feat: support standard AWS env vars and default credential chain (#401)
* feat: support standard AWS env vars and default credential chain Replace non-standard AWS_ACCESS_KEY / AWS_SECRET_KEY with the AWS-standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY. The old names are kept as fallbacks in the runtimeEnv for backward compatibility. Both vars are now optional. When omitted, the credentials object is not passed to SESv2Client, STSClient, or SNSClient — the AWS SDK then falls back to its default provider chain (IAM roles, ECS task roles, instance profiles, etc.), which is the recommended approach for cloud-native deployments. Closes #316 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * refactor: extract shared getAwsCredentialOptions helper and add partial-config guard - Move the credential spread logic into a single credentials.ts helper so SESv2Client, STSClient, and SNSClient all share one implementation - Throw a clear error if only one of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY is set, preventing silent fallback to the default provider chain with a half-configured environment Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: align AWS env vars in docker and docs * fix: use alias import for AWS credentials helper --------- Co-authored-by: purva <purvahk08@gmail.com> Co-authored-by: Purva Kandalgaonkar <136103488+purva-8@users.noreply.github.com>
This commit is contained in:
KM Koushik
GitHub
@@ -5,8 +5,8 @@ NEXTAUTH_SECRET=test-secret
|
||||
DATABASE_URL=postgresql://usesend:password@127.0.0.1:54329/usesend_test
|
||||
REDIS_URL=redis://127.0.0.1:6380/15
|
||||
|
||||
AWS_ACCESS_KEY=test-access-key
|
||||
AWS_SECRET_KEY=test-secret-key
|
||||
AWS_ACCESS_KEY_ID=test-access-key
|
||||
AWS_SECRET_ACCESS_KEY=test-secret-key
|
||||
AWS_DEFAULT_REGION=us-east-1
|
||||
|
||||
NEXT_PUBLIC_IS_CLOUD=true
|
||||
|
||||
+4
-4
@@ -31,8 +31,8 @@ export const env = createEnv({
|
||||
),
|
||||
GITHUB_ID: z.string().optional(),
|
||||
GITHUB_SECRET: z.string().optional(),
|
||||
AWS_ACCESS_KEY: z.string(),
|
||||
AWS_SECRET_KEY: z.string(),
|
||||
AWS_ACCESS_KEY_ID: z.string().optional(),
|
||||
AWS_SECRET_ACCESS_KEY: z.string().optional(),
|
||||
USESEND_API_KEY: z.string().optional(),
|
||||
UNSEND_API_KEY: z.string().optional(),
|
||||
GOOGLE_CLIENT_ID: z.string().optional(),
|
||||
@@ -99,8 +99,8 @@ export const env = createEnv({
|
||||
NEXTAUTH_URL: process.env.NEXTAUTH_URL,
|
||||
GITHUB_ID: process.env.GITHUB_ID,
|
||||
GITHUB_SECRET: process.env.GITHUB_SECRET,
|
||||
AWS_ACCESS_KEY: process.env.AWS_ACCESS_KEY,
|
||||
AWS_SECRET_KEY: process.env.AWS_SECRET_KEY,
|
||||
AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID || process.env.AWS_ACCESS_KEY,
|
||||
AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY || process.env.AWS_SECRET_KEY,
|
||||
USESEND_API_KEY: process.env.USESEND_API_KEY,
|
||||
UNSEND_API_KEY: process.env.UNSEND_API_KEY,
|
||||
GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
import { env } from "~/env";
|
||||
|
||||
export function getAwsCredentialOptions() {
|
||||
const hasKey = !!env.AWS_ACCESS_KEY_ID;
|
||||
const hasSecret = !!env.AWS_SECRET_ACCESS_KEY;
|
||||
|
||||
if (hasKey !== hasSecret) {
|
||||
throw new Error(
|
||||
"AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set or both be omitted"
|
||||
);
|
||||
}
|
||||
|
||||
if (hasKey) {
|
||||
return {
|
||||
credentials: {
|
||||
accessKeyId: env.AWS_ACCESS_KEY_ID!,
|
||||
secretAccessKey: env.AWS_SECRET_ACCESS_KEY!,
|
||||
},
|
||||
};
|
||||
}
|
||||
return {};
|
||||
}
|
||||
@@ -17,6 +17,7 @@ import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
|
||||
import { generateKeyPairSync } from "crypto";
|
||||
import nodemailer from "nodemailer";
|
||||
import { env } from "~/env";
|
||||
import { getAwsCredentialOptions } from "~/server/aws/credentials";
|
||||
import { EmailContent } from "~/types";
|
||||
import { logger } from "../logger/log";
|
||||
import { buildHeaders } from "~/server/utils/email-headers";
|
||||
@@ -30,10 +31,7 @@ async function getAccountId(region: string) {
|
||||
|
||||
const stsClient = new STSClient({
|
||||
region: region,
|
||||
credentials: {
|
||||
accessKeyId: env.AWS_ACCESS_KEY,
|
||||
secretAccessKey: env.AWS_SECRET_KEY,
|
||||
},
|
||||
...getAwsCredentialOptions(),
|
||||
});
|
||||
const command = new GetCallerIdentityCommand({});
|
||||
const response = await stsClient.send(command);
|
||||
@@ -50,10 +48,7 @@ function getSesClient(region: string) {
|
||||
return new SESv2Client({
|
||||
region: region,
|
||||
endpoint: env.AWS_SES_ENDPOINT,
|
||||
credentials: {
|
||||
accessKeyId: env.AWS_ACCESS_KEY,
|
||||
secretAccessKey: env.AWS_SECRET_KEY,
|
||||
},
|
||||
...getAwsCredentialOptions(),
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -5,15 +5,13 @@ import {
|
||||
DeleteTopicCommand,
|
||||
} from "@aws-sdk/client-sns";
|
||||
import { env } from "~/env";
|
||||
import { getAwsCredentialOptions } from "~/server/aws/credentials";
|
||||
|
||||
function getSnsClient(region: string) {
|
||||
return new SNSClient({
|
||||
endpoint: env.AWS_SNS_ENDPOINT,
|
||||
region: region,
|
||||
credentials: {
|
||||
accessKeyId: env.AWS_ACCESS_KEY,
|
||||
secretAccessKey: env.AWS_SECRET_KEY,
|
||||
},
|
||||
...getAwsCredentialOptions(),
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -4,8 +4,8 @@ const defaultEnv: Record<string, string> = {
|
||||
NEXTAUTH_SECRET: "test-secret",
|
||||
DATABASE_URL: "postgresql://usesend:password@127.0.0.1:54329/usesend_test",
|
||||
REDIS_URL: "redis://127.0.0.1:6380/15",
|
||||
AWS_ACCESS_KEY: "test-access-key",
|
||||
AWS_SECRET_KEY: "test-secret-key",
|
||||
AWS_ACCESS_KEY_ID: "test-access-key",
|
||||
AWS_SECRET_ACCESS_KEY: "test-secret-key",
|
||||
AWS_DEFAULT_REGION: "us-east-1",
|
||||
NEXT_PUBLIC_IS_CLOUD: "true",
|
||||
API_RATE_LIMIT: "2",
|
||||
|
||||
Reference in New Issue
Block a user