如何在 AWS SDK 中将 AWS SSO 临时凭证用于本地，但将实例角色用于生产？

Question

I understand how to use AWS SSO temporary credentials in my SDK, from this question and this question and this documentation . It's pretty simple, really:

 import { fromSSO } from "@aws-sdk/credential-providers"; const client = new FooClient({ credentials: fromSSO({ profile: "my-sso-profile" }) });

And this code will work perfectly fine in my local computer and in my teammates' computers (so long as they are logged to AWS SSO with AWS CLI). However, it's not at all clear to me how to modify this so that it works both on our local computers with AWS SSO and on an EC2 instance with an Instance Role. It's obvious that the EC2 instance should not have access to AWS SSO, but rather it should get its permissions from the IAM Policies attached to its associated Instance Role. But how would my code look like, to account for both scenarios?

I'm taking a wild stab a this:

 import { fromInstanceMetadata, fromSSO } from "@aws-sdk/credential-providers"; const isEc2Instance = "I HAVE NO IDEA WHAT TO DO HERE"; let credentials; if (isEc2Instance) { credentials = fromInstanceMetadata({ // Optional. The connection timeout (in milliseconds) to apply to any remote requests. // If not specified, a default value of `1000` (one second) is used. timeout: 1000, // Optional. The maximum number of times any HTTP connections should be retried. If not // specified, a default value of `0` will be used. maxRetries: 0, }); } else { credentials = fromSSO({ profile: "my-sso-profile" }); } const client = new FooClient({ credentials: credentials });

The code for getting the credentials from instance metadata is from here so it's probably correct. But as line 2 says, I have no idea how to determine whether I should be using AWS SSO or InstanceMetadata or something else (perhaps for other platforms, like what if this code is deployed in EC2 for dev env and ECS/EKS for prod env?).

Maybe this if statement is not the right approach. I would gladly consider another option.

So, what would be the correct way to write code that gets the AWS credentials from the correct source depending on the platform where it's running?

And yes, since these credentials will be the same for any AWS SDK Client anywhere in the app, the code that gets the credentials should be abstracted away from this, and 5 if statements in a CredentialsHelper doesn't sound so bad, but I didn't want to overcomplicate this question.

The code is JavaScript and I'm looking for something that works in Node.js, but I think the logic would be the same in any language.

Answer 1

You need to have DefaultAWSCredentialsProviderChain added in your code. This will take your credentials in local and will take instance credentials when deployed in EC2 using EKS .
Moreover, add this snippet to your code:

private def getProvider(awsConfig: AWSConfig): Either[Throwable, AWSCredentialsProvider] = {
    def isDefault(key: String): Boolean = key == "default"
    def isIam(key: String): Boolean = key == "iam"
    def isEnv(key: String): Boolean = key == "env"

    ((awsConfig.accessKey, awsConfig.secretKey) match {
      case (a, s) if isDefault(a) && isDefault(s) =>
        new DefaultAWSCredentialsProviderChain().asRight
      case (a, s) if isDefault(a) || isDefault(s) =>
        "accessKey and secretKey must both be set to 'default' or neither".asLeft
      case (a, s) if isIam(a) && isIam(s) =>
        InstanceProfileCredentialsProvider.getInstance().asRight
      case (a, s) if isIam(a) && isIam(s) =>
        "accessKey and secretKey must both be set to 'iam' or neither".asLeft
      case (a, s) if isEnv(a) && isEnv(s) =>
        new EnvironmentVariableCredentialsProvider().asRight
      case (a, s) if isEnv(a) || isEnv(s) =>
        "accessKey and secretKey must both be set to 'env' or neither".asLeft
      case _ =>
        new AWSStaticCredentialsProvider(
          new BasicAWSCredentials(awsConfig.accessKey, awsConfig.secretKey)
        ).asRight
    }).leftMap(new IllegalArgumentException(_))
}