A collection of credential providers for AWS SDK, enabling authentication across different AWS environments and services
Configuration file credential provider reads AWS credentials from shared configuration files, supporting profiles, role assumption, and various credential sources configured in INI format.
Creates a credential provider that reads from AWS shared configuration files.
/**
 * Creates a credential provider function that reads from shared credentials files
 * @param init - Configuration options for the provider
 * @returns Runtime-configurable credential provider function
 */
function fromIni(init?: FromIniInit): RuntimeConfigAwsCredentialIdentityProvider;

interface FromIniInit {
  /** Configuration profile name. Defaults to AWS_PROFILE environment variable or 'default' */
  profile?: string;
  /** Path to shared credentials file. Defaults to ~/.aws/credentials */
  filepath?: string;
  /** Path to shared config file. Defaults to ~/.aws/config */
  configFilepath?: string;
  /** Function that returns MFA token code for the provided MFA serial */
  mfaCodeProvider?: (mfaSerial: string) => Promise<string>;
  /** Custom STS client configurations overriding defaults */
  clientConfig?: STSClientConfig;
  /** Custom STS client middleware plugins */
  clientPlugins?: Pluggable<any, any>[];
}

The provider reads from these default locations:

- ~/.aws/credentials (or AWS_SHARED_CREDENTIALS_FILE environment variable)
- ~/.aws/config (or AWS_CONFIG_FILE environment variable)

Usage Examples:
import { S3Client } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

// Use default profile
const client = new S3Client({
  region: "us-west-2",
  credentials: fromIni()
});

// Use specific profile
const devClient = new S3Client({
  region: "us-west-2",
  credentials: fromIni({
    profile: "development"
  })
});

// Custom file paths
const customClient = new S3Client({
  region: "us-west-2",
  credentials: fromIni({
    filepath: "/custom/path/credentials",
    configFilepath: "/custom/path/config"
  })
});

~/.aws/credentials:
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[development]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

~/.aws/config:
[default]
region = us-east-1
[profile development]
region = us-west-2

~/.aws/config:
[profile production]
role_arn = arn:aws:iam::123456789012:role/ProductionRole
source_profile = default
region = us-east-1
[profile cross-account]
role_arn = arn:aws:iam::987654321098:role/CrossAccountRole
source_profile = development
region = us-west-2
role_session_name = MySessionName

[profile ec2-role]
role_arn = arn:aws:iam::123456789012:role/EC2Role
credential_source = Ec2InstanceMetadata
[profile ecs-role]
role_arn = arn:aws:iam::123456789012:role/ECSRole
credential_source = EcsContainer
[profile env-role]
role_arn = arn:aws:iam::123456789012:role/EnvRole
credential_source = Environment

[profile web-identity]
role_arn = arn:aws:iam::123456789012:role/WebIdentityRole
web_identity_token_file = /path/to/token
role_session_name = MyWebIdentitySession
[profile kubernetes]
role_arn = arn:aws:iam::123456789012:role/KubernetesRole
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token

For profiles requiring multi-factor authentication:
import { S3Client } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

const clientWithMFA = new S3Client({
  region: "us-east-1",
  credentials: fromIni({
    profile: "mfa-profile",
    mfaCodeProvider: async (mfaSerial) => {
      // Implement your MFA token retrieval logic
      // This could prompt user input, read from a secure store, etc.
      return promptForMFAToken(mfaSerial);
    }
  })
});

async function promptForMFAToken(serialNumber: string): Promise<string> {
  console.log(`Please enter MFA token for device: ${serialNumber}`);
  // Implementation depends on your environment
  // Could use readline, a GUI prompt, or secure storage
  return "123456"; // Example token
}

Configuration with MFA:
[profile with-mfa]
role_arn = arn:aws:iam::123456789012:role/RequiresMFARole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/user@example.com

[profile sso-profile]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess

fromIni({ profile: "name" })
new S3Client({ profile: "name" })

Common errors and handling:
import { fromIni } from "@aws-sdk/credential-providers";

try {
  const credentials = await fromIni({ profile: "nonexistent" })();
} catch (error) {
  // `error` is `unknown` under strict TypeScript, so narrow it before reading .message
  const message = error instanceof Error ? error.message : String(error);
  if (message.includes("Profile not found")) {
    console.error("The specified profile does not exist in credentials files");
  } else if (message.includes("MFA")) {
    console.error("MFA token required but not provided");
  } else {
    console.error("Failed to load credentials:", message);
  }
}

When profiles appear in both files:
- [profile name] format (except default)

The provider respects region configuration:
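The role-assumption and MFA profiles shown earlier on this page can be reviewed mechanically before they are handed to fromIni. The following is an added example, not code from the SDK or from the original page: `parseIni` and `auditProfile` are hypothetical helpers that walk a profile's `source_profile` chain over constructed sample data. Which conditions count as findings (a chain ending in a long-term access key, a role profile without `mfa_serial`, both `source_profile` and `credential_source` set, a missing or cyclic reference) is a choice made for this example.

```typescript
// Added example (constructed sample data; the access key is an AWS documentation placeholder).
type Section = { [key: string]: string };
type Profiles = { [name: string]: Section };

// Minimal INI reader: "[profile x]" (config) and "[x]" (credentials) both map to "x".
function parseIni(text: string): Profiles {
  const out: Profiles = {};
  let section: Section | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const head = /^\[(?:profile\s+)?([^\]]+)\]$/.exec(raw.trim());
    const kv = /^([^=#;]+)=(.*)$/.exec(raw.trim());
    if (head) {
      const name = (head[1] || "").trim();
      section = out[name] || (out[name] = {});
    } else if (kv && section) {
      section[(kv[1] || "").trim()] = (kv[2] || "").trim();
    }
  }
  return out;
}

// Walk the source_profile chain from `start` and report what a reviewer would flag.
function auditProfile(profiles: Profiles, start: string): string[] {
  const findings: string[] = [];
  const seen: string[] = [];
  let name: string | undefined = start;
  while (name !== undefined) {
    if (seen.indexOf(name) !== -1) { findings.push("cycle: " + seen.concat(name).join(" -> ")); break; }
    seen.push(name);
    const p: Section | undefined = profiles[name];
    if (!p) { findings.push("missing profile: " + name); break; }
    if (p["source_profile"] && p["credential_source"]) findings.push(name + ": both source_profile and credential_source set");
    if (p["role_arn"] && p["source_profile"] && !p["mfa_serial"]) findings.push(name + ": role assumed without mfa_serial");
    if (/^AKIA/.test(p["aws_access_key_id"] || "")) findings.push(name + ": long-term access key in file");
    name = p["role_arn"] ? p["source_profile"] : undefined; // only role profiles chain onward
  }
  return findings;
}

// Constructed sample: config and credentials sections merged into one text.
const SAMPLE = parseIni([
  "[profile production]", "role_arn = arn:aws:iam::123456789012:role/ProductionRole", "source_profile = default",
  "[profile with-mfa]", "role_arn = arn:aws:iam::123456789012:role/RequiresMFARole", "source_profile = default",
  "mfa_serial = arn:aws:iam::123456789012:mfa/user@example.com",
  "[profile loop-a]", "role_arn = arn:aws:iam::123456789012:role/A", "source_profile = loop-b",
  "[profile loop-b]", "role_arn = arn:aws:iam::123456789012:role/B", "source_profile = loop-a",
  "[default]", "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
].join("\n"));
```

Calling `auditProfile(SAMPLE, "production")` reports both the missing `mfa_serial` on the role profile and the static key in `default` that the chain ultimately relies on.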