0
votes

I already have AWS assume-role credentials in the .aws/credentials file. How do I use them to create STS or DynamoDB clients like this:

```javascript
const { DynamoDB } = require('aws-sdk');
const { DocumentClient } = DynamoDB;

const dynamo = new DynamoDB({
  endpoint: process.env.AWS_ENDPOINT,
  region: process.env.AWS_REGION,
  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  secretToken: process.env.aws_security_token
});
```

I mean, I get this error:

```
root@myubuntu:~/work/contacts_api# node ./seed/runner.js
Checking if 'contacts' table exists { UnrecognizedClientException: The security token included in the request is invalid.
    at Request.extractError (/root/work/contacts_api/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.callListeners (/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/root/work/contacts_api/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /root/work/contacts_api/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
  message: 'The security token included in the request is invalid.',
  code: 'UnrecognizedClientException',
  time: 2019-01-07T05:39:54.907Z,
  requestId: 'A5CFV62P0TGHJH7VDIBSL0JRC3VV4KQNSO5AEMVJF66Q9ASUAAJG',
  statusCode: 400,
  retryable: false,
  retryDelay: 5.013458338738063 }
```

I want to know the correct way to initialize credentials if I want to use MFA credentials.

2
You're pulling in DynamoDB and DynamoDB.DocumentClient, but then create a new DynamoDB object, leaving the DocumentClient hanging off. Maybe an oversight in the question? They're built the same way regardless. - John Hoffmeyer

2 Answers

0
votes

I'm guessing that the error here should give you a clue:

"The security token included in the request is invalid"

Did you try printing out the environment value

env | grep aws_security_token

If it's empty you'll have to set the value prior to running your code.

Also, I've noticed that your other aws keys are all caps whereas your aws_security_token is all lowercase.

0
votes

I suspect secretToken isn't a thing. Here are two examples of how it could be done (how I've done it before).

That said, I would encourage constructing and using a Credentials object wherever possible (the second example), but if you wanted to do it inline, that should work too.

```javascript
const AWS = require('aws-sdk')

/** assume a role and build a DocumentClient object to make a single scan **/
;(async () => {
  // STS itself is called with whatever credentials the SDK resolves from the
  // default chain (env vars, shared credentials file, instance role)
  const sts = new AWS.STS()
  const assumeRole = await sts
    .assumeRole({
      RoleArn: process.env.ROLE_ARN,
      RoleSessionName: process.env.ROLE_SESSION_NAME,
    })
    .promise()

  // the role's temporary key pair is only valid together with its session token
  const dynamodb = new AWS.DynamoDB.DocumentClient({
    region: process.env.REGION,
    credentials: {
      accessKeyId: assumeRole.Credentials?.AccessKeyId,
      secretAccessKey: assumeRole.Credentials?.SecretAccessKey,
      sessionToken: assumeRole.Credentials?.SessionToken,
    },
  })

  const scan = await dynamodb
    .scan({
      TableName: process.env.TABLE_NAME,
    })
    .promise()

  console.log(scan)
})()

/**
 * assume a role and build a Credentials object and use it
 * to build a DocumentClient object to make a single scan
 **/
;(async () => {
  const sts = new AWS.STS()
  const assumeRole = await sts
    .assumeRole({
      RoleArn: process.env.ROLE_ARN,
      RoleSessionName: process.env.ROLE_SESSION_NAME,
    })
    .promise()

  // an AWS.Credentials instance can be shared between several service clients
  const credentials = new AWS.Credentials({
    accessKeyId: assumeRole.Credentials?.AccessKeyId,
    secretAccessKey: assumeRole.Credentials?.SecretAccessKey,
    sessionToken: assumeRole.Credentials?.SessionToken,
  })

  const dynamodb = new AWS.DynamoDB.DocumentClient({
    region: process.env.REGION,
    credentials: credentials,
  })

  const scan = await dynamodb
    .scan({
      TableName: process.env.TABLE_NAME,
    })
    .promise()

  console.log(scan)
})()
```
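The following is an added example, not code from the question or from either answer, that ties both answers to the question's setup: aws-sdk v2 reads the option `sessionToken` (filled from `aws_session_token` in the profile or from `AWS_SESSION_TOKEN` in the environment, exact case), it silently ignores an unknown key such as `secretToken`, and an STS-issued key sent without its token is what DynamoDB reports as an invalid security token. It parses a constructed `~/.aws/credentials` text with fake example values (the profile names `contacts-role-session` and `contacts-role` are assumptions) into the object the SDK accepts, and it runs offline with no aws-sdk install.

```javascript
// Added example (not from the question or either answer): produce the exact
// credentials object aws-sdk v2 expects from a ~/.aws/credentials profile or
// from the AWS_* environment variables, and fail early on the two mistakes
// that surface later as "The security token included in the request is invalid".

// Option names aws-sdk v2 reads. `secretToken` is not one of them; an unknown
// key is ignored, so the SDK would send an STS key without its session token.
const SDK_CREDENTIAL_KEYS = new Set(['accessKeyId', 'secretAccessKey', 'sessionToken']);

// Constructed sample file (fake, AWS-documented example values): a long-lived
// user key, a cached assume-role session, and a role profile protected by MFA.
const SAMPLE_CREDENTIALS_FILE = `
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[contacts-role-session]
# written by an earlier aws sts assume-role call; all three lines belong together
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLESESSIONTOKEN

[contacts-role]
role_arn = arn:aws:iam::123456789012:role/contacts-api
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/developer
`;

// Minimal parser for the INI layout shared by ~/.aws/credentials and ~/.aws/config.
function parseAwsIni(text) {
  const profiles = {};
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[\s*(?:profile\s+)?([^\]]+?)\s*\]$/);
    if (header) {
      current = header[1];
      profiles[current] = profiles[current] || {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) profiles[current][kv[1].trim().toLowerCase()] = kv[2].trim();
  }
  return profiles;
}

// Rejects what the SDK would only report after the request fails: an option
// name it does not know, and a temporary key missing its session token.
function validateCredentials(creds) {
  for (const key of Object.keys(creds)) {
    if (!SDK_CREDENTIAL_KEYS.has(key)) {
      throw new Error(`unknown credential option "${key}" (the SDK option is sessionToken)`);
    }
  }
  if (!creds.accessKeyId || !creds.secretAccessKey) {
    throw new Error('accessKeyId and secretAccessKey are required');
  }
  // STS-issued temporary access keys start with ASIA; long-lived IAM user keys start with AKIA.
  if (creds.accessKeyId.startsWith('ASIA') && !creds.sessionToken) {
    throw new Error('temporary access key (ASIA...) needs its sessionToken, or STS rejects the request');
  }
  if (!creds.sessionToken) delete creds.sessionToken; // long-lived keys carry no token
  return creds;
}

// Static profiles map onto the SDK option names; role profiles hold no keys
// themselves, so return what the SDK needs to assume the role instead.
function credentialsFromProfile(profiles, name) {
  const p = profiles[name];
  if (!p) throw new Error(`profile "${name}" not found`);
  if (p.role_arn) {
    return { roleArn: p.role_arn, sourceProfile: p.source_profile, mfaSerial: p.mfa_serial || null };
  }
  return validateCredentials({
    accessKeyId: p.aws_access_key_id,
    secretAccessKey: p.aws_secret_access_key,
    sessionToken: p.aws_session_token,
  });
}

// The SDK reads exactly these names, case-sensitively; a lowercase
// aws_security_token in the environment is never picked up.
function credentialsFromEnv(env) {
  return validateCredentials({
    accessKeyId: env.AWS_ACCESS_KEY_ID,
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
    sessionToken: env.AWS_SESSION_TOKEN,
  });
}

// Usage: the returned object goes straight into a client constructor, e.g.
//   new AWS.DynamoDB({ region: process.env.AWS_REGION, credentials: creds })
const creds = credentialsFromProfile(parseAwsIni(SAMPLE_CREDENTIALS_FILE), 'contacts-role-session');
console.log(creds);
```

For the `contacts-role` profile, aws-sdk v2 can perform the assume-role and the MFA prompt itself with `new AWS.SharedIniFileCredentials({ profile: 'contacts-role', tokenCodeFn })`, where `tokenCodeFn(mfaSerial, callback)` supplies the one-time code; the manual route is the answer above's `sts.assumeRole` call with `SerialNumber` and `TokenCode` added to its params. In both cases the `SessionToken` returned by STS must travel with its access key: mixing a key from one assume-role call with a token from another, or dropping the token, fails the request before any IAM policy is evaluated.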