fix: simplify configuration of secrets rather than a bunch of if statements

also remove some extraneous comments

Signed-off-by: Jennifer Davis <sigje@google.com>

Author: iennae

auth/customcredentials/aws/Dockerfile

@@ -1,25 +1,15 @@
-# Use the official Node.js image.
-# https://hub.docker.com/_/node
 FROM node:20-slim
 
-# Create and change to the app directory.
 WORKDIR /app
 
-# Copy application dependency manifests to the container image.
-# A wildcard is used to ensure both package.json AND package-lock.json are copied.
 COPY package*.json ./
 
-# Install production dependencies.
 RUN npm install --omit=dev
 
-# Create a non-root user for security
 RUN useradd -m appuser
 
-# Copy local code to the container image.
 COPY --chown=appuser:appuser . .
 
-# Switch to non-root user
 USER appuser
 
-# Run the web service on container startup.
 CMD [ "node", "customCredentialSupplierAws.js" ]

auth/customcredentials/aws/README.md

@@ -119,4 +119,3 @@ eksctl delete cluster --name your-cluster-name
 ## Testing
 
 This sample is not continuously tested. It is provided for instructional purposes and may require modifications to work in your environment.
-```

auth/customcredentials/aws/customCredentialSupplierAws.js

@@ -30,11 +30,8 @@ const {Storage} = require('@google-cloud/storage');
  */
 class CustomAwsSupplier {
   constructor() {
-    // Will be cached upon first resolution.
     this.region = null;
 
-    // Initialize the AWS credential provider.
-    // The AWS SDK handles memoization (caching) and proactive refreshing internally.
     this.awsCredentialsProvider = fromNodeProviderChain();
   }
 
@@ -65,7 +62,6 @@ class CustomAwsSupplier {
    * Retrieves AWS security credentials using the AWS SDK's default provider chain.
    */
   async getAwsSecurityCredentials(_context) {
-    // Call the initialized provider. It will return cached creds or refresh if needed.
     const awsCredentials = await this.awsCredentialsProvider();
 
     if (!awsCredentials.accessKeyId || !awsCredentials.secretAccessKey) {
@@ -75,7 +71,6 @@ class CustomAwsSupplier {
       );
     }
 
-    // Map the AWS SDK format to the google-auth-library format.
     return {
       accessKeyId: awsCredentials.accessKeyId,
       secretAccessKey: awsCredentials.secretAccessKey,
@@ -131,40 +126,25 @@ function loadConfigFromFile() {
 
   try {
     const secrets = JSON.parse(fs.readFileSync(secretsPath, 'utf8'));
-
     if (!secrets) {
       return;
     }
 
-    // AWS SDK for Node.js looks for environment variables with specific names.
-    if (secrets.aws_access_key_id) {
-      process.env.AWS_ACCESS_KEY_ID = secrets.aws_access_key_id;
-    }
-    if (secrets.aws_secret_access_key) {
-      process.env.AWS_SECRET_ACCESS_KEY = secrets.aws_secret_access_key;
-    }
-    if (secrets.aws_region) {
-      process.env.AWS_REGION = secrets.aws_region;
-    }
-
-    // Set custom GCP variables so they can be retrieved from process.env.
-    if (secrets.gcp_workload_audience) {
-      process.env.GCP_WORKLOAD_AUDIENCE = secrets.gcp_workload_audience;
-    }
-    if (secrets.gcs_bucket_name) {
-      process.env.GCS_BUCKET_NAME = secrets.gcs_bucket_name;
-    }
-    if (secrets.gcp_service_account_impersonation_url) {
-      process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL =
-        secrets.gcp_service_account_impersonation_url;
-    }
+    const configMapping = {
+      aws_access_key_id: 'AWS_ACCESS_KEY_ID',
+      aws_secret_access_key: 'AWS_SECRET_ACCESS_KEY',
+      aws_region: 'AWS_REGION',
+      gcp_workload_audience: 'GCP_WORKLOAD_AUDIENCE',
+      gcs_bucket_name: 'GCS_BUCKET_NAME',
+      gcp_service_account_impersonation_url:
+        'GCP_SERVICE_ACCOUNT_IMPERSONATION_URL',
+    };
   } catch (error) {
     console.error(`Error reading secrets file: ${error.message}`);
   }
 }
 
 async function main() {
-  // Reads the secrets.json if running locally.
   loadConfigFromFile();
 
   const gcpAudience = process.env.GCP_WORKLOAD_AUDIENCE;

auth/customcredentials/okta/customCredentialSupplierOkta.js

@@ -25,7 +25,6 @@ const path = require('path');
  */
 class OktaClientCredentialsSupplier {
   constructor(domain, clientId, clientSecret) {
-    // Ensure domain URL is clean
     const cleanDomain = domain.endsWith('/') ? domain.slice(0, -1) : domain;
     this.oktaTokenUrl = `${cleanDomain}/oauth2/default/v1/token`;
 
@@ -42,7 +41,6 @@ class OktaClientCredentialsSupplier {
    * @returns {Promise<string>} A promise that resolves with the Okta Access token.
    */
   async getSubjectToken() {
-    // Check if the current token is still valid (with a 60-second buffer).
     const isTokenValid =
       this.accessToken && Date.now() < this.expiryTime - 60 * 1000;
 
@@ -151,37 +149,24 @@ function loadConfigFromFile() {
 
   try {
     const secrets = JSON.parse(fs.readFileSync(secretsPath, 'utf8'));
-
     if (!secrets) {
       return;
     }
 
-    // Map JSON keys (snake_case) to Environment Variables (UPPER_CASE)
-    if (secrets.gcp_workload_audience) {
-      process.env.GCP_WORKLOAD_AUDIENCE = secrets.gcp_workload_audience;
-    }
-    if (secrets.gcs_bucket_name) {
-      process.env.GCS_BUCKET_NAME = secrets.gcs_bucket_name;
-    }
-    if (secrets.gcp_service_account_impersonation_url) {
-      process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL =
-        secrets.gcp_service_account_impersonation_url;
-    }
-    if (secrets.okta_domain) {
-      process.env.OKTA_DOMAIN = secrets.okta_domain;
-    }
-    if (secrets.okta_client_id) {
-      process.env.OKTA_CLIENT_ID = secrets.okta_client_id;
-    }
-    if (secrets.okta_client_secret) {
-      process.env.OKTA_CLIENT_SECRET = secrets.okta_client_secret;
-    }
+    const configMapping = {
+      gcp_workload_audience: 'GCP_WORKLOAD_AUDIENCE',
+      gcs_bucket_name: 'GCS_BUCKET_NAME',
+      gcp_service_account_impersonation_url:
+        'GCP_SERVICE_ACCOUNT_IMPERSONATION_URL',
+      okta_domain: 'OKTA_DOMAIN',
+      okta_client_id: 'OKTA_CLIENT_ID',
+      okta_client_secret: 'OKTA_CLIENT_SECRET',
+    };
   } catch (error) {
     console.error(`Error reading secrets file: ${error.message}`);
   }
 }
 
-// Load the configuration from the file when the module is loaded.
 loadConfigFromFile();
 
 async function main() {