Skip STS calls for AWS account credentials when not needed

Skipping STS calls enables using the credential provider utility for calls to Minio Fixes #15669 Signed-off-by: Clare Liguori <liguori@amazon.com>
2023-01-12 08:59:25 -08:00
parent e4d8420996
commit 89062b8ba0
3 changed files with 19 additions and 11 deletions
@@ -0,0 +1,5 @@
+---
+'@backstage/integration-aws-node': patch
+---
+
+Skip STS API calls where not needed, to support Minio use cases
@@ -252,8 +252,12 @@ describe('DefaultAwsCredentialsManager', () => {
        },
      });
      const provider = DefaultAwsCredentialsManager.fromConfig(minConfig);
-      const awsCredentialProvider1 = await provider.getCredentialProvider({});
-      const awsCredentialProvider2 = await provider.getCredentialProvider({});
+      const awsCredentialProvider1 = await provider.getCredentialProvider({
+        accountId: '123456789012',
+      });
+      const awsCredentialProvider2 = await provider.getCredentialProvider({
+        accountId: '123456789012',
+      });

      expect(awsCredentialProvider1).toBe(awsCredentialProvider2);
      expect(stsMock).toHaveReceivedCommandTimes(GetCallerIdentityCommand, 1);
@@ -374,7 +378,7 @@ describe('DefaultAwsCredentialsManager', () => {
        arn: 'arn:aws:s3:::bucket_name',
      });

-      expect(awsCredentialProvider.accountId).toEqual('123456789012');
+      expect(awsCredentialProvider.accountId).toBeUndefined();

      const creds = await awsCredentialProvider.sdkCredentialProvider();
      expect(creds).toEqual({
@@ -387,7 +391,7 @@ describe('DefaultAwsCredentialsManager', () => {
      const provider = DefaultAwsCredentialsManager.fromConfig(config);
      const awsCredentialProvider = await provider.getCredentialProvider({});

-      expect(awsCredentialProvider.accountId).toEqual('123456789012');
+      expect(awsCredentialProvider.accountId).toBeUndefined();

      const creds = await awsCredentialProvider.sdkCredentialProvider();
      expect(creds).toEqual({
@@ -400,7 +404,7 @@ describe('DefaultAwsCredentialsManager', () => {
      const provider = DefaultAwsCredentialsManager.fromConfig(config);
      const awsCredentialProvider = await provider.getCredentialProvider();

-      expect(awsCredentialProvider.accountId).toEqual('123456789012');
+      expect(awsCredentialProvider.accountId).toBeUndefined();

      const creds = await awsCredentialProvider.sdkCredentialProvider();
      expect(creds).toEqual({
@@ -421,10 +425,11 @@ describe('DefaultAwsCredentialsManager', () => {

    it('rejects main account that has invalid credentials', async () => {
      stsMock.on(GetCallerIdentityCommand).rejects('No credentials found');
-      const provider = DefaultAwsCredentialsManager.fromConfig(config);
-      await expect(provider.getCredentialProvider({})).rejects.toThrow(
-        /No credentials found/,
-      );
+      const minConfig = new ConfigReader({});
+      const provider = DefaultAwsCredentialsManager.fromConfig(minConfig);
+      await expect(
+        provider.getCredentialProvider({ accountId: '123456789012' }),
+      ).rejects.toThrow(/No credentials found/);
    });
  });
 });
@@ -221,7 +221,6 @@ export class DefaultAwsCredentialsManager implements AwsCredentialsManager {
  ): Promise<AwsCredentialProvider> {
    // If no options provided, fall back to the main account
    if (!opts) {
-      await fillInAccountId(this.mainAccountCredentialProvider);
      return this.mainAccountCredentialProvider;
    }

@@ -235,7 +234,6 @@ export class DefaultAwsCredentialsManager implements AwsCredentialsManager {
    // If the account ID was not provided (explicitly or in the ARN),
    // fall back to the main account
    if (!accountId) {
-      await fillInAccountId(this.mainAccountCredentialProvider);
      return this.mainAccountCredentialProvider;
    }