feat: use custom aws config in fle

Author: durran

src/client-side-encryption/auto_encrypter.ts

@@ -6,6 +6,7 @@ import {
 import * as net from 'net';
 
 import { deserialize, type Document, serialize } from '../bson';
+import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
 import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
 import { kDecorateResult } from '../constants';
 import { getMongoDBClientEncryption } from '../deps';
@@ -153,6 +154,7 @@ export class AutoEncrypter {
   _kmsProviders: KMSProviders;
   _bypassMongocryptdAndCryptShared: boolean;
   _contextCounter: number;
+  _awsCredentialProvider?: AWSCredentialProvider;
 
   _mongocryptdManager?: MongocryptdManager;
   _mongocryptdClient?: MongoClient;
@@ -237,6 +239,8 @@ export class AutoEncrypter {
     this._proxyOptions = options.proxyOptions || {};
     this._tlsOptions = options.tlsOptions || {};
     this._kmsProviders = options.kmsProviders || {};
+    this._awsCredentialProvider =
+      client.options.credentials?.mechanismProperties.AWS_CREDENTIAL_PROVIDER;
 
     const mongoCryptOptions: MongoCryptOptions = {
       cryptoCallbacks
@@ -438,7 +442,7 @@ export class AutoEncrypter {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return await refreshKMSCredentials(this._kmsProviders);
+    return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
   }
 
   /**

src/client-side-encryption/client_encryption.ts

@@ -15,6 +15,7 @@ import {
   type UUID
 } from '../bson';
 import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
+import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
 import { type ProxyOptions } from '../cmap/connection';
 import { type Collection } from '../collection';
 import { type FindCursor } from '../cursor/find_cursor';
@@ -81,6 +82,9 @@ export class ClientEncryption {
   /** @internal */
   _mongoCrypt: MongoCrypt;
 
+  /** @internal */
+  _awsCredentialProvider?: AWSCredentialProvider;
+
   /** @internal */
   static getMongoCrypt(): MongoCryptConstructor {
     const encryption = getMongoDBClientEncryption();
@@ -125,6 +129,8 @@ export class ClientEncryption {
     this._kmsProviders = options.kmsProviders || {};
     const { timeoutMS } = resolveTimeoutOptions(client, options);
     this._timeoutMS = timeoutMS;
+    this._awsCredentialProvider =
+      client.options.credentials?.mechanismProperties.AWS_CREDENTIAL_PROVIDER;
 
     if (options.keyVaultNamespace == null) {
       throw new MongoCryptInvalidArgumentError('Missing required option `keyVaultNamespace`');
@@ -712,7 +718,7 @@ export class ClientEncryption {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return await refreshKMSCredentials(this._kmsProviders);
+    return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
   }
 
   static get libmongocryptVersion() {

src/client-side-encryption/providers/aws.ts

@@ -1,11 +1,17 @@
-import { AWSSDKCredentialProvider } from '../../cmap/auth/aws_temporary_credentials';
+import {
+  type AWSCredentialProvider,
+  AWSSDKCredentialProvider
+} from '../../cmap/auth/aws_temporary_credentials';
 import { type KMSProviders } from '.';
 
 /**
  * @internal
  */
-export async function loadAWSCredentials(kmsProviders: KMSProviders): Promise<KMSProviders> {
-  const credentialProvider = new AWSSDKCredentialProvider();
+export async function loadAWSCredentials(
+  kmsProviders: KMSProviders,
+  provider?: AWSCredentialProvider
+): Promise<KMSProviders> {
+  const credentialProvider = new AWSSDKCredentialProvider(provider);
 
   // We shouldn't ever receive a response from the AWS SDK that doesn't have a `SecretAccessKey`
   // or `AccessKeyId`.  However, TS says these fields are optional.  We provide empty strings

src/client-side-encryption/providers/index.ts

@@ -1,4 +1,5 @@
 import type { Binary } from '../../bson';
+import { type AWSCredentialProvider } from '../../cmap/auth/aws_temporary_credentials';
 import { loadAWSCredentials } from './aws';
 import { loadAzureCredentials } from './azure';
 import { loadGCPCredentials } from './gcp';
@@ -176,11 +177,14 @@ export function isEmptyCredentials(
  *
  * @internal
  */
-export async function refreshKMSCredentials(kmsProviders: KMSProviders): Promise<KMSProviders> {
+export async function refreshKMSCredentials(
+  kmsProviders: KMSProviders,
+  awsProvider?: AWSCredentialProvider
+): Promise<KMSProviders> {
   let finalKMSProviders = kmsProviders;
 
   if (isEmptyCredentials('aws', kmsProviders)) {
-    finalKMSProviders = await loadAWSCredentials(finalKMSProviders);
+    finalKMSProviders = await loadAWSCredentials(finalKMSProviders, awsProvider);
   }
 
   if (isEmptyCredentials('gcp', kmsProviders)) {

src/cmap/auth/aws_temporary_credentials.ts

@@ -21,7 +21,7 @@ export interface AWSTempCredentials {
   Expiration?: Date;
 }
 
-/** @internal */
+/** @public **/
 export type AWSCredentialProvider = () => Promise<AWSCredentials>;
 
 /**

src/deps.ts

@@ -78,7 +78,7 @@ export function getZstdLibrary(): ZStandardLib | { kModuleError: MongoMissingDep
 }
 
 /**
- * @internal
+ * @public
  * Copy of the AwsCredentialIdentityProvider interface from [`smithy/types`](https://socket.dev/npm/package/\@smithy/types/files/1.1.1/dist-types/identity/awsCredentialIdentity.d.ts),
  * the return type of the aws-sdk's `fromNodeProviderChain().provider()`.
  */

src/index.ts

@@ -127,10 +127,11 @@ export { ReadPreferenceMode } from './read_preference';
 export { ServerType, TopologyType } from './sdam/common';
 
 // Helper classes
+export type { AWSCredentialProvider } from './cmap/auth/aws_temporary_credentials';
+export type { AWSCredentials } from './deps';
 export { ReadConcern } from './read_concern';
 export { ReadPreference } from './read_preference';
 export { WriteConcern } from './write_concern';
-
 // events
 export {
   CommandFailedEvent,