node.js后台搭建

# @aws-sdk/credential-providers [](https://www.npmjs.com/package/@aws-sdk/credential-providers) [](https://www.npmjs.com/package/@aws-sdk/credential-providers) A collection of all credential providers, with default clients. # Table of Contents 1. [From Cognito Identity](#fromcognitoidentity) 1. [From Cognito Identity Pool](#fromcognitoidentitypool) 1. [From Temporary Credentials](#fromtemporarycredentials) 1. [From Web Token](#fromwebtoken) 1. [Examples](#examples) 1. [From Token File](#fromtokenfile) 1. [From Instance and Container Metadata Service](#fromcontainermetadata-and-frominstancemetadata) 1. [From Shared INI files](#fromini) 1. [Sample Files](#sample-files) 1. [From Environmental Variables](#fromenv) 1. [From Credential Process](#fromprocess) 1. [Sample files](#sample-files-1) 1. [From Single Sign-On Service](#fromsso) 1. [Supported Configuration](#supported-configuration) 1. [SSO login with AWS CLI](#sso-login-with-the-aws-cli) 1. [Sample Files](#sample-files-2) 1. [From Node.js default credentials provider chain](#fromNodeProviderChain) ## `fromCognitoIdentity()` The function `fromCognitoIdentity()` returns `CredentialsProvider` that retrieves credentials for the provided identity ID. See [GetCredentialsForIdentity API][getcredentialsforidentity_api] for more information. ```javascript import { fromCognitoIdentity } from "@aws-sdk/credential-providers"; // ES6 import // const { fromCognitoIdentity } = require("@aws-sdk/credential-providers"); // CommonJS import const client = new FooClient({ region, credentials: fromCognitoIdentity({ // Required. The unique identifier for the identity against which credentials // will be issued. identityId: "us-east-1:128d0a74-c82f-4553-916d-90053example", // Optional. The ARN of the role to be assumed when multiple roles were received in the token // from the identity provider. customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity", // Optional. A set of name-value pairs that map provider names to provider tokens. // Required when using identities associated with external identity providers such as Facebook. logins: { "graph.facebook.com": "FBTOKEN", "www.amazon.com": "AMAZONTOKEN", "accounts.google.com": "GOOGLETOKEN", "api.twitter.com": "TWITTERTOKEN'", "www.digits.com": "DIGITSTOKEN", }, // Optional. Custom client config if you need overwrite default Cognito Identity client // configuration. clientConfig: { region }, }), }); ``` ## `fromCognitoIdentityPool()` The function `fromCognitoIdentityPool()` returns `AwsCredentialIdentityProvider` that calls [GetId API][getid_api] to obtain an `identityId`, then generates temporary AWS credentials with [GetCredentialsForIdentity API][getcredentialsforidentity_api], see [`fromCognitoIdentity()`](#fromcognitoidentity). Results from `GetId` are cached internally, but results from `GetCredentialsForIdentity` are not. ```javascript import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers"; // ES6 import // const { fromCognitoIdentityPool } = require("@aws-sdk/credential-providers"); // CommonJS import const client = new FooClient({ region, credentials: fromCognitoIdentityPool({ // Required. The unique identifier for the identity pool from which an identity should be // retrieved or generated. identityPoolId: "us-east-1:1699ebc0-7900-4099-b910-2df94f52a030", // Optional. A standard AWS account ID (9+ digits) accountId: "123456789", // Optional. A cache in which to store resolved Cognito IdentityIds. cache: custom_storage, // Optional. A unique identifier for the user used to cache Cognito IdentityIds on a per-user // basis. userIdentifier: "user_0", // Optional. The ARN of the role to be assumed when multiple roles were received in the token // from the identity provider. customRoleArn: "arn:aws:iam::1234567890:role/MYAPP-CognitoIdentity", // Optional. A set of name-value pairs that map provider names to provider tokens. // Required when using identities associated with external identity providers such as Facebook. logins: { "graph.facebook.com": "FBTOKEN", "www.amazon.com": "AMAZONTOKEN", "accounts.google.com": "GOOGLETOKEN", "api.twitter.com": "TWITTERTOKEN", "www.digits.com": "DIGITSTOKEN", }, // Optional. Custom client config if you need overwrite default Cognito Identity client // configuration. clientConfig: { region }, }), }); ``` ## `fromTemporaryCredentials()` The function `fromTemporaryCredentials` returns `AwsCredentialIdentityProvider` that retrieves temporary credentials from [STS AssumeRole API][assumerole_api]. ```javascript import { fromTemporaryCredentials } from "@aws-sdk/credential-providers"; // ES6 import // const { fromTemporaryCredentials } = require("@aws-sdk/credential-providers"); // CommonJS import const client = new FooClient({ region, credentials: fromTemporaryCredentials({ // Optional. The master credentials used to get and refresh temporary credentials from AWS STS. // If skipped, it uses the default credential resolved by internal STS client. masterCredentials: fromTemporaryCredentials({ params: { RoleArn: "arn:aws:iam::1234567890:role/RoleA" }, }), // Required. Options passed to STS AssumeRole operation. params: { // Required. ARN of role to assume. RoleArn: "arn:aws:iam::1234567890:role/RoleB", // Optional. An identifier for the assumed role session. If skipped, it generates a random // session name with prefix of 'aws-sdk-js-'. RoleSessionName: "aws-sdk-js-123", // Optional. The duration, in seconds, of the role session. DurationSeconds: 3600, // ... For more options see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html }, // Optional. Custom STS client configurations overriding the default ones. clientConfig: { region }, // Optional. A function that returns a promise fulfilled with an MFA token code for the provided // MFA Serial code. Required if `params` has `SerialNumber` config. mfaCodeProvider: async (mfaSerial) => { return "token"; }, }), }); ``` ## `fromWebToken()` The function `fromWebToken` returns `AwsCredentialIdentityProvider` that gets credentials calling [STS AssumeRoleWithWebIdentity API][assumerolewithwebidentity_api] ```javascript import { fromWebToken } from "@aws-sdk/credential-providers"; // ES6 import // const { fromWebToken } = require("@aws-sdk/credential-providers"); // CommonJS import const client = new FooClient({ region, credentials: fromWebToken({ // Required. ARN of the role that the caller is assuming. roleArn: "arn:aws:iam::1234567890:role/RoleA", // Required. The OAuth 2.0 access token or OpenID Connect ID token that is provided by the // identity provider. webIdentityToken: await openIdProvider(), // Optional. Custom STS client configurations overriding the default ones. clientConfig: { region }, // Optional. A function that assumes a role with web identity and returns a promise fulfilled // with credentials for the assumed role. roleAssumerWithWebIdentity, // Optional. An identifier for the assumed role session. roleSessionName: "session_123", // Optional. The fully qualified host component of the domain name of the identity provider. providerId: "graph.facebook.com", // Optional. ARNs of the IAM managed policies that you want to use as managed session. policyArns: [{ arn: "arn:aws:iam::1234567890:policy/SomePolicy" }], // Optional. An IAM policy in JSON format that you want to use as an inline session policy. policy: "JSON_STRING", // Optional. The dur