support aws instance profile to get key

2025-12-19 03:37:49 +00:00 · 2024-11-30 08:40:26 +07:00
parent a47ef6d7c4
commit 3bf74671c6
1 changed files with 31 additions and 8 deletions
--- a/lib/get-aws-sts-token.js
+++ b/lib/get-aws-sts-token.js
@@ -7,22 +7,23 @@ const CACHE_EXPIRY = process.env.AWS_STS_SESSION_RESET_EXPIRY || (EXPIRY - 600);

 async function getAwsAuthToken(
  logger, createHash, retrieveHash,
-  {accessKeyId, secretAccessKey, region, roleArn}) {
+  {speech_credential_sid, accessKeyId, secretAccessKey, region, roleArn}) {
  logger = logger || noopLogger;
  try {
-    const key = makeAwsKey(roleArn || accessKeyId);
+    // if incase instance profile is used, speech_credential_sid will be used as key to lookup cache
+    const key = makeAwsKey(roleArn || accessKeyId || speech_credential_sid);
    const obj = await retrieveHash(key);
    if (obj) return {...obj, servedFromCache: true};
-
+    /* access token not found in cache, so generate it using STS */
    let data;
+    let expiry = CACHE_EXPIRY;
    if (roleArn) {
      const stsClient = new STSClient({ region });
      const roleToAssume = { RoleArn: roleArn, RoleSessionName: 'Jambonz_Speech', DurationSeconds: EXPIRY};
      const command = new AssumeRoleCommand(roleToAssume);

      data = await stsClient.send(command);
-    } else {
-      /* access token not found in cache, so generate it using STS */
+    } else if (accessKeyId) {
      const stsClient = new STSClient({
        region,
        credentials: {
@@ -32,6 +33,26 @@ async function getAwsAuthToken(
      });
      const command = new GetSessionTokenCommand({DurationSeconds: EXPIRY});
      data = await stsClient.send(command);
+    } else {
+      // instance profile is used.
+      const stsClient = new STSClient({ region });
+      const cred = await stsClient.config.credentials();
+      // method in the AWS SDK automatically fetches credentials using the default credential
+      // provider chain. If the credentials come from an instance profile or an environment
+      // variable, their expiration is controlled by AWS and not explicitly by our code.
+      if (cred && cred.expiration) {
+        const currentTime = new Date();
+        const expiryTime = new Date(cred.expiration);
+        const remainingTimeInSeconds = Math.round((expiryTime - currentTime) / 1000);
+        expiry = remainingTimeInSeconds;
+      }
+      data = {
+        Credentials: {
+          AccessKeyId: cred.accessKeyId,
+          SecretAccessKey: cred.secretAccessKey,
+          SessionToken: cred.sessionToken
+        }
+      };
    }

    const credentials = {
@@ -40,9 +61,11 @@ async function getAwsAuthToken(
      sessionToken: data.Credentials.SessionToken,
      securityToken: data.Credentials.SessionToken
    };
-
-    createHash(key, credentials, CACHE_EXPIRY)
-      .catch((err) => logger.error(err, `Error saving hash for key ${key}`));
+    // Only cache if expiry is good
+    if (expiry > 0) {
+      createHash(key, credentials, expiry)
+        .catch((err) => logger.error(err, `Error saving hash for key ${key}`));
+    }

    return {...credentials, servedFromCache: false};
  } catch (err) {