Support AWS_SESSION_TOKEN authentication
oleiade opened this issue
Rationale
It has been brought to our attention that the library didn't cater to some of its users' use case, as it doesn't allow them to use session token-based authentication just yet.
Context
This authentication method would be rather common in contexts where our users log into AWS via SSO. The request for this feature has popped up from a support forum topic.
Feasibility and Scope
We believe this would imply some additions and modifications to this library's authentication and signature code. The feasibility is rather on the 👍🏻 side, but the scope is unclear.
Definition of done
The definition of done for session token-based authentication would be that users be able to pass an `AWS_SESSION_TOKEN` option to our client classes, such as `S3Client`, and successfully use the SDK with this authentication method onward:

```js
const awsConfig = new AWSConfig(
  __ENV.AWS_REGION,
  __ENV.AWS_ACCESS_KEY_ID,
  __ENV.AWS_SECRET_ACCESS_KEY,
  __ENV.AWS_SESSION_TOKEN
);
const s3 = new S3Client(awsConfig);
```
After doing some research, and validating some of the scope of this with our support user, I believe addressing this feature should have a limited scope.
Based on my understanding of the AWS signature's documentation, and the assumption that it would "just work" as described there, this would be as small as adding an HTTP header with the user's token to our request before signing it.
As we only support signing headers currently, this would not apply to query strings for now.
Based on this outcome, I would assume that to implement support for AWS security tokens in the library, we would need to:

- Update the `AWSConfig` to also accept a `securityToken` (name to be decided) field, meant to hold the user's AWS security token.
- Update the `signHeaders` function to add the `AWSConfig.securityToken` to the request headers (`X-Amz-Security-Token: {AWSConfig.securityToken}`) before actually proceeding with signing the headers.
jslib-aws v0.5.0 now supports this option 🎉