grafana / k6-jslib-aws

JavaScript library for interacting with AWS resources from k6 scripts

Support AWS_SESSION_TOKEN authentication

oleiade opened this issue · comments

Rationale

It has been brought to our attention that the library didn't cater to some of its users' use cases, as it doesn't allow them to use session token-based authentication just yet.

Context

This authentication method would be rather common in contexts where our users log into AWS via SSO. The request for this feature has popped up from a support forum topic.

Feasibility and Scope

We believe this would imply some additions and modifications to this library's authentication and signature code. The feasibility is rather on the 👍🏻 side, but the scope is unclear.

Definition of done

The definition of done for session tokens-based authentication would be that users be able to pass an AWS_SESSION_TOKEN option to our client classes, such as S3Client, and successfully use the SDK with this authentication method onward:

const awsConfig = new AWSConfig(
  __ENV.AWS_REGION,
  __ENV.AWS_ACCESS_KEY_ID,
  __ENV.AWS_SECRET_ACCESS_KEY,
  __ENV.AWS_SESSION_TOKEN
);

const s3 = new S3Client(awsConfig);

After doing some research, and validating some of the scope of this with our support user, I believe addressing this feature should have a limited scope.

Based on my understanding of the AWS signature's documentation, and the assumption that it would "just work" as described there, this would be as small as adding an HTTP header with the user's token to our request before signing it.

As we only support signing headers currently, this would not apply to query strings for now.

Based on this outcome, I would assume that to implement support for AWS security tokens in the library, we would need to:

  • Update the AWSConfig to also accept a securityToken (name to be decided) field, meant to hold the user's AWS security token.
  • Update the signHeaders function to add the AWSConfig.securityToken to the request headers (X-Amz-Security-Token: {AWSConfig.securityToken}) before actually proceeding with signing the headers.

jslib-aws v0.5.0 now supports this option 🎉