feat: add AWS STS AssumeRole support to AWS credential

[rohan-patil2]

Summary

• Adds Role ARN and External ID fields to the AWS credential form (awsApi), enabling STS AssumeRole authentication across all 9 AWS-integrated nodes
• Introduces a centralized getAWSCredentialConfig() utility that handles static credentials, AssumeRole with explicit keys, and AssumeRole via the SDK default credential chain
• Includes Role ARN format validation (with support for aws, aws-cn, aws-us-gov partitions)

Background

Flowise currently only supports static IAM access keys for AWS authentication. Many organizations require role-based access for cross-account workflows, least-privilege enforcement, and temporary credential rotation. This change adds AssumeRole support so users can enter a Role ARN in the credential form and have Flowise obtain temporary credentials via STS automatically.

Supported Authentication Scenarios

Access Key	Secret Key	Role ARN	External ID	Behavior
Yes	Yes	—	—	Static credentials (existing behavior, unchanged)
Yes	Yes	Yes	—	AssumeRole using static keys as base credentials
Yes	Yes	Yes	Yes	AssumeRole with External ID for cross-account trust
—	—	Yes	—	AssumeRole using SDK default credential chain (EC2/EKS)
—	—	Yes	Yes	AssumeRole with External ID using SDK default chain
—	—	—	—	SDK default chain fallback (Bedrock nodes) or error

Backward Compatibility

• Existing saved credentials work without modification — new fields default to empty
• Credential name (awsApi) is unchanged; no database migration required
• getAWSCredentials() signature and return type are preserved
• Workflows that don't use Role ARN behave identically to before

Security

• Role ARN format is validated with a regex before any STS call is made (prevents confused deputy / injection)
• Temporary credentials are scoped to STS default and are obtained per-execution (no caching)
• External ID field supports the standard AWS confused deputy mitigation
• Session name (FlowiseSession-{timestamp}) provides CloudTrail audit traceability

[gemini-code-assist]

Summary of Changes

Hello @rohan-patil2, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades Flowise's AWS integration by introducing support for AWS STS AssumeRole. This enhancement allows users to configure role-based access, which is crucial for adhering to least-privilege principles and managing temporary credentials in enterprise AWS environments. The changes streamline credential management through a new centralized utility, making AWS authentication more secure, flexible, and aligned with modern cloud security practices, all while maintaining full backward compatibility.

Highlights

• AWS STS AssumeRole Support: Added comprehensive support for AWS Security Token Service (STS) AssumeRole, allowing users to specify a Role ARN and an optional External ID in their AWS credentials for temporary, role-based access.
• Centralized Credential Handling: Introduced a new utility function, getAWSCredentialConfig(), which centralizes the logic for fetching AWS credentials. This utility intelligently handles static credentials, AssumeRole with explicit keys, and AssumeRole via the AWS SDK's default credential chain.
• Enhanced Security and Validation: Implemented robust validation for Role ARN formats, supporting various AWS partitions (aws, aws-cn, aws-us-gov). The integration also includes support for External IDs to mitigate the confused deputy problem, and temporary credentials are scoped and obtained per-execution for improved security.
• Broad Node Compatibility: Updated 9 existing AWS-integrated nodes (including Bedrock Chat, Bedrock LLM, Bedrock Embeddings, S3 Document Loaders, Bedrock Knowledge Base Retriever, and Kendra) to leverage the new AssumeRole functionality, ensuring consistent and secure authentication across the platform.
• Backward Compatibility: Ensured that existing AWS credentials and workflows remain fully functional without any modifications, as the new fields are optional and the credential handling logic gracefully falls back to static credentials or the SDK default chain when AssumeRole is not configured.

Changelog

• packages/components/credentials/AWSCredential.credential.ts
  • Updated the credential version from 1.0 to 2.0.
  • Added new input fields 'Role ARN' and 'External ID' to the AWS credential form, enabling STS AssumeRole configuration.
• packages/components/nodes/chatmodels/AWSBedrock/AWSChatBedrock.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/documentloaders/S3Directory/S3Directory.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/documentloaders/S3File/S3File.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/llms/AWSBedrock/AWSBedrock.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/retrievers/AWSBedrockKBRetriever/AWSBedrockKBRetriever.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole.
• packages/components/nodes/vectorstores/Kendra/Kendra.ts
  • Refactored the credential fetching mechanism to utilize the new getAWSCredentialConfig utility, providing support for STS AssumeRole in Kendra operations.
• packages/components/package.json
  • Added @aws-sdk/client-sts as a new dependency to enable AWS Security Token Service interactions.
• packages/components/src/awsToolsUtils.ts
  • Introduced imports for STSClient, AssumeRoleCommand, and AssumeRoleCommandInput to facilitate STS operations.
  • Defined a new interface AWSCredentialConfig for a more structured return of credential configurations.
  • Added AWS_ROLE_ARN_REGEX for robust validation of IAM Role ARN formats.
  • Implemented getAWSCredentialConfig, a new central utility function that intelligently resolves AWS credentials, supporting static keys, AssumeRole with explicit base credentials, and the SDK's default credential chain.
  • Created an internal assumeRole helper function to encapsulate the logic for performing STS AssumeRole calls, including session naming for CloudTrail traceability and comprehensive error handling.
  • Modified the existing getAWSCredentials function to act as a backward-compatible wrapper, now delegating to getAWSCredentialConfig and transparently supporting AssumeRole.

Activity

• No specific human activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces AWS STS AssumeRole support, which is a significant enhancement for security and authentication flexibility with AWS services. The implementation is robust, featuring a new centralized utility getAWSCredentialConfig that cleanly handles various authentication scenarios. The code is well-documented, and backward compatibility is thoughtfully maintained. The refactoring across multiple AWS nodes greatly simplifies the credential handling logic. I've included a few minor suggestions to enhance type safety, which will improve long-term maintainability. Overall, this is an excellent and well-executed feature.

[gemini-code-assist]

For improved type safety and code clarity, it's better to use the specific KendraClientConfig type from the AWS SDK instead of any. This helps prevent potential runtime errors and improves maintainability.

You'll need to add KendraClientConfig to your imports:
import { KendraClient, ..., KendraClientConfig } from '@aws-sdk/client-kendra'

Suggested change

	let clientConfig: any = { region }
	let clientConfig: KendraClientConfig = { region }

[gemini-code-assist]

For improved type safety and code clarity, it's better to use the specific KendraClientConfig type from the AWS SDK instead of any. This helps prevent potential runtime errors and improves maintainability.

You'll need to ensure KendraClientConfig is imported from @aws-sdk/client-kendra.

Suggested change

	let clientConfig: any = { region }
	let clientConfig: KendraClientConfig = { region }

[gemini-code-assist]

The clientOptions object is typed as any. Since it's passed to the AmazonKendraRetriever, which expects a KendraClientConfig, you can type it explicitly for better type safety. Using Partial<KendraClientConfig> is appropriate here since it's initialized as an empty object.

You'll need to ensure KendraClientConfig is imported from @aws-sdk/client-kendra.

Suggested change

	let clientOptions: any = {}
	let clientOptions: Partial<KendraClientConfig> = {}

[gemini-code-assist]

The stsConfig object is typed as Record<string, any>, which is a bit loose. For better type safety and autocompletion, you can use the STSClientConfig type from the AWS SDK.

You'll need to add STSClientConfig to the existing import from @aws-sdk/client-sts.

Suggested change

	const stsConfig: Record<string, any> = { region }
	const stsConfig: STSClientConfig = { region }

[harshit-flowise]

@rohan-patil2

1. Please review and fix the issues highlighted by gemini-code-assist.
2. Below are few more things to fix -
   --Role ARN in error messages — The Role ARN is included in thrown errors. Ensure these errors are not exposed directly to end-users in API responses, as ARNs reveal account IDs. This is likely fine given Flowise's architecture but worth verifying.

-- Credential version bump (1.0 → 2.0) — The PR description says no migration is needed, but bumping the credential
version to 2.0 may have implications depending on how Flowise handles credential versioning. If the system enforces version checks, older stored credentials could behave unexpectedly. Verify that the version bump is purely cosmetic or that the upgrade path is handled.

--AWS_REGIONS duplication — This regions list likely already exists elsewhere in the codebase (several AWS nodes define their own region lists). Centralizing it here is good, but only if the nodes are updated to import from awsToolsUtils.ts. If they still maintain their own copies, this adds duplication rather than reducing it.

--SDK default chain fallback inconsistency — When getAWSCredentialConfig returns { credentials: undefined }, some nodes check if (credentialConfig.credentials) before assigning, which correctly falls through to the SDK default chain. But in S3Directory.ts the diff shows credentials = credentialConfig.credentials without a guard — if credentials was previously initialized to a non-undefined value, this would overwrite it with undefined. Verify all consumer nodes handle the undefined case consistently.

--getAWSCredentials() breaks SDK default chain — The backward-compat wrapper throws "AWS Access Key ID and Secret Access Key are required" when config.credentials is undefined. This means Pattern A nodes (SNS, DynamoDB) can never use the SDK default credential chain (EC2/EKS instance profiles). This may be intentional but should be documented as a known limitation.

3. Build the image and test it in AWS to make sure it is working fine and not breaking anything.