Closed oleiade closed 2 years ago
After doing some research, and validating some of the scope of this with our support user, I believe addressing this feature should have a limited scope.
Based on my understanding of the AWS signature's documentation, and the assumption that it would "just work" as described there, this would be as small as adding an HTTP header with the user's token to our request before signing it.
As we only support signing headers currently, this would not apply to query strings for now.
Based on this outcome, I would assume that to implement support for AWS security tokens in the library, we would need to:
- `AWSConfig` to also accept a `securityToken` (name to be decided) field, meant to hold the user's AWS security token.
- `signHeaders` function to add the `AWSConfig.securityToken` to the request headers (`X-Amz-Security-Token: {AWSConfig.securityToken}`) before actually proceeding with signing the headers.

jslib-aws v0.5.0 now supports this option 🎉
Rationale
It has been brought to our attention that the library didn't cater to some of its users' use cases, as it doesn't allow them to use session token-based authentication just yet.
Context
This authentication method would be rather common in contexts where our users log into AWS via SSO. The request for this feature has popped up from a support forum topic.
Feasibility and Scope
We believe this would imply some additions and modifications to this library's authentication and signature code. The feasibility is rather on the 👍🏻 side, but the scope is unclear.
Definition of done
The definition of done for session token-based authentication would be that users be able to pass an `AWS_SESSION_TOKEN` option to our client classes, such as `S3Client`, and successfully use the SDK with this authentication method onward: