Merge pull request #2463 from lostcolony/master

AWS support for session tokens for temporary credentials
request · Nov 18, 2016 · 9f702bf · 9f702bf
2 parents 67c9673 + 7532634
commit 9f702bf
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -755,7 +755,7 @@ The first argument can be either a `url` or an `options` object. The only requir
 - `auth` - A hash containing values `user` || `username`, `pass` || `password`, and `sendImmediately` (optional).  See documentation above.
 - `oauth` - Options for OAuth HMAC-SHA1 signing. See documentation above.
 - `hawk` - Options for [Hawk signing](https://github.com/hueniverse/hawk). The `credentials` key must contain the necessary signing info, [see hawk docs for details](https://github.com/hueniverse/hawk#usage-example).
-- `aws` - `object` containing AWS signing information. Should have the properties `key`, `secret`. Also requires the property `bucket`, unless you’re specifying your `bucket` as part of the path, or the request doesn’t use a bucket (i.e. GET Services). If you want to use AWS sign version 4 use the parameter `sign_version` with value `4` otherwise the default is version 2. **Note:** you need to `npm install aws4` first.
+- `aws` - `object` containing AWS signing information. Should have the properties `key`, `secret`, and optionally `session` (note that this only works for services that require session as part of the canonical string). Also requires the property `bucket`, unless you’re specifying your `bucket` as part of the path, or the request doesn’t use a bucket (i.e. GET Services). If you want to use AWS sign version 4 use the parameter `sign_version` with value `4` otherwise the default is version 2. **Note:** you need to `npm install aws4` first.
 - `httpSignature` - Options for the [HTTP Signature Scheme](https://github.com/joyent/node-http-signature/blob/master/http_signing.md) using [Joyent's library](https://github.com/joyent/node-http-signature). The `keyId` and `key` properties must be specified. See the docs for other options.
 
 ---

diff --git a/request.js b/request.js
@@ -1292,10 +1292,14 @@ Request.prototype.aws = function (opts, now) {
     }
     var signRes = aws4.sign(options, {
       accessKeyId: opts.key,
-      secretAccessKey: opts.secret
+      secretAccessKey: opts.secret,
+      sessionToken: opts.session
     })
     self.setHeader('authorization', signRes.headers.Authorization)
     self.setHeader('x-amz-date', signRes.headers['X-Amz-Date'])
+    if (signRes.headers['X-Amz-Security-Token']) {
+      self.setHeader('x-amz-security-token', signRes.headers['X-Amz-Security-Token'])
+    }
   }
   else {
     // default: use aws-sign2

diff --git a/tests/test-aws.js b/tests/test-aws.js
@@ -50,6 +50,26 @@ tape('aws-sign4 options', function(t) {
   request(options, function(err, res, body) {    
     t.ok(body.authorization)
     t.ok(body['x-amz-date'])
+    t.notok(body['x-amz-security-token'])
+    t.end()
+  })
+})
+
+tape('aws-sign4 options with session token', function(t) {
+  var options = {
+    url: s.url + path,
+    aws: {
+      key: 'my_key',
+      secret: 'my_secret',
+      session: 'session',
+      sign_version: 4
+    },
+    json: true
+  }
+  request(options, function(err, res, body) {    
+    t.ok(body.authorization)
+    t.ok(body['x-amz-date'])
+    t.ok(body['x-amz-security-token'])
     t.end()
   })
 })