aws · trivikr · May 10, 2021 · May 7, 2021 · May 8, 2021 · May 10, 2021
@@ -1,3 +1,5 @@
+// Please do not touch this file. It's generated from template in:
+// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultRoleAssumers.spec.ts
 import { HttpResponse } from "@aws-sdk/protocol-http";
 import { Readable } from "stream";
 const assumeRoleResponse = `<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">

@@ -1,3 +1,5 @@
+// Please do not touch this file. It's generated from template in:
+// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultRoleAssumers.ts
 import {
   DefaultCredentialProvider,
   getDefaultRoleAssumer as StsGetDefaultRoleAssumer,

@@ -1,3 +1,5 @@
+// Please do not touch this file. It's generated from template in:
+// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
 import { Credentials, Provider } from "@aws-sdk/types";
 
 import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";

@@ -53,6 +53,7 @@
 public final class AddAwsAuthPlugin implements TypeScriptIntegration {
     static final String STS_CLIENT_PREFIX = "sts-client-";
     static final String ROLE_ASSUMERS_FILE = "defaultRoleAssumers";
+    static final String ROLE_ASSUMERS_TEST_FILE = "defaultRoleAssumers.spec";
     static final String STS_ROLE_ASSUMERS_FILE = "defaultStsRoleAssumers";
 
     @Override
@@ -155,14 +156,25 @@ public void writeAdditionalFiles(
         if (!testServiceId(service, "STS")) {
             return;
         }
+        String noTouchNoticePrefix = "// Please do not touch this file. It's generated from template in:\n"
+                + "// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/"
+                + "src/main/resources/software/amazon/smithy/aws/typescript/codegen/";
         writerFactory.accept("defaultRoleAssumers.ts", writer -> {
-            String source = IoUtils.readUtf8Resource(getClass(),
-                    String.format("%s%s.ts", STS_CLIENT_PREFIX, ROLE_ASSUMERS_FILE));
+            String resourceName = String.format("%s%s.ts", STS_CLIENT_PREFIX, ROLE_ASSUMERS_FILE);
+            String source = IoUtils.readUtf8Resource(getClass(), resourceName);
+            writer.write("$L$L", noTouchNoticePrefix, resourceName);
             writer.write("$L", source);
         });
         writerFactory.accept("defaultStsRoleAssumers.ts", writer -> {
-            String source = IoUtils.readUtf8Resource(getClass(),
-                    String.format("%s%s.ts", STS_CLIENT_PREFIX, STS_ROLE_ASSUMERS_FILE));
+            String resourceName = String.format("%s%s.ts", STS_CLIENT_PREFIX, STS_ROLE_ASSUMERS_FILE);
+            String source = IoUtils.readUtf8Resource(getClass(), resourceName);
+            writer.write("$L$L", noTouchNoticePrefix, resourceName);
+            writer.write("$L", source);
+        });
+        writerFactory.accept("defaultRoleAssumers.spec.ts", writer -> {
+            String resourceName = String.format("%s%s.ts", STS_CLIENT_PREFIX, ROLE_ASSUMERS_TEST_FILE);
+            String source = IoUtils.readUtf8Resource(getClass(), resourceName);
+            writer.write("$L$L", noTouchNoticePrefix, resourceName);
             writer.write("$L", source);
         });
     }

@@ -0,0 +1,62 @@
+import { HttpResponse } from "@aws-sdk/protocol-http";
+import { Readable } from "stream";
+const assumeRoleResponse = `<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+<AssumeRoleResult>
+  <AssumedRoleUser>
+    <AssumedRoleId>AROAZOX2IL27GNRBJHWC2:session</AssumedRoleId>
+    <Arn>arn:aws:sts::123:assumed-role/assume-role-test/session</Arn>
+  </AssumedRoleUser>
+  <Credentials>
+    <AccessKeyId>key</AccessKeyId>
+    <SecretAccessKey>secrete</SecretAccessKey>
+    <SessionToken>session-token</SessionToken>
+    <Expiration>2021-05-05T23:22:08Z</Expiration>
+  </Credentials>
+</AssumeRoleResult>
+<ResponseMetadata>
+  <RequestId>12345678id</RequestId>
+</ResponseMetadata>
+</AssumeRoleResponse>`;
+const mockHandle = jest.fn().mockResolvedValue({
+  response: new HttpResponse({
+    statusCode: 200,
+    body: Readable.from([""]),
+  }),
+});
+jest.mock("@aws-sdk/node-http-handler", () => ({
+  NodeHttpHandler: jest.fn().mockImplementation(() => ({
+    destroy: () => {},
+    handle: mockHandle,
+  })),
+  streamCollector: async () => Buffer.from(assumeRoleResponse),
+}));
+
+import { getDefaultRoleAssumer } from "./defaultRoleAssumers";
+import type { AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
+
+describe("getDefaultRoleAssumer", () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+  it("should use supplied source credentials", async () => {
+    const roleAssumer = getDefaultRoleAssumer();
+    const params: AssumeRoleCommandInput = {
+      RoleArn: "arn:aws:foo",
+      RoleSessionName: "session",
+    };
+    const sourceCred1 = { accessKeyId: "key1", secretAccessKey: "secrete1" };
+    await roleAssumer(sourceCred1, params);
+    expect(mockHandle).toBeCalledTimes(1);
+    // Validate request is signed by sourceCred1
+    expect(mockHandle.mock.calls[0][0].headers?.authorization).toEqual(
+      expect.stringContaining("AWS4-HMAC-SHA256 Credential=key1/")
+    );
+    const sourceCred2 = { accessKeyId: "key2", secretAccessKey: "secrete1" };
+    await roleAssumer(sourceCred2, params);
+    // Validate request is signed by sourceCred2
+    expect(mockHandle).toBeCalledTimes(2);
+    expect(mockHandle.mock.calls[1][0].headers?.authorization).toEqual(
+      expect.stringContaining("AWS4-HMAC-SHA256 Credential=key2/")
+    );
+  });
+});
@@ -39,12 +39,15 @@ export const getDefaultRoleAssumer = (
   stsClientCtor: new (options: STSClientConfig) => STSClient
 ): RoleAssumer => {
   let stsClient: STSClient;
+  let closureSourceCreds: Credentials;
   return async (sourceCreds, params) => {
+    closureSourceCreds = sourceCreds;
     if (!stsClient) {
       const { logger, region } = stsOptions;
       stsClient = new stsClientCtor({
         logger,
-        credentials: sourceCreds,
+        // A hack to make sts client uses the credential in current closure.
+        credentialDefaultProvider: () => async () => closureSourceCreds,
         region: decorateDefaultRegion(region),
       });
     }

@@ -21,7 +21,7 @@ const getOverwritablePredicate = (packageName) => (pathName) => {
     "README.md",
   ];
   const additionalGeneratedFiles = {
-    "@aws-sdk/client-sts": ["defaultRoleAssumers.ts", "defaultStsRoleAssumers.ts"],
+    "@aws-sdk/client-sts": ["defaultRoleAssumers.ts", "defaultStsRoleAssumers.ts", "defaultRoleAssumers.spec.ts"],
   };
   return (
     pathName