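/**
 * AWS credential resolution for the Bedrock provider.
 *
 * Chain (first hit wins):
 *  1. Static credentials from the environment
 *     (`AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` [+ `AWS_SESSION_TOKEN`]).
 *  2. Profile in `~/.aws/credentials` (and `~/.aws/config` for SSO):
 *       - static `aws_access_key_id` / `aws_secret_access_key` / `aws_session_token`
 *       - SSO profile referencing a cached token in `~/.aws/sso/cache/*.json`,
 *         which we exchange for short-lived role credentials via
 *         `https://portal.sso.{region}.amazonaws.com/federation/credentials`.
 *       - `credential_process` — an external command emitting the AWS SDK
 *         `Version: 1` JSON envelope on stdout. Used by `aws-vault`, `granted`,
 *         in-house brokers, etc.
 *  3. EC2 IMDSv2 (only when `AWS_EC2_METADATA_DISABLED` is unset / falsey and
 *     `169.254.169.254` is reachable within a 1 s timeout).
 *
 * Resolved credentials are cached process-wide per profile and refreshed
 * 60 s before `Expiration` to absorb clock skew.
 */
import type { FetchImpl } from "../types";
import type { AwsCredentials } from "./aws-sigv4";

/**
 * Credentials produced by the resolution chain, plus their expiry.
 *
 * Extends `AwsCredentials` from `./aws-sigv4` (shape not visible here;
 * presumably access key id, secret access key and optional session token).
 * Values of this type carry secret key material, so they should be kept out
 * of logs, error messages and serialized diagnostics.
 */
export interface ResolvedCredentials extends AwsCredentials {
  /** Absolute expiration timestamp in ms. `undefined` for non-expiring static creds. */
  expiresAt?: number;
}

/** Inputs that steer a single credential resolution. Every field is optional. */
export interface CredentialResolveOptions {
  /** Named profile from `~/.aws/credentials` / `~/.aws/config`. */
  profile?: string;
  /** Falls back to env (`AWS_REGION` / `AWS_DEFAULT_REGION`) and finally `us-east-1`. */
  region?: string;
  /** Abort signal. NOTE(review): presumably cancels in-flight network steps — confirm in the implementation. */
  signal?: AbortSignal;
  /**
   * Injected fetch implementation.
   * NOTE(review): presumably used for the SSO portal and IMDS requests; a
   * caller-supplied implementation then sees the SSO token and the returned
   * credentials, so it belongs to the trusted code base — confirm.
   */
  fetch?: FetchImpl;
}

/**
 * Resolve AWS credentials by walking the chain described in the file header;
 * the first source that yields credentials wins.
 *
 * The `credential_process` step runs a command taken from the selected
 * profile, so the files under `~/.aws` are part of the trust boundary of the
 * calling process: whoever can write them chooses what gets executed.
 *
 * @param opts - Profile, region, abort signal and fetch override; all optional.
 * @returns The resolved credentials, with `expiresAt` set when they expire.
 *   NOTE(review): the rejection behaviour when every source fails is not
 *   visible in this declaration — confirm in the implementation.
 */
export declare function resolveAwsCredentials(
  opts?: CredentialResolveOptions,
): Promise<ResolvedCredentials>;

/**
 * POSIX-shell-style tokenizer used by the AWS CLI for `credential_process`.
 *
 * Outside quotes a backslash escapes the next character. Inside single quotes
 * everything is literal (no escapes, cannot contain `'`). Inside double quotes
 * a backslash only escapes `$`, `` ` ``, `"`, and `\` — every other backslash
 * is preserved verbatim, which is what makes Windows paths like
 * `"C:\Program Files\tool\auth.exe"` survive tokenization.
 *
 * @param cmd - The raw `credential_process` value from the profile.
 * @returns The command split into tokens, in order.
 *   NOTE(review): presumably the tokens are spawned directly as an argv array
 *   rather than handed to a shell, so shell metacharacters in the profile
 *   value are not interpreted — confirm at the call site. Handling of an
 *   unterminated quote or an empty command is not visible here.
 */
export declare function tokenizeCredentialProcessCommand(cmd: string): string[];

/** Test/diagnostic helper — drops cached credentials. */
export declare function clearAwsCredentialCache(): void;

/**
 * Drop the cache entry for one profile/region. Called by the Bedrock provider on
 * 401/403 responses so stale credentials are re-resolved instead of served until restart.
 *
 * NOTE(review): the file header describes the cache as per profile, while this
 * signature also takes a region — confirm which key the cache actually uses,
 * and which entry is dropped when `opts` is omitted.
 *
 * @param opts - Profile and region identifying the entry to invalidate.
 */
export declare function invalidateAwsCredentialCache(opts?: {
  profile?: string;
  region?: string;
}): void;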