@aws-sdk/credential-provider-imds
AWS credential provider that sources credentials from the EC2 instance metadata service and ECS container metadata service
Versions: 6
License: Apache-2.0
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mattsb42-aws, kuhe, amzn-oss, aws-sdk-bot, trivikr-aws
Keywords
aws, credentials
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist-es/remoteProvider/httpRequest.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-cjs/fromContainerMetadata.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-es/fromContainerMetadata.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-cjs/fromInstanceMetadata.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-es/fromInstanceMetadata.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-cjs/utils/getInstanceMetadataEndpoint.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-es/utils/getInstanceMetadataEndpoint.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist-cjs/remoteProvider/httpRequest.js | AI (source-diff): Long lines caused by inline base64 source maps in AWS SDK TypeScript build output, not actual obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/utils/getInstanceMetadataEndpoint.js | AI (source-diff): False positive: the long lines are TypeScript-compiled JS with tslib __awaiter/__generator helpers, not obfuscation. Code is clearly readable and implements IMDS endpoint resolution. | ai | |
| source-diff | obfuscated-file:dist/es/utils/getInstanceMetadataEndpoint.js | AI (source-diff): False positive: ES module output with tslib generator helpers produces long single-line state machines. Code is readable and implements legitimate IMDS endpoint resolution logic. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Diff is against v3.6.1; 64 new files reflect organic growth over ~180 versions, not injected code. Package structure is clean AWS SDK monorepo output. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): AWS SDK team rotation; all maintainers are AWS-affiliated. Publisher remains aws-sdk-bot. Normal for a large AWS monorepo package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are first-party @aws-sdk packages pinned to the same version (3.186.0), consistent with AWS SDK monorepo release pattern. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): AWS SDK team rotation; removals paired with additions are consistent with normal team changes at AWS, not a takeover. | ai | |
| provenance | no-provenance | AI (provenance): aws-sdk-bot is a well-established AWS publisher; lack of Sigstore provenance is expected for this package family and not a security concern. | ai | |