const { sprintf } = require('printj');
const fmt = require('./fmt.js');
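module.exports = {
  /**
   * Exchange a SAML assertion for temporary credentials with STS AssumeRoleWithSAML.
   *
   * The principal and role ARNs are parsed out of one value of the SAML `Role`
   * attribute, the target account is looked up in `config.AccountAliases` for a
   * friendly name and a session duration, and the request is sent to STS.
   *
   * @param {object} config - Loaded configuration. `config.AccountAliases`, when
   *   present, is an array of `{ AccountNumber, Alias, DurationSeconds }` records.
   * @param {object} logger - Logger exposing `info`, `error` and `debug`.
   * @param {object} STS - AWS SDK v2 STS client (`assumeRoleWithSAML(...).promise()`).
   * @param {string} roleAttributeValue - One SAML `Role` attribute value holding a
   *   SAML-provider ARN and a role ARN separated by a comma (either order).
   * @param {string} SAMLAssertion - Base64-encoded SAML response passed through to STS.
   * @returns {Promise<{accountNumber: string, roleName: string, credentials: object} | null>}
   *   Parsed account/role plus `response.Credentials`, or `null` when the attribute
   *   value cannot be parsed or STS rejects the request (the error is logged, not thrown).
   */
  assumeRole: async (config, logger, STS, roleAttributeValue, SAMLAssertion) => {
    // Session length used when the account has no configured DurationSeconds.
    const DEFAULT_DURATION_SECONDS = 3600;

    // The partition segment accepts `aws` as well as suffixed partitions such as
    // `aws-cn` / `aws-us-gov`; the region segment of an IAM ARN is empty.
    const rePrincipal = /arn:aws(?:-[a-z-]+)?:iam:[^:]*:[0-9]+:saml-provider\/[^,]+/i;
    const reRole = /arn:aws(?:-[a-z-]+)?:iam:[^:]*:([0-9]+):role\/([^,]+)/i;

    // The attribute value comes from the IdP's assertion and is only used to pick
    // which role to request; AWS verifies the assertion signature and the role's
    // trust policy server-side, so nothing parsed here grants access on its own.
    const attributeValue = String(roleAttributeValue == null ? '' : roleAttributeValue);
    const principalMatches = attributeValue.match(rePrincipal);
    const roleMatches = attributeValue.match(reRole);

    // Without both ARNs there is no valid request to build. Report it the same
    // way an STS failure is reported instead of failing later on a null match
    // with an opaque TypeError.
    if (principalMatches === null || roleMatches === null) {
      logger.error(`Unable to parse SAML-provider and role ARNs from role attribute value: ${attributeValue}`);
      return null;
    }

    const [roleArn, accountNumber, roleName] = roleMatches;
    const [principalArn] = principalMatches;

    // Resolve the configured alias record for this account. The last matching
    // record wins, which is what the previous filter/reduce chain produced.
    // AccountNumber is compared as a string so numeric config values still match.
    const aliasRecords = Array.isArray(config.AccountAliases)
      ? config.AccountAliases.filter((x) => String(x.AccountNumber) === accountNumber)
      : [];
    const aliasRecord = aliasRecords.length > 0
      ? aliasRecords[aliasRecords.length - 1]
      : null;

    // `||` is intentional: 0 is not a valid STS session duration, and an empty
    // alias should fall back to the account number.
    const durationSeconds = (aliasRecord && aliasRecord.DurationSeconds) || DEFAULT_DURATION_SECONDS;
    const roleAccount = (aliasRecord && aliasRecord.Alias) || accountNumber;

    const params = {
      PrincipalArn: principalArn,
      RoleArn: roleArn,
      DurationSeconds: durationSeconds,
      SAMLAssertion,
    };

    try {
      const response = await STS.assumeRoleWithSAML(params).promise();
      // Log only the account and role; the returned credentials never reach the log.
      logger.info(sprintf(fmt.ASSUME_ROLE_SUCCESS, roleAccount, roleName));
      return {
        accountNumber,
        roleName,
        credentials: response.Credentials,
      };
    } catch (e) {
      // Best-effort contract kept from the original: log and signal failure with
      // null so the caller can move on to the next role rather than crash.
      logger.error(e.message);
      logger.debug(e.stack);
      return null;
    }
  },
};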