Creates a credential provider that will attempt to find credentials from the following sources (listed in order of precedence):
process.envThe default credential provider will invoke one provider at a time and only
continue to the next if no credentials have been located. For example, if
the process finds values defined via the AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY environment variables, the files at
~/.aws/credentials and ~/.aws/config will not be read, nor will any
messages be sent to the Instance Metadata Service.
Configuration that is passed to each individual provider
@aws-sdk/credential-provider-node
AWS Credential Provider for Node.JS
This module provides a factory function,
fromEnv, that will attempt to source AWS credentials from a Node.JS environment. It will attempt to find credentials from the following sources (listed in order of precedence):process.envThe default credential provider will invoke one provider at a time and only continue to the next if no credentials have been located. For example, if the process finds values defined via the
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables, the files at~/.aws/credentialsand~/.aws/configwill not be read, nor will any messages be sent to the Instance Metadata Service.If invalid configuration is encountered (such as a profile in
~/.aws/credentialsspecifying as itssource_profilethe name of a profile that does not exist), then the chained provider will be rejected with an error and will not invoke the next provider in the list.IMPORTANT: if you intend for your code to run using EKS roles at some point (for example in a production environment, but not when working locally) then you must explicitly specify a value for
roleAssumerWithWebIdentity. There is a default function available in@aws-sdk/client-stspackage. An example of using this:const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts"); const { defaultProvider } = require("@aws-sdk/credential-provider-node"); const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3"); const provider = defaultProvider({ roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity, }); const client = new S3Client({ credentialDefaultProvider: provider });IMPORTANT: We provide a wrapper of this provider in
@aws-sdk/credential-providerspackage to save you from importinggetDefaultRoleAssumerWithWebIdentity()orgetDefaultRoleAssume()from STS package. Similarly, you can do:const { fromNodeProviderChain } = require("@aws-sdk/credential-providers"); const credentials = fromNodeProviderChain(); const client = new S3Client({ credentials });Supported configuration
You may customize how credentials are resolved by providing an options hash to the
defaultProviderfactory function. The following options are supported:profile- The configuration profile to use. If not specified, the provider will use the value in theAWS_PROFILEenvironment variable or a default ofdefault.filepath- The path to the shared credentials file. If not specified, the provider will use the value in theAWS_SHARED_CREDENTIALS_FILEenvironment variable or a default of~/.aws/credentials.configFilepath- The path to the shared config file. If not specified, the provider will use the value in theAWS_CONFIG_FILEenvironment variable or a default of~/.aws/config.mfaCodeProvider- A function that returns a a promise fulfilled with an MFA token code for the provided MFA Serial code. If a profile requires an MFA code andmfaCodeProvideris not a valid function, the credential provider promise will be rejected.roleAssumer- A function that assumes a role and returns a promise fulfilled with credentials for the assumed role. If not specified, the SDK will create an STS client and call itsassumeRolemethod.roleArn- ARN to assume. If not specified, the provider will use the value in theAWS_ROLE_ARNenvironment variable.webIdentityTokenFile- File location of where theOIDCtoken is stored. If not specified, the provider will use the value in theAWS_WEB_IDENTITY_TOKEN_FILEenvironment variable.roleAssumerWithWebIdentity- A function that assumes a role with web identity and returns a promise fulfilled with credentials for the assumed role.timeout- The connection timeout (in milliseconds) to apply to any remote requests. If not specified, a default value of1000(one second) is used.maxRetries- The maximum number of times any HTTP connections should be retried. If not specified, a default value of0will be used.Related packages: