feat(source-aws): add support for easily assuming roles

blacha · blacha · commit 11d7a1ce87a3 · 2021-09-15T13:45:35.000+12:00
diff --git a/packages/source-aws/src/s3.fs.ts b/packages/source-aws/src/s3.fs.ts
@@ -1,14 +1,64 @@
 import { FileInfo, FileSystem, isRecord } from '@chunkd/core';
+import S3 from 'aws-sdk/clients/s3.js';
+import { Credentials } from 'aws-sdk/lib/credentials.js';
+import { ChainableTemporaryCredentials } from 'aws-sdk/lib/credentials/chainable_temporary_credentials.js';
+import { EC2MetadataCredentials } from 'aws-sdk/lib/credentials/ec2_metadata_credentials.js';
+import { SharedIniFileCredentials } from 'aws-sdk/lib/credentials/shared_ini_file_credentials.js';
 import type { Readable } from 'stream';
 import { getCompositeError, SourceAwsS3 } from './s3.source.js';
 import { ListRes, S3Like } from './type.js';
 
+const Ec2 = Symbol();
+const x: typeof Ec2 = Ec2;
+console.log(x);
+
 export class FsAwsS3 implements FileSystem<SourceAwsS3> {
   static protocol = 's3';
   protocol = FsAwsS3.protocol;
   /** Max list requests to run before erroring */
   static MaxListCount = 100;
 
+  static Ec2Credentials = Ec2;
+
+  static credentials: Map<string, Credentials> = new Map();
+  /**
+   * Create a aws credential instance from a role arn
+   *
+   * if the AWS profile is "FsAwsS3.Ec2Credentials" use EC2MetadataCredentials, otherwise load credentials from the shared ini file
+   */
+  static getCredentials(roleArn: string, profile?: string | typeof Ec2, externalId?: string): Credentials {
+    const credKey = `${roleArn}::${roleArn}::${externalId}`;
+    let credentials = FsAwsS3.credentials.get(credKey);
+    if (credentials == null) {
+      const masterCredentials =
+        profile === Ec2 ? new EC2MetadataCredentials() : new SharedIniFileCredentials({ profile });
+      credentials = new ChainableTemporaryCredentials({
+        params: {
+          RoleArn: roleArn,
+          ExternalId: externalId,
+          RoleSessionName: 'fsa-' + Math.random().toString(32) + '-' + Date.now(),
+        },
+        masterCredentials,
+      });
+      FsAwsS3.credentials.set(credKey, credentials);
+    }
+    return credentials;
+  }
+
+  /**
+   * Create a FsS3 instance from a role arn
+   *
+   * if the AWS profile is "ec2" use EC2MetadataCredentials, otherwise load credentials from the shared ini file
+   *
+   * @example
+   * Fs3.fromRoleArn('arn:foo', 'ec2');
+   * FsS3.fromRoleArn('arn:bar', process.env.AWS_PROFILE);
+   */
+  static fromRoleArn(roleArn: string, profile?: string | typeof Ec2, externalId?: string): FsAwsS3 {
+    const credentials = FsAwsS3.getCredentials(roleArn, profile, externalId);
+    return new FsAwsS3(new S3({ credentials }));
+  }
+
   /** AWS-SDK s3 to use */
   s3: S3Like;
 
