@quarry-systems/pangolin-providers-aws-creds
v0.2.0
Published
CredentialProvider wrapping the AWS SDK default credential chain — lazy resolution, no extra caching.
Readme
-systems/pangolin-providers-aws-creds
A CredentialProvider implementation that wraps the AWS SDK's default credential chain (environment variables, shared credentials file, container IAM role, EC2 instance metadata) and projects the resolved credentials into a ResolvedCredentials discriminated with kind: 'aws'. No caching beyond what the underlying chain itself performs; integrators wanting cross-process caching wire their own resolver via providerOverride. Construction is side-effect-free — the chain is invoked lazily on each resolve() call so any SDK I/O happens at resolution time, not at client construction.
Install
pnpm add -systems/pangolin-providers-aws-credsBasic usage
import { PangolinClient } from '-systems/pangolin-client';
import { AwsCredentialProvider } from '-systems/pangolin-providers-aws-creds';
const client = new PangolinClient({
namespace: 'my-org',
credentials: { aws: new AwsCredentialProvider() },
// ...
});For assume-role flows or other custom credential sources that don't fit the default chain, pass providerOverride::
new AwsCredentialProvider({
providerOverride: async () => assumeRoleAndReturnCreds(),
});Spec
- §5 Pluggable interfaces — the
CredentialProvidercontract this package implements. - §7.5 Storage IAM — the IAM boundary this provider operates within.
Decisions
- ADR-0001 — Package scope: the
@quarry-systems/pangolin-*namespace this package publishes under. - ADR-0007 — Inline secret TTL auto-computed: the secrets lifecycle this credential provider supports for Secrets Manager access.
