grafana / k6-jslib-aws

JavaScript library for interacting with AWS resources from k6 scripts
Apache License 2.0

Support AWS_SESSION_TOKEN authentication #5

Closed oleiade closed 2 years ago

oleiade commented 2 years ago

Rationale

It has been brought to our attention that the library didn't cater to some of its users' use cases, as it doesn't allow them to use session token-based authentication just yet.

Context

This authentication method would be rather common in contexts where our users log into AWS via SSO. The request for this feature has popped up from a support forum topic.

Feasibility and Scope

We believe this would imply some additions and modifications to this library's authentication and signature code. The feasibility is rather on the 👍🏻 side, but the scope is unclear.

Definition of done

The definition of done for session token-based authentication would be that users be able to pass an AWS_SESSION_TOKEN option to our client classes, such as S3Client, and successfully use the SDK with this authentication method onward:

const awsConfig = new AWSConfig(
  __ENV.AWS_REGION,
  __ENV.AWS_ACCESS_KEY_ID,
  __ENV.AWS_SECRET_ACCESS_KEY,
  __ENV.AWS_SESSION_TOKEN
);

const s3 = new S3Client(awsConfig);

oleiade commented 2 years ago

After doing some research, and validating some of the scope of this with our support user, I believe addressing this feature should have a limited scope.

Based on my understanding of the AWS signature's documentation, and the assumption that it would "just work" as described there, this would be as small as adding an HTTP header with the user's token to our request before signing it.

As we only support signing headers currently, this would not apply to query strings for now.

Based on this outcome, I would assume that to implement support for AWS security tokens in the library, we would need to:

oleiade commented 2 years ago

jslib-aws v0.5.0 now supports this option 🎉
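
The step discussed in the thread above (add the session token as an HTTP header, then sign), as an added example that is not part of the original issue or the library's own code. It is a minimal Node.js SigV4 header signer; `signRequest`, the credential object shape, the host name and all credential values are assumptions constructed for illustration.

```javascript
// Added example (Node.js): minimal SigV4 header signing for a body-less request.
// signRequest, the object shapes and every sample value are constructed here.
const crypto = require("crypto");

const sha256Hex = (data) => crypto.createHash("sha256").update(data).digest("hex");
const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

function signRequest({ method, host, path, region, service }, creds, amzDate) {
  const headers = { host, "x-amz-date": amzDate, "x-amz-content-sha256": sha256Hex("") };
  // Temporary (STS/SSO) credentials: the token is added as a header *before*
  // the canonical request is built, so the signature covers it.
  if (creds.sessionToken) headers["x-amz-security-token"] = creds.sessionToken;

  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join("");
  const signedHeaders = names.join(";");
  // Empty string in third position is the (unused) canonical query string.
  const canonicalRequest = [method, path, "", canonicalHeaders, signedHeaders, sha256Hex("")].join("\n");

  const date = amzDate.slice(0, 8);
  const scope = `${date}/${region}/${service}/aws4_request`;
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");

  // Signing key derivation chain: date -> region -> service -> "aws4_request".
  const signingKey = [date, region, service, "aws4_request"]
    .reduce((key, part) => hmac(key, part), "AWS4" + creds.secretAccessKey);
  const signature = hmac(signingKey, stringToSign).toString("hex");

  headers.authorization =
    `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { headers, signedHeaders, signature };
}

// Constructed sample input (placeholder values, not real credentials).
const request = {
  method: "GET", host: "example-bucket.s3.us-east-1.amazonaws.com", path: "/",
  region: "us-east-1", service: "s3",
};
const base = { accessKeyId: "AKIDEXAMPLE", secretAccessKey: "EXAMPLE-SECRET-KEY" };
const amzDate = "20230101T000000Z";
const longTerm = signRequest(request, base, amzDate);
const temporary = signRequest(request, { ...base, sessionToken: "EXAMPLE-SESSION-TOKEN" }, amzDate);
console.log(longTerm.signedHeaders);  // no token header for long-term keys
console.log(temporary.signedHeaders); // token header is part of what is signed
```

The session token is sent verbatim in `x-amz-security-token`, so request logging should redact that header the same way it redacts `Authorization`.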