feat: add AWS STS AssumeRole support to AWS credential (#5731)

* feat: add AWS STS AssumeRole support to AWS credential

* fix: applied reviewer suggestions for code hardening

* fix: minor lint issues

* fix: resolved lint warnings

Author: rohan-patil2

packages/components/credentials/AWSCredential.credential.ts

@@ -11,7 +11,7 @@ class AWSApi implements INodeCredential {
     constructor() {
         this.label = 'AWS security credentials'
         this.name = 'awsApi'
-        this.version = 1.0
+        this.version = 1.1
         this.description =
             'Your <a target="_blank" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html">AWS security credentials</a>. When unspecified, credentials will be sourced from the runtime environment according to the default AWS SDK behavior.'
         this.optional = true
@@ -39,6 +39,24 @@ class AWSApi implements INodeCredential {
                 placeholder: '<AWS_SESSION_TOKEN>',
                 description: 'The session key for your AWS account. This is only needed when you are using temporary credentials.',
                 optional: true
+            },
+            {
+                label: 'Role ARN',
+                name: 'roleArn',
+                type: 'string',
+                placeholder: 'arn:aws:iam::123456789012:role/role-name',
+                description:
+                    'The Amazon Resource Name (ARN) of the IAM role to assume. When provided, Flowise will use AWS STS AssumeRole to obtain temporary credentials. Leave empty to use static credentials directly.',
+                optional: true
+            },
+            {
+                label: 'External ID',
+                name: 'externalId',
+                type: 'string',
+                placeholder: 'unique-external-id',
+                description:
+                    'A unique identifier used for cross-account role assumption. Required when the role trust policy includes an sts:ExternalId condition.',
+                optional: true
             }
         ]
     }

packages/components/nodes/chatmodels/AWSBedrock/AWSChatBedrock.ts

@@ -1,7 +1,8 @@
 import { BaseCache } from '@langchain/core/caches'
 import { ICommonObject, IMultiModalOption, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../src/Interface'
-import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getBaseClasses } from '../../../src/utils'
 import { getModels, getRegions, MODEL_TYPE } from '../../../src/modelLoader'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { ChatBedrockConverseInput, ChatBedrockConverse } from '@langchain/aws'
 import { BedrockChat } from './FlowiseAWSChatBedrock'
 
@@ -163,19 +164,12 @@ class AWSChatBedrock_ChatModels implements INode {
          * Bedrock's credential provider falls back to the AWS SDK to fetch
          * credentials from the running environment.
          * When specified, we override the default provider with configured values.
+         * Supports STS AssumeRole when a Role ARN is configured in the credential.
          * @see https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-provider-node/README.md
          */
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            const credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            const credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            const credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-
-            obj.credentials = {
-                accessKeyId: credentialApiKey,
-                secretAccessKey: credentialApiSecret,
-                sessionToken: credentialApiSession
-            }
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, iRegion)
+        if (credentialConfig.credentials) {
+            obj.credentials = credentialConfig.credentials
         }
         if (cache) obj.cache = cache
 

packages/components/nodes/documentloaders/S3Directory/S3Directory.ts

@@ -1,11 +1,6 @@
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeOutputsValue, INodeParams } from '../../../src/Interface'
-import {
-    getCredentialData,
-    getCredentialParam,
-    handleDocumentLoaderDocuments,
-    handleDocumentLoaderMetadata,
-    handleDocumentLoaderOutput
-} from '../../../src/utils'
+import { handleDocumentLoaderDocuments, handleDocumentLoaderMetadata, handleDocumentLoaderOutput } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { S3Client, GetObjectCommand, S3ClientConfig, ListObjectsV2Command, ListObjectsV2Output } from '@aws-sdk/client-s3'
 import { getRegions, MODEL_TYPE } from '../../../src/modelLoader'
 import { Readable } from 'node:stream'
@@ -158,18 +153,9 @@ class S3_DocumentLoaders implements INode {
         const output = nodeData.outputs?.output as string
 
         let credentials: S3ClientConfig['credentials'] | undefined
-
         if (nodeData.credential) {
-            const credentialData = await getCredentialData(nodeData.credential, options)
-            const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-            const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-
-            if (accessKeyId && secretAccessKey) {
-                credentials = {
-                    accessKeyId,
-                    secretAccessKey
-                }
-            }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            credentials = credentialConfig.credentials
         }
 
         let s3Config: S3ClientConfig = {

packages/components/nodes/documentloaders/S3File/S3File.ts

@@ -7,13 +7,8 @@ import {
     SkipInferTableTypes,
     HiResModelName
 } from '@langchain/community/document_loaders/fs/unstructured'
-import {
-    getCredentialData,
-    getCredentialParam,
-    handleDocumentLoaderDocuments,
-    handleDocumentLoaderMetadata,
-    handleDocumentLoaderOutput
-} from '../../../src/utils'
+import { handleDocumentLoaderDocuments, handleDocumentLoaderMetadata, handleDocumentLoaderOutput } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { S3Client, GetObjectCommand, HeadObjectCommand, S3ClientConfig } from '@aws-sdk/client-s3'
 import { getRegions, MODEL_TYPE } from '../../../src/modelLoader'
 import { Readable } from 'node:stream'
@@ -581,18 +576,9 @@ class S3_DocumentLoaders implements INode {
         }
 
         let credentials: S3ClientConfig['credentials'] | undefined
-
         if (nodeData.credential) {
-            const credentialData = await getCredentialData(nodeData.credential, options)
-            const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-            const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-
-            if (accessKeyId && secretAccessKey) {
-                credentials = {
-                    accessKeyId,
-                    secretAccessKey
-                }
-            }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            credentials = credentialConfig.credentials
         }
 
         const s3Config: S3ClientConfig = {

packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts

@@ -1,7 +1,8 @@
 import { BedrockRuntimeClient, InvokeModelCommand } from '@aws-sdk/client-bedrock-runtime'
 import { BedrockEmbeddings, BedrockEmbeddingsParams } from '@langchain/community/embeddings/bedrock'
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../src/Interface'
-import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getBaseClasses } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { MODEL_TYPE, getModels, getRegions } from '../../../src/modelLoader'
 
 class AWSBedrockEmbedding_Embeddings implements INode {
@@ -129,17 +130,15 @@ class AWSBedrockEmbedding_Embeddings implements INode {
             region: iRegion
         }
 
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            const credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            const credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            const credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-
-            obj.credentials = {
-                accessKeyId: credentialApiKey,
-                secretAccessKey: credentialApiSecret,
-                sessionToken: credentialApiSession
-            }
+        /**
+         * Long-term credentials specified in embedding configuration are optional.
+         * Bedrock's credential provider falls back to the AWS SDK to fetch
+         * credentials from the running environment.
+         * Supports STS AssumeRole when a Role ARN is configured in the credential.
+         */
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, iRegion)
+        if (credentialConfig.credentials) {
+            obj.credentials = credentialConfig.credentials
         }
 
         const client = new BedrockRuntimeClient({

packages/components/nodes/llms/AWSBedrock/AWSBedrock.ts

@@ -2,9 +2,10 @@ import { Bedrock } from '@langchain/community/llms/bedrock'
 import { BaseCache } from '@langchain/core/caches'
 import { BaseLLMParams } from '@langchain/core/language_models/llms'
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../src/Interface'
-import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getBaseClasses } from '../../../src/utils'
 import { BaseBedrockInput } from '@langchain/community/dist/utils/bedrock'
 import { getModels, getRegions, MODEL_TYPE } from '../../../src/modelLoader'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 
 /**
  * @author Michael Connor <mlconnor@yahoo.com>
@@ -116,19 +117,12 @@ class AWSBedrock_LLMs implements INode {
          * Bedrock's credential provider falls back to the AWS SDK to fetch
          * credentials from the running environment.
          * When specified, we override the default provider with configured values.
+         * Supports STS AssumeRole when a Role ARN is configured in the credential.
          * @see https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-provider-node/README.md
          */
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            const credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            const credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            const credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-
-            obj.credentials = {
-                accessKeyId: credentialApiKey,
-                secretAccessKey: credentialApiSecret,
-                sessionToken: credentialApiSession
-            }
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, iRegion)
+        if (credentialConfig.credentials) {
+            obj.credentials = credentialConfig.credentials
         }
         if (cache) obj.cache = cache
 

packages/components/nodes/retrievers/AWSBedrockKBRetriever/AWSBedrockKBRetriever.ts

@@ -1,6 +1,6 @@
 import { AmazonKnowledgeBaseRetriever } from '@langchain/aws'
 import { ICommonObject, INode, INodeData, INodeParams, INodeOptionsValue } from '../../../src/Interface'
-import { getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { RetrievalFilter } from '@aws-sdk/client-bedrock-agent-runtime'
 import { MODEL_TYPE, getRegions } from '../../../src/modelLoader'
 
@@ -108,29 +108,15 @@ class AWSBedrockKBRetriever_Retrievers implements INode {
         const topK = nodeData.inputs?.topK as number
         const overrideSearchType = (nodeData.inputs?.searchType != '' ? nodeData.inputs?.searchType : undefined) as 'HYBRID' | 'SEMANTIC'
         const filter = (nodeData.inputs?.filter != '' ? JSON.parse(nodeData.inputs?.filter) : undefined) as RetrievalFilter
-        let credentialApiKey = ''
-        let credentialApiSecret = ''
-        let credentialApiSession = ''
-
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-        }
-
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
         const retriever = new AmazonKnowledgeBaseRetriever({
-            topK: topK,
+            topK,
             knowledgeBaseId: knoledgeBaseID,
-            region: region,
+            region,
             filter,
             overrideSearchType,
             clientOptions: {
-                credentials: {
-                    accessKeyId: credentialApiKey,
-                    secretAccessKey: credentialApiSecret,
-                    sessionToken: credentialApiSession
-                }
+                ...(credentialConfig.credentials && { credentials: credentialConfig.credentials })
             }
         })
 

packages/components/nodes/tools/AWSDynamoDBKVStorage/AWSDynamoDBKVStorage.ts

@@ -17,15 +17,18 @@ const KEY_SEPARATOR = '#'
 const MAX_KEY_LENGTH = 2048 // DynamoDB limit for partition key
 
 // Helper function to create DynamoDB client
-function createDynamoDBClient(credentials: AWSCredentials, region: string): DynamoDBClient {
-    return new DynamoDBClient({
-        region,
-        credentials: {
+function createDynamoDBClient(credentials: AWSCredentials | undefined, region: string): DynamoDBClient {
+    const config: { region: string; credentials?: { accessKeyId: string; secretAccessKey: string; sessionToken?: string } } = { region }
+
+    if (credentials) {
+        config.credentials = {
             accessKeyId: credentials.accessKeyId,
             secretAccessKey: credentials.secretAccessKey,
             ...(credentials.sessionToken && { sessionToken: credentials.sessionToken })
         }
-    })
+    }
+
+    return new DynamoDBClient(config)
 }
 
 // Helper function to build full key with optional prefix
@@ -246,11 +249,11 @@ class AWSDynamoDBKVStorage_Tools implements INode {
         ]
     }
 
-    loadMethods: Record<string, (nodeData: INodeData, options?: ICommonObject) => Promise<INodeOptionsValue[]>> = {
-        listTables: async (nodeData: INodeData, options?: ICommonObject): Promise<INodeOptionsValue[]> => {
+    loadMethods: Record<string, (_nodeData: INodeData, _options?: ICommonObject) => Promise<INodeOptionsValue[]>> = {
+        listTables: async (_nodeData: INodeData, _options?: ICommonObject): Promise<INodeOptionsValue[]> => {
             try {
-                const credentials = await getAWSCredentials(nodeData, options ?? {})
-                const region = (nodeData.inputs?.region as string) || DEFAULT_AWS_REGION
+                const credentials = await getAWSCredentials(_nodeData, _options ?? {})
+                const region = (_nodeData.inputs?.region as string) || DEFAULT_AWS_REGION
                 const dynamoClient = createDynamoDBClient(credentials, region)
 
                 const listCommand = new ListTablesCommand({})

packages/components/nodes/vectorstores/Kendra/Kendra.ts

@@ -1,9 +1,10 @@
 import { flatten } from 'lodash'
 import { AmazonKendraRetriever } from '@langchain/aws'
-import { KendraClient, BatchPutDocumentCommand, BatchDeleteDocumentCommand } from '@aws-sdk/client-kendra'
+import { KendraClient, BatchPutDocumentCommand, BatchDeleteDocumentCommand, KendraClientConfig } from '@aws-sdk/client-kendra'
 import { Document } from '@langchain/core/documents'
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeOutputsValue, INodeParams, IndexingResult } from '../../../src/Interface'
-import { FLOWISE_CHATID, getCredentialData, getCredentialParam, parseJsonBody } from '../../../src/utils'
+import { FLOWISE_CHATID, parseJsonBody } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { howToUseFileUpload } from '../VectorStoreUtils'
 import { MODEL_TYPE, getRegions } from '../../../src/modelLoader'
 
@@ -119,23 +120,11 @@ class Kendra_VectorStores implements INode {
             const docs = nodeData.inputs?.document as Document[]
             const isFileUploadEnabled = nodeData.inputs?.fileUpload as boolean
 
-            const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-            let clientConfig: any = { region }
-
-            if (credentialData && Object.keys(credentialData).length !== 0) {
-                const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-                const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-                const sessionToken = getCredentialParam('awsSession', credentialData, nodeData)
-
-                if (accessKeyId && secretAccessKey) {
-                    clientConfig.credentials = {
-                        accessKeyId,
-                        secretAccessKey,
-                        ...(sessionToken && { sessionToken })
-                    }
-                }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            let clientConfig: KendraClientConfig = { region }
+            if (credentialConfig.credentials) {
+                clientConfig.credentials = credentialConfig.credentials
             }
-
             const client = new KendraClient(clientConfig)
 
             const flattenDocs = docs && docs.length ? flatten(docs) : []
@@ -192,23 +181,11 @@ class Kendra_VectorStores implements INode {
             const indexId = nodeData.inputs?.indexId as string
             const region = nodeData.inputs?.region as string
 
-            const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-            let clientConfig: any = { region }
-
-            if (credentialData && Object.keys(credentialData).length !== 0) {
-                const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-                const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-                const sessionToken = getCredentialParam('awsSession', credentialData, nodeData)
-
-                if (accessKeyId && secretAccessKey) {
-                    clientConfig.credentials = {
-                        accessKeyId,
-                        secretAccessKey,
-                        ...(sessionToken && { sessionToken })
-                    }
-                }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            let clientConfig: KendraClientConfig = { region }
+            if (credentialConfig.credentials) {
+                clientConfig.credentials = credentialConfig.credentials
             }
-
             const client = new KendraClient(clientConfig)
 
             try {
@@ -235,15 +212,11 @@ class Kendra_VectorStores implements INode {
         const attributeFilter = nodeData.inputs?.attributeFilter
         const isFileUploadEnabled = nodeData.inputs?.fileUpload as boolean
 
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        let clientOptions: any = {}
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+        let clientOptions: Partial<KendraClientConfig> = {}
 
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            clientOptions.credentials = {
-                accessKeyId: getCredentialParam('awsKey', credentialData, nodeData),
-                secretAccessKey: getCredentialParam('awsSecret', credentialData, nodeData),
-                sessionToken: getCredentialParam('awsSession', credentialData, nodeData)
-            }
+        if (credentialConfig.credentials) {
+            clientOptions.credentials = credentialConfig.credentials
         }
 
         let filter = undefined