, GetRoleCredentialsCommandOutput, SSOClient } from "@aws-sdk/client-sso";
+import type { GetRoleCredentialsCommandOutput } from "@aws-sdk/client-sso";
 import { fromSso as getSsoTokenProvider } from "@aws-sdk/token-providers";
 import { CredentialsProviderError } from "@smithy/property-provider";
 import { getSSOTokenFromFile, SSOToken } from "@smithy/shared-ini-file-loader";
@@ -52,6 +52,9 @@ export const resolveSSOCredentials = async ({
   }
 
   const { accessToken } = token;
+
+  const { SSOClient, GetRoleCredentialsCommand } = await import("./loadSso");
+
   const sso = ssoClient || new SSOClient({ region: ssoRegion });
   let ssoResp: GetRoleCredentialsCommandOutput;
   try {

packages/credential-provider-web-identity/package.json

@@ -37,6 +37,9 @@
     "@smithy/types": "^2.9.1",
     "tslib": "^2.5.0"
   },
+  "peerDependencies": {
+    "@aws-sdk/client-sts": "*"
+  },
   "devDependencies": {
     "@tsconfig/recommended": "1.0.1",
     "@types/node": "^14.14.31",

packages/credential-provider-web-identity/src/fromTokenFile.ts

@@ -9,7 +9,7 @@ const ENV_ROLE_ARN = "AWS_ROLE_ARN";
 const ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";
 
 /**
- * @internal
+ * @public
  */
 export interface FromTokenFileInit extends Partial<Omit<FromWebTokenInit, "webIdentityToken">> {
   /**