const { sprintf } = require('printj');
const fmt = require('./fmt.js');
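module.exports = {
  /**
   * Exchange a SAML assertion for temporary AWS credentials via STS
   * `AssumeRoleWithSAML`.
   *
   * The role ARN and the saml-provider (principal) ARN are both extracted
   * from `roleAttributeValue` with unanchored regexes, so the two ARNs may
   * appear in either order (comma separated) and the first occurrence of
   * each wins. The extraction here is not a trust boundary: STS is expected
   * to validate the RoleArn/PrincipalArn pair against the signed assertion
   * (not verified in this file).
   *
   * @param {object} config - Application config. `config.AccountAliases`,
   *   when present, is an array of `{ AccountNumber, Alias }` used only to
   *   make log messages friendlier.
   * @param {object} logger - Logger exposing `info`, `error` and `debug`.
   * @param {object} STS - AWS SDK v2-style STS client; only
   *   `assumeRoleWithSAML(params).promise()` is called on it.
   * @param {string} roleAttributeValue - One value of the SAML `Role`
   *   attribute, expected to contain a role ARN and a saml-provider ARN.
   * @param {string} SAMLAssertion - Base64-encoded SAML assertion, passed to
   *   STS unchanged and never logged here.
   * @returns {Promise<{accountNumber: string, roleName: string, credentials: object}|null>}
   *   The parsed account number and role name plus the STS `Credentials`
   *   object (AccessKeyId/SecretAccessKey/SessionToken — treat as secrets;
   *   this function never logs them), or `null` when the attribute value
   *   cannot be parsed or the STS call fails.
   */
  assumeRole: async (config, logger, STS, roleAttributeValue, SAMLAssertion) => {
    // NOTE(review): the partition is hard-coded to `aws`; GovCloud/China
    // ARNs (`aws-us-gov`, `aws-cn`) will not match — confirm whether those
    // partitions need to be supported before widening the pattern.
    const rePrincipal = /arn:aws:iam:[^:]*:[0-9]+:saml-provider\/[^,]+/i;
    const reRole = /arn:aws:iam:[^:]*:([0-9]+):role\/([^,]+)/i;

    const attribute = typeof roleAttributeValue === 'string' ? roleAttributeValue : '';
    const principalMatches = attribute.match(rePrincipal);
    const roleMatches = attribute.match(reRole);

    // Fix: a non-matching attribute previously threw a TypeError on
    // `roleMatches[1]` outside the try block, so the caller received a
    // rejected promise instead of the documented `null`. Fail closed and
    // explain why; the attribute holds only ARNs, so it is safe to log
    // at debug level.
    if (principalMatches === null || roleMatches === null) {
      logger.error('Role attribute value does not contain both a role ARN and a saml-provider ARN');
      logger.debug(attribute);
      return null;
    }

    const accountNumber = roleMatches[1];
    const roleName = roleMatches[2];
    const params = {
      PrincipalArn: principalMatches[0],
      RoleArn: roleMatches[0],
      SAMLAssertion,
    };

    // Resolve a display name for the account: the alias configured for this
    // account number (the last one wins if several are configured), falling
    // back to the bare account number when no alias is set or it is empty.
    // Comparison is strict string equality — a numeric `AccountNumber` in the
    // config would not match; confirm the config's shape if aliases never
    // resolve. A missing or non-array `AccountAliases` is treated as empty
    // rather than throwing.
    const aliases = config && Array.isArray(config.AccountAliases)
      ? config.AccountAliases
      : [];
    const matching = aliases.filter(x => x.AccountNumber === accountNumber);
    const alias = matching.length > 0 ? matching[matching.length - 1].Alias : null;
    const roleAccount = alias || accountNumber;

    try {
      logger.info(sprintf(fmt.ASSUME_ROLE_BEGIN, roleName, roleAccount));
      const response = await STS.assumeRoleWithSAML(params).promise();
      logger.info(sprintf(fmt.ASSUME_ROLE_SUCCESS, roleName, roleAccount));
      return {
        accountNumber,
        roleName,
        credentials: response.Credentials,
      };
    } catch (e) {
      // Only the message and stack are logged; the request params (which
      // carry the assertion) and any credentials are deliberately not.
      logger.error(e.message);
      logger.debug(e.stack);
      return null;
    }
  },
};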