From 743b2f6595e16678bb642df0f473bdf32e0725cd Mon Sep 17 00:00:00 2001 From: George Fu Date: Wed, 20 Dec 2023 16:52:34 +0000 Subject: [PATCH] feat(credential-providers): add credentialScope field --- .../client-sts/src/defaultStsRoleAssumers.ts | 20 ++++++++++----- .../sts-client-defaultStsRoleAssumers.ts | 25 +++++++++++++------ .../credential-provider-env/src/fromEnv.ts | 6 +++++ .../src/resolveStaticCredentials.ts | 2 ++ .../src/ProcessCredentials.ts | 1 + .../src/getValidatedProcessCredentials.ts | 1 + .../src/resolveSSOCredentials.ts | 8 ++++-- .../src/fromTemporaryCredentials.ts | 2 ++ 8 files changed, 50 insertions(+), 15 deletions(-) diff --git a/clients/client-sts/src/defaultStsRoleAssumers.ts b/clients/client-sts/src/defaultStsRoleAssumers.ts index fe4886f2d39c2..cdee4e2df7522 100644 --- a/clients/client-sts/src/defaultStsRoleAssumers.ts +++ b/clients/client-sts/src/defaultStsRoleAssumers.ts @@ -1,8 +1,7 @@ // smithy-typescript generated code // Please do not touch this file. It's generated from template in: // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts -import { Credentials } from "@aws-sdk/types"; -import { Provider } from "@smithy/types"; +import { AwsCredentialIdentity, Provider } from "@smithy/types"; import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand"; import { @@ -14,7 +13,10 @@ import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSC /** * @internal */ -export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise; +export type RoleAssumer = ( + sourceCreds: AwsCredentialIdentity, + params: AssumeRoleCommandInput +) => Promise; const ASSUME_ROLE_DEFAULT_REGION = "us-east-1"; 
@@ -43,7 +45,7 @@ export const getDefaultRoleAssumer = ( stsClientCtor: new (options: STSClientConfig) => STSClient ): RoleAssumer => { let stsClient: STSClient; - let closureSourceCreds: Credentials; + let closureSourceCreds: AwsCredentialIdentity; return async (sourceCreds, params) => { closureSourceCreds = sourceCreds; if (!stsClient) { @@ -65,6 +67,8 @@ export const getDefaultRoleAssumer = ( secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, + // TODO(credentialScope): access normally when shape is updated. + credentialScope: (Credentials as any).CredentialScope, }; }; }; @@ -72,7 +76,9 @@ export const getDefaultRoleAssumer = ( /** * @internal */ -export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise; +export type RoleAssumerWithWebIdentity = ( + params: AssumeRoleWithWebIdentityCommandInput +) => Promise; /** * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed. @@ -101,6 +107,8 @@ export const getDefaultRoleAssumerWithWebIdentity = ( secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, + // TODO(credentialScope): access normally when shape is updated. + credentialScope: (Credentials as any).CredentialScope, }; }; }; @@ -108,7 +116,7 @@ export const getDefaultRoleAssumerWithWebIdentity = ( /** * @internal */ -export type DefaultCredentialProvider = (input: any) => Provider; +export type DefaultCredentialProvider = (input: any) => Provider; /** * The default credential providers depend STS client to assume role with desired API: sts:assumeRole, 
diff --git a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts index 40a68f0d9da53..fb22ebccb7bc2 100644 --- a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts +++ b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts @@ -1,5 +1,4 @@ -import { Credentials } from "@aws-sdk/types"; -import { Provider } from "@smithy/types"; +import { AwsCredentialIdentity, Provider } from "@smithy/types"; import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand"; import { @@ -11,7 +10,10 @@ import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSC /** * @internal */ -export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise; +export type RoleAssumer = ( + sourceCreds: AwsCredentialIdentity, + params: AssumeRoleCommandInput +) => Promise; const ASSUME_ROLE_DEFAULT_REGION = "us-east-1"; @@ -40,7 +42,7 @@ export const getDefaultRoleAssumer = ( stsClientCtor: new (options: STSClientConfig) => STSClient ): RoleAssumer => { let stsClient: STSClient; - let closureSourceCreds: Credentials; + let closureSourceCreds: AwsCredentialIdentity; return async (sourceCreds, params) => { closureSourceCreds = sourceCreds; if (!stsClient) { @@ -62,6 +64,8 @@ export const getDefaultRoleAssumer = ( secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, + // TODO(credentialScope): access normally when shape is updated. + credentialScope: (Credentials as any).CredentialScope, }; }; }; 
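Review bot: The `(Credentials as any).CredentialScope` read in the object returned by getDefaultRoleAssumer (hunk `@@ -62,6 +64,8 @@`) switches off type checking for a value that is handed to callers as part of the assumed-role credentials. The same line is repeated in getDefaultRoleAssumerWithWebIdentity (hunk `@@ -98,6 +104,8 @@`) and in both matching hunks of the generated clients/client-sts copy. Until the STS shape carries the member, a narrower cast keeps the field typed as an optional string, for example `credentialScope: (Credentials as typeof Credentials & { CredentialScope?: string }).CredentialScope,`. The key is also always present here, with the value undefined when the response has no scope, whereas fromEnv in this commit omits it through `...(credentialScope && { credentialScope })`; the same conditional spread would keep the providers consistent. The function body starts and ends outside the hunk, so the declaration of `Credentials` is not visible here.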
@@ -69,7 +73,9 @@ export const getDefaultRoleAssumer = ( /** * @internal */ -export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise; +export type RoleAssumerWithWebIdentity = ( + params: AssumeRoleWithWebIdentityCommandInput +) => Promise; /** * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed. @@ -98,6 +104,8 @@ export const getDefaultRoleAssumerWithWebIdentity = ( secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken, expiration: Credentials.Expiration, + // TODO(credentialScope): access normally when shape is updated. + credentialScope: (Credentials as any).CredentialScope, }; }; }; @@ -105,7 +113,7 @@ export const getDefaultRoleAssumerWithWebIdentity = ( /** * @internal */ -export type DefaultCredentialProvider = (input: any) => Provider; +export type DefaultCredentialProvider = (input: any) => Provider; /** * The default credential providers depend STS client to assume role with desired API: sts:assumeRole, @@ -120,6 +128,9 @@ export const decorateDefaultCredentialProvider = (input: STSClientResolvedConfig) => provider({ roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor as new (options: STSClientConfig) => STSClient), - roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor as new (options: STSClientConfig) => STSClient), + roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity( + input, + input.stsClientCtor as new (options: STSClientConfig) => STSClient + ), ...input, }); diff --git a/packages/credential-provider-env/src/fromEnv.ts b/packages/credential-provider-env/src/fromEnv.ts index aac045ff2b3bf..4618bab05e9d0 100644 --- a/packages/credential-provider-env/src/fromEnv.ts +++ b/packages/credential-provider-env/src/fromEnv.ts 
@@ -17,6 +17,10 @@ export const ENV_SESSION = "AWS_SESSION_TOKEN"; * @internal */ export const ENV_EXPIRATION = "AWS_CREDENTIAL_EXPIRATION"; +/** + * @internal + */ +export const ENV_CREDENTIAL_SCOPE = "AWS_CREDENTIAL_SCOPE"; /** * @internal @@ -30,6 +34,7 @@ export const fromEnv = (): AwsCredentialIdentityProvider => async () => { const secretAccessKey: string | undefined = process.env[ENV_SECRET]; const sessionToken: string | undefined = process.env[ENV_SESSION]; const expiry: string | undefined = process.env[ENV_EXPIRATION]; + const credentialScope: string | undefined = process.env[ENV_CREDENTIAL_SCOPE]; if (accessKeyId && secretAccessKey) { return { @@ -37,6 +42,7 @@ export const fromEnv = (): AwsCredentialIdentityProvider => async () => { secretAccessKey, ...(sessionToken && { sessionToken }), ...(expiry && { expiration: new Date(expiry) }), + ...(credentialScope && { credentialScope }), }; } diff --git a/packages/credential-provider-ini/src/resolveStaticCredentials.ts b/packages/credential-provider-ini/src/resolveStaticCredentials.ts index 663ea2e799a84..934d377a7f1e0 100644 --- a/packages/credential-provider-ini/src/resolveStaticCredentials.ts +++ b/packages/credential-provider-ini/src/resolveStaticCredentials.ts @@ -7,6 +7,7 @@ export interface StaticCredsProfile extends Profile { aws_access_key_id: string; aws_secret_access_key: string; aws_session_token?: string; + aws_credential_scope?: string; } /** @@ -27,4 +28,5 @@ export const resolveStaticCredentials = (profile: StaticCredsProfile): Promise
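Review bot: `AWS_CREDENTIAL_SCOPE` is copied into the identity returned by fromEnv with no check beyond truthiness, and the new `ENV_CREDENTIAL_SCOPE` constant carries only an `@internal` tag, so nothing in the hunk says what the variable means or which values are expected. A doc comment such as `/** Environment variable whose value is passed through unchanged as the credentialScope of the resolved identity. @internal */` would make this new configuration input visible to anyone auditing the process environment. The diffstat lists no spec files, so a test that sets the variable and asserts both the populated and the omitted field would pin the behaviour; the empty string is already dropped by `...(credentialScope && { credentialScope })`. The body of fromEnv continues outside these hunks.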