googleapis / google-auth-library-nodejs

🔑 Google Auth Library for Node.js
Apache License 2.0

Feature Request: AWS SDK v3 credentials support #1320

Closed LumaKernel closed 2 years ago

LumaKernel commented 2 years ago

Is your feature request related to a problem? Please describe.

The new version of the AWS SDK, @aws-sdk/*, has a new feature for credentials, @aws-sdk/credentials-provider.

This provides credentials through a consistent interface (Credentials | CredentialsProvider) for any authentication method. For example, if we want to use Workload Identity Federation in an AWS container (like ECS) environment, we cannot use AwsClient because there is no metadata endpoint. This is also the case for AWS Lambda.

Definition of Credentials:

https://github.com/aws/aws-sdk-js-v3/blob/main/packages/types/src/credentials.ts#L3-L27

Definition of CredentialProvider:

https://github.com/aws/aws-sdk-js-v3/blob/842e39638d994b518d6580dd979031c8be738017/packages/types/src/credentials.ts#L29

Definition of Provider<T>:

https://github.com/aws/aws-sdk-js-v3/blob/842e39638d994b518d6580dd979031c8be738017/packages/types/src/util.ts#L34-L43

Describe the solution you'd like

I made a patch to support Credentials | CredentialsProvider: #1321. This is a refined version of our quick implementation (open source) for connecting from container credentials to firebase-admin through google-auth-library. It's working code in our preview environment. (It's open; if you need more detailed information about this, we can provide it.)

Describe alternatives you've considered

N/A

Additional context

N/A

bojeil-google commented 2 years ago

Hey @LumaKernel, the library supports AWS environment variables for environments where the metadata server is not available: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, etc. https://github.com/googleapis/google-auth-library-nodejs/blob/main/src/auth/awsclient.ts#L128-L138

bcoe commented 2 years ago

@LumaKernel please let us know if @bojeil-google's suggestion doesn't work for you :ok_hand:

clhuang commented 1 year ago

I'd like to reopen this -- the suggestion to use AWS environment variables works in Lambda, but it does not work in ECS or EKS environments.

From the comments on #1321:

We also have plans to support pluggable auth where you can have an external plugin provide AWS credentials for the libraries

Is there any timeline on when this might be implemented?
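
As an added example (not code from this thread, the library, or #1321): one way to bridge ECS task role credentials into the environment variables bojeil-google lists, validating the document and refusing credentials that are missing fields or close to expiry. It assumes the task sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and that the ECS credentials endpoint at 169.254.170.2 returns AccessKeyId, SecretAccessKey, Token and Expiration; the function names and the five-minute margin are hypothetical, and EKS is not covered.

```javascript
// Added example; toAwsEnv and exportEcsCredentials are hypothetical names.
const ECS_CREDENTIALS_HOST = 'http://169.254.170.2'; // ECS task credentials endpoint
const MIN_REMAINING_MS = 5 * 60 * 1000; // assumed margin: refuse credentials about to expire

// Validate an ECS credentials document and map it to the variable names
// mentioned in the thread. Throws rather than exporting partial values.
function toAwsEnv(doc, now = Date.now()) {
  for (const field of ['AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration']) {
    if (typeof doc?.[field] !== 'string' || doc[field] === '') {
      throw new Error(`container credentials missing ${field}`); // name only, never the value
    }
  }
  const expiresAt = Date.parse(doc.Expiration);
  if (Number.isNaN(expiresAt)) throw new Error('unparseable Expiration');
  if (expiresAt - now < MIN_REMAINING_MS) {
    throw new Error('container credentials expired or about to expire');
  }
  return {
    env: {
      AWS_ACCESS_KEY_ID: doc.AccessKeyId,
      AWS_SECRET_ACCESS_KEY: doc.SecretAccessKey,
      AWS_SESSION_TOKEN: doc.Token,
    },
    expiresAt,
  };
}

// Fetch the task role credentials and export them before the auth client is
// created. Returns the expiry (ms since epoch) so the caller can schedule a refresh.
async function exportEcsCredentials(env = process.env, fetchImpl = fetch) {
  const relativeUri = env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
  if (!relativeUri || !relativeUri.startsWith('/')) {
    throw new Error('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set');
  }
  const res = await fetchImpl(ECS_CREDENTIALS_HOST + relativeUri);
  if (!res.ok) throw new Error(`credentials endpoint returned ${res.status}`);
  const { env: awsEnv, expiresAt } = toAwsEnv(await res.json());
  Object.assign(env, awsEnv);
  return expiresAt;
}

// Constructed sample response (not real credentials).
const SAMPLE_DOC = {
  AccessKeyId: 'ASIAEXAMPLEEXAMPLE00',
  SecretAccessKey: 'constructed-secret',
  Token: 'constructed-session-token',
  Expiration: '2030-01-01T00:00:00Z',
};
```

The exported variables are a snapshot of short-lived credentials, so the call has to be repeated before the returned expiry.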