in src/lib/awsConnectionParameters.ts [179:231]
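/**
 * Obtains temporary AWS credentials by exchanging the pipeline's OIDC token
 * for an STS session on the role configured in the service connection.
 *
 * The OIDC path is taken only when the service connection has OIDC enabled,
 * carries no static access-key / secret-key pair, and names a role to assume.
 * In every other case, and on any failure, the function returns `undefined`
 * so the caller can fall through to the next credential source (best-effort
 * by design, which is why the catch block swallows and logs).
 *
 * The web-identity token and the returned secret / session token are bearer
 * credentials: only the assumed-role ARN is ever written to the log.
 *
 * @param awsParams - The AWS connection parameters the task was built with.
 * @param endpointName - Name of the service connection, if any.
 * @returns Fresh `AWS.Credentials` for the assumed role, or `undefined`.
 */
async function attemptAssumeRoleFromOIDC(
  awsParams: AWSConnectionParameters,
  endpointName: string | undefined
): Promise<AWS.Credentials | undefined> {
  if (!endpointName) {
    return undefined
  }
  try {
    const authInfo = getEndpointAuthInfo(awsParams, endpointName)
    if (!authInfo.useOIDC) {
      console.log('Skipping OIDC: not enabled in service connections')
      return undefined
    }
    // Static keys take precedence over OIDC; a role ARN is required to exchange the token.
    if (authInfo.accessKey || authInfo.secretKey || !authInfo.assumeRoleArn) {
      console.log('Skipping OIDC: static credentials configured or no role ARN to assume')
      return undefined
    }

    console.log('Getting OIDC Token...')
    const idToken = await getOIDCToken(endpointName)

    // We are most probably outside of AWS, so let's use the region defined by the user
    const region = await getRegion()
    const stsClientConfig: STS.ClientConfiguration = {}
    if (region !== '') {
      stsClientConfig.region = region
      stsClientConfig.stsRegionalEndpoints = 'regional'
    }
    const sts = new STS(stsClientConfig)

    console.log('Assuming role via OIDC Token...')
    // An empty or missing session name falls back to the default, as before.
    authInfo.roleSessionName = authInfo.roleSessionName || defaultRoleSessionName
    const duration = getSessionDuration()
    const params = {
      RoleArn: authInfo.assumeRoleArn,
      RoleSessionName: authInfo.roleSessionName,
      WebIdentityToken: idToken,
      DurationSeconds: duration
    }
    const data = await sts.assumeRoleWithWebIdentity(params).promise()

    // Guard explicitly instead of relying on non-null assertions: a response
    // without Credentials would otherwise surface as a TypeError and be logged
    // as a generic "failed to assume role", hiding the real cause.
    const creds = data.Credentials
    if (!creds) {
      throw new Error('STS AssumeRoleWithWebIdentity response contained no credentials')
    }
    console.log('...role assumed via OIDC Token: %s', data.AssumedRoleUser?.Arn)
    return new AWS.Credentials({
      accessKeyId: creds.AccessKeyId,
      secretAccessKey: creds.SecretAccessKey,
      sessionToken: creds.SessionToken
    })
  } catch (err) {
    // Deliberate best-effort: report and let the caller try other credential sources.
    console.error('Failed to assume role with OIDC: %s', err)
    return undefined
  }
}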