We announced the upcoming end-of-support for AWS SDK for JavaScript v2.
We recommend that you migrate to AWS SDK for JavaScript v3. For dates, additional details, and information on how to migrate, please refer to the linked announcement.

Class: AWS.TokenFileWebIdentityCredentials

AWS.Credentials show all
Defined in:



This feature is not supported in the browser environment of the SDK.

Represents OIDC credentials from a file on disk If the credentials expire, the SDK can refresh() the credentials from the file.

Using the web identity token file

This provider is checked by default in the Node.js environment. To use the provider simply add your OIDC token to a file (ASCII encoding) and share the filename in either AWS_WEB_IDENTITY_TOKEN_FILE environment variable or web_identity_token_file shared config variable

The file contains encoded OIDC token and the characters are ASCII encoded. OIDC tokens are JSON Web Tokens (JWT). JWT's are 3 base64 encoded strings joined by the '.' character.

This class will read filename from AWS_WEB_IDENTITY_TOKEN_FILE environment variable or web_identity_token_file shared config variable, and get the OIDC token from filename. It will also read IAM role to be assumed from AWS_ROLE_ARN environment variable or role_arn shared config variable. This provider gets credetials using the AWS.STS.assumeRoleWithWebIdentity() service operation

Constructor Summary collapse

Property Summary

Properties inherited from AWS.Credentials

expired, expireTime, accessKeyId, secretAccessKey, sessionToken, expiryWindow

Method Summary collapse

Methods inherited from AWS.Credentials

needsRefresh, get, getPromise, refreshPromise

Constructor Details

new AWS.TokenFileWebIdentityCredentials(clientConfig) ⇒ void


Creating a new credentials object

AWS.config.credentials = new AWS.TokenFileWebIdentityCredentials(
 // optionally provide configuration to apply to the underlying AWS.STS service client
 // if configuration is not provided, then configuration will be pulled from AWS.config
   // specify timeout options
   httpOptions: {
     timeout: 100

See Also:

Method Details

refresh(callback) ⇒ void

Refreshes credentials using AWS.STS.assumeRoleWithWebIdentity()

Callback (callback):

  • function(err) { ... }

    Called when the STS service responds (or fails). When this callback is called with no error, it means that the credentials information has been loaded into the object (as the accessKeyId, secretAccessKey, and sessionToken properties).


    • err (Error)

      if an error occurred, this value will be filled

See Also: