# @aws-sdk/credential-providers
[![NPM version](https://img.shields.io/npm/v/@aws-sdk/credential-providers/latest.svg)](https://www.npmjs.com/package/@aws-sdk/credential-providers)
[![NPM downloads](https://img.shields.io/npm/dm/@aws-sdk/credential-providers.svg)](https://www.npmjs.com/package/@aws-sdk/credential-providers)
A collection of all credential providers, with default clients.
# Table of Contents
1. [From Cognito Identity](#fromcognitoidentity)
1. [From Cognito Identity Pool](#fromcognitoidentitypool)
1. [From Temporary Credentials](#fromtemporarycredentials)
1. [From Web Token](#fromwebtoken)
1. [Examples](#examples)
1. [From Token File](#fromtokenfile)
1. [From Instance and Container Metadata Service](#fromcontainermetadata-and-frominstancemetadata)
1. [From Shared INI files](#fromini)
1. [Sample Files](#sample-files)
1. [From Environmental Variables](#fromenv)
1. [From Credential Process](#fromprocess)
1. [Sample files](#sample-files-1)
1. [From Single Sign-On Service](#fromsso)
1. [Supported Configuration](#supported-configuration)
1. [SSO login with AWS CLI](#sso-login-with-the-aws-cli)
1. [Sample Files](#sample-files-2)
1. [From Node.js default credentials provider chain](#fromNodeProviderChain)
## `fromCognitoIdentity()`
The function `fromCognitoIdentity()` returns `CredentialsProvider` that retrieves credentials for
the provided identity ID. See [GetCredentialsForIdentity API][getcredentialsforidentity_api]
for more information.
```javascript
import { fromCognitoIdentity } from "@aws-sdk/credential-providers"; // ES6 import
// const { fromCognitoIdentity } = require("@aws-sdk/credential-providers"); // CommonJS import
const client = new FooClient({
region,
credentials: fromCognitoIdentity({
// Required. The unique identifier for the identity against which credentials
// will be issued.
identityId: "us-east-1:128d0a74-c82f-4553-916d-90053example",
// Optional. The ARN of the role to be assumed when multiple roles were received in the token
// from the identity provider.
customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity",
// Optional. A set of name-value pairs that map provider names to provider tokens.
// Required when using identities associated with external identity providers such as Facebook.
logins: {
"graph.facebook.com": "FBTOKEN",
"www.amazon.com": "AMAZONTOKEN",
"accounts.google.com": "GOOGLETOKEN",
"api.twitter.com": "TWITTERTOKEN'",
"www.digits.com": "DIGITSTOKEN",
},
// Optional. Custom client config if you need overwrite default Cognito Identity client
// configuration.
clientConfig: { region },
}),
});
```
## `fromCognitoIdentityPool()`
The function `fromCognitoIdentityPool()` returns `AwsCredentialIdentityProvider` that calls [GetId API][getid_api]
to obtain an `identityId`, then generates temporary AWS credentials with
[GetCredentialsForIdentity API][getcredentialsforidentity_api], see
[`fromCognitoIdentity()`](#fromcognitoidentity).
Results from `GetId` are cached internally, but results from `GetCredentialsForIdentity` are not.
```javascript
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers"; // ES6 import
// const { fromCognitoIdentityPool } = require("@aws-sdk/credential-providers"); // CommonJS import
const client = new FooClient({
region,
credentials: fromCognitoIdentityPool({
// Required. The unique identifier for the identity pool from which an identity should be
// retrieved or generated.
identityPoolId: "us-east-1:1699ebc0-7900-4099-b910-2df94f52a030",
// Optional. A standard AWS account ID (9+ digits)
accountId: "123456789",
// Optional. A cache in which to store resolved Cognito IdentityIds.
cache: custom_storage,
// Optional. A unique identifier for the user used to cache Cognito IdentityIds on a per-user
// basis.
userIdentifier: "user_0",
// Optional. The ARN of the role to be assumed when multiple roles were received in the token
// from the identity provider.
customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity",
// Optional. A set of name-value pairs that map provider names to provider tokens.
// Required when using identities associated with external identity providers such as Facebook.
logins: {
"graph.facebook.com": "FBTOKEN",
"www.amazon.com": "AMAZONTOKEN",
"accounts.google.com": "GOOGLETOKEN",
"api.twitter.com": "TWITTERTOKEN",
"www.digits.com": "DIGITSTOKEN",
},
// Optional. Custom client config if you need overwrite default Cognito Identity client
// configuration.
clientConfig: { region },
}),
});
```
## `fromTemporaryCredentials()`
The function `fromTemporaryCredentials` returns `AwsCredentialIdentityProvider` that retrieves temporary
credentials from [STS AssumeRole API][assumerole_api].
```javascript
import { fromTemporaryCredentials } from "@aws-sdk/credential-providers"; // ES6 import
// const { fromTemporaryCredentials } = require("@aws-sdk/credential-providers"); // CommonJS import
const client = new FooClient({
region,
credentials: fromTemporaryCredentials({
// Optional. The master credentials used to get and refresh temporary credentials from AWS STS.
// If skipped, it uses the default credential resolved by internal STS client.
masterCredentials: fromTemporaryCredentials({
params: { RoleArn: "arn:aws:iam::1234567890:role/RoleA" },
}),
// Required. Options passed to STS AssumeRole operation.
params: {
// Required. ARN of role to assume.
RoleArn: "arn:aws:iam::1234567890:role/RoleB",
// Optional. An identifier for the assumed role session. If skipped, it generates a random
// session name with prefix of 'aws-sdk-js-'.
RoleSessionName: "aws-sdk-js-123",
// Optional. The duration, in seconds, of the role session.
DurationSeconds: 3600,
// ... For more options see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
},
// Optional. Custom STS client configurations overriding the default ones.
clientConfig: { region },
// Optional. A function that returns a promise fulfilled with an MFA token code for the provided
// MFA Serial code. Required if `params` has `SerialNumber` config.
mfaCodeProvider: async (mfaSerial) => {
return "token";
},
}),
});
```
## `fromWebToken()`
The function `fromWebToken` returns `AwsCredentialIdentityProvider` that gets credentials calling
[STS AssumeRoleWithWebIdentity API][assumerolewithwebidentity_api]
```javascript
import { fromWebToken } from "@aws-sdk/credential-providers"; // ES6 import
// const { fromWebToken } = require("@aws-sdk/credential-providers"); // CommonJS import
const client = new FooClient({
region,
credentials: fromWebToken({
// Required. ARN of the role that the caller is assuming.
roleArn: "arn:aws:iam::1234567890:role/RoleA",
// Required. The OAuth 2.0 access token or OpenID Connect ID token that is provided by the
// identity provider.
webIdentityToken: await openIdProvider(),
// Optional. Custom STS client configurations overriding the default ones.
clientConfig: { region },
// Optional. A function that assumes a role with web identity and returns a promise fulfilled
// with credentials for the assumed role.
roleAssumerWithWebIdentity,
// Optional. An identifier for the assumed role session.
roleSessionName: "session_123",
// Optional. The fully qualified host component of the domain name of the identity provider.
providerId: "graph.facebook.com",
// Optional. ARNs of the IAM managed policies that you want to use as managed session.
policyArns: [{ arn: "arn:aws:iam::1234567890:policy/SomePolicy" }],
// Optional. An IAM policy in JSON format that you want to use as an inline session policy.
policy: "JSON_STRING",
// Optional. The dur