import type { Request } from 'aws4'; import { sign } from 'aws4'; import type { ICredentialDataDecryptedObject, ICredentialTestRequest, ICredentialType, IDataObject, IHttpRequestOptions, INodeProperties, IRequestOptions, } from 'n8n-workflow'; import { isObjectEmpty } from 'n8n-workflow'; export const regions = [ { name: 'af-south-1', displayName: 'Africa', location: 'Cape Town', }, { name: 'ap-east-1', displayName: 'Asia Pacific', location: 'Hong Kong', }, { name: 'ap-south-1', displayName: 'Asia Pacific', location: 'Mumbai', }, { name: 'ap-southeast-1', displayName: 'Asia Pacific', location: 'Singapore', }, { name: 'ap-southeast-2', displayName: 'Asia Pacific', location: 'Sydney', }, { name: 'ap-southeast-3', displayName: 'Asia Pacific', location: 'Jakarta', }, { name: 'ap-northeast-1', displayName: 'Asia Pacific', location: 'Tokyo', }, { name: 'ap-northeast-2', displayName: 'Asia Pacific', location: 'Seoul', }, { name: 'ap-northeast-3', displayName: 'Asia Pacific', location: 'Osaka', }, { name: 'ca-central-1', displayName: 'Canada', location: 'Central', }, { name: 'eu-central-1', displayName: 'Europe', location: 'Frankfurt', }, { name: 'eu-north-1', displayName: 'Europe', location: 'Stockholm', }, { name: 'eu-south-1', displayName: 'Europe', location: 'Milan', }, { name: 'eu-west-1', displayName: 'Europe', location: 'Ireland', }, { name: 'eu-west-2', displayName: 'Europe', location: 'London', }, { name: 'eu-west-3', displayName: 'Europe', location: 'Paris', }, { name: 'me-south-1', displayName: 'Middle East', location: 'Bahrain', }, { name: 'sa-east-1', displayName: 'South America', location: 'São Paulo', }, { name: 'us-east-1', displayName: 'US East', location: 'N. Virginia', }, { name: 'us-east-2', displayName: 'US East', location: 'Ohio', }, { name: 'us-west-1', displayName: 'US West', location: 'N. California', }, { name: 'us-west-2', displayName: 'US West', location: 'Oregon', }, ] as const; export type AWSRegion = (typeof regions)[number]['name']; export type AwsCredentialsType = { region: AWSRegion; accessKeyId: string; secretAccessKey: string; temporaryCredentials: boolean; customEndpoints: boolean; sessionToken?: string; rekognitionEndpoint?: string; lambdaEndpoint?: string; snsEndpoint?: string; sesEndpoint?: string; sqsEndpoint?: string; s3Endpoint?: string; }; // Some AWS services are global and don't have a region // https://docs.aws.amazon.com/general/latest/gr/rande.html#global-endpoints // Example: iam.amazonaws.com (global), s3.us-east-1.amazonaws.com (regional) function parseAwsUrl(url: URL): { region: AWSRegion | null; service: string } { const [service, region] = url.hostname.replace('amazonaws.com', '').split('.'); return { service, region: region as AWSRegion }; } export class Aws implements ICredentialType { name = 'aws'; displayName = 'AWS'; documentationUrl = 'aws'; icon = { light: 'file:icons/AWS.svg', dark: 'file:icons/AWS.dark.svg' } as const; properties: INodeProperties[] = [ { displayName: 'Region', name: 'region', type: 'options', options: regions.map((r) => ({ name: `${r.displayName} (${r.location}) - ${r.name}`, value: r.name, })), default: 'us-east-1', }, { displayName: 'Access Key ID', name: 'accessKeyId', type: 'string', default: '', }, { displayName: 'Secret Access Key', name: 'secretAccessKey', type: 'string', default: '', typeOptions: { password: true, }, }, { displayName: 'Temporary Security Credentials', name: 'temporaryCredentials', description: 'Support for temporary credentials from AWS STS', type: 'boolean', default: false, }, { displayName: 'Session Token', name: 'sessionToken', type: 'string', displayOptions: { show: { temporaryCredentials: [true], }, }, default: '', typeOptions: { password: true, }, }, { displayName: 'Custom Endpoints', name: 'customEndpoints', type: 'boolean', default: false, }, { displayName: 'Rekognition Endpoint', name: 'rekognitionEndpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and Rekognition using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://rekognition.{region}.amazonaws.com', }, { displayName: 'Lambda Endpoint', name: 'lambdaEndpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and Lambda using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://lambda.{region}.amazonaws.com', }, { displayName: 'SNS Endpoint', name: 'snsEndpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and SNS using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://sns.{region}.amazonaws.com', }, { displayName: 'SES Endpoint', name: 'sesEndpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and SES using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://email.{region}.amazonaws.com', }, { displayName: 'SQS Endpoint', name: 'sqsEndpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and SQS using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://sqs.{region}.amazonaws.com', }, { displayName: 'S3 Endpoint', name: 's3Endpoint', description: 'If you use Amazon VPC to host n8n, you can establish a connection between your VPC and S3 using a VPC endpoint. Leave blank to use the default endpoint.', type: 'string', displayOptions: { show: { customEndpoints: [true], }, }, default: '', placeholder: 'https://s3.{region}.amazonaws.com', }, ]; async authenticate( rawCredentials: ICredentialDataDecryptedObject, requestOptions: IHttpRequestOptions, ): Promise { const credentials = rawCredentials as AwsCredentialsType; let endpoint: URL; let service = requestOptions.qs?.service as string; let path = (requestOptions.qs?.path as string) ?? ''; const method = requestOptions.method; let body = requestOptions.body; let region = credentials.region; if (requestOptions.qs?._region) { region = requestOptions.qs._region as AWSRegion; delete requestOptions.qs._region; } let query = requestOptions.qs?.query as IDataObject; // ! Workaround as we still use the IRequestOptions interface which uses uri instead of url // ! To change when we replace the interface with IHttpRequestOptions const requestWithUri = requestOptions as unknown as IRequestOptions; if (requestWithUri.uri) { requestOptions.url = requestWithUri.uri; endpoint = new URL(requestOptions.url); if (service === 'sts') { try { if (requestWithUri.qs?.Action !== 'GetCallerIdentity') { query = requestWithUri.qs as IDataObject; } else { endpoint.searchParams.set('Action', 'GetCallerIdentity'); endpoint.searchParams.set('Version', '2011-06-15'); } } catch (err) { console.error(err); } } const parsed = parseAwsUrl(endpoint); service = parsed.service; if (parsed.region) { region = parsed.region; } } else { if (!requestOptions.baseURL && !requestOptions.url) { let endpointString: string; if (service === 'lambda' && credentials.lambdaEndpoint) { endpointString = credentials.lambdaEndpoint; } else if (service === 'sns' && credentials.snsEndpoint) { endpointString = credentials.snsEndpoint; } else if (service === 'sqs' && credentials.sqsEndpoint) { endpointString = credentials.sqsEndpoint; } else if (service === 's3' && credentials.s3Endpoint) { endpointString = credentials.s3Endpoint; } else if (service === 'ses' && credentials.sesEndpoint) { endpointString = credentials.sesEndpoint; } else if (service === 'rekognition' && credentials.rekognitionEndpoint) { endpointString = credentials.rekognitionEndpoint; } else if (service === 'sqs' && credentials.sqsEndpoint) { endpointString = credentials.sqsEndpoint; } else if (service) { endpointString = `https://${service}.${region}.amazonaws.com`; } endpoint = new URL(endpointString!.replace('{region}', region) + path); } else { // If no endpoint is set, we try to decompose the path and use the default endpoint const customUrl = new URL(`${requestOptions.baseURL!}${requestOptions.url}${path}`); const parsed = parseAwsUrl(customUrl); service = parsed.service; if (parsed.region) { region = parsed.region; } if (service === 'sts') { try { customUrl.searchParams.set('Action', 'GetCallerIdentity'); customUrl.searchParams.set('Version', '2011-06-15'); } catch (err) { console.error(err); } } endpoint = customUrl; } } if (query && Object.keys(query).length !== 0) { Object.keys(query).forEach((key) => { endpoint.searchParams.append(key, query[key] as string); }); } if (body && typeof body === 'object' && isObjectEmpty(body)) { body = ''; } path = endpoint.pathname + endpoint.search; const signOpts = { ...requestOptions, headers: requestOptions.headers ?? {}, host: endpoint.host, method, path, body: body !== '' ? body : undefined, region, } as Request; const securityHeaders = { accessKeyId: `${credentials.accessKeyId}`.trim(), secretAccessKey: `${credentials.secretAccessKey}`.trim(), sessionToken: credentials.temporaryCredentials ? `${credentials.sessionToken}`.trim() : undefined, }; try { sign(signOpts, securityHeaders); } catch (err) { console.error(err); } const options: IHttpRequestOptions = { ...requestOptions, headers: signOpts.headers, method, url: endpoint.origin + path, body: signOpts.body, qs: undefined, // override since it's already in the url }; return options; } test: ICredentialTestRequest = { request: { baseURL: '=https://sts.{{$credentials.region}}.amazonaws.com', url: '?Action=GetCallerIdentity&Version=2011-06-15', method: 'POST', }, }; }