/// <summary>
/// Create the role if it's not there already.
/// Return true if it already existed.
/// </summary>
/// <returns></returns>
private static async Task <bool> ValidateAndSetIamRoleArn(AmazonIdentityManagementServiceClient iamClient)
{
var getRoleRequest = new GetRoleRequest
{
RoleName = ExecutionRoleName
};
try
{
ExecutionRoleArn = (await iamClient.GetRoleAsync(getRoleRequest)).Role.Arn;
return(true);
}
catch (NoSuchEntityException)
{
// create the role
var createRoleRequest = new CreateRoleRequest
{
RoleName = ExecutionRoleName,
Description = "Test role for CustomRuntimeTests.",
AssumeRolePolicyDocument = LAMBDA_ASSUME_ROLE_POLICY
};
ExecutionRoleArn = (await iamClient.CreateRoleAsync(createRoleRequest)).Role.Arn;
// Wait for role to propagate.
await Task.Delay(10000);
return(false);
}
}
private static async Task SetupVmimportRole(string accessKey, string secretKey)
{
var credentials = new BasicAWSCredentials(accessKey, secretKey);
var iamClient = new AmazonIdentityManagementServiceClient(credentials, RegionEndpoint.EUCentral1);
Console.WriteLine("Creating role...");
var createRole = await iamClient.CreateRoleAsync(new CreateRoleRequest
{
RoleName = "vmimport",
AssumeRolePolicyDocument = ReadEmbeddedFile("AwsSetupTool.trust-policy.json")
});
Console.WriteLine($"HTTP {createRole.HttpStatusCode}: {createRole}");
Console.WriteLine("Creating role policy...");
var putRolePolicy =
await
iamClient.PutRolePolicyAsync(new PutRolePolicyRequest
{
RoleName = "vmimport",
PolicyName = "vmimport",
PolicyDocument = ReadEmbeddedFile("AwsSetupTool.role-policy.json")
});
Console.WriteLine($"HTTP {putRolePolicy.HttpStatusCode}: {putRolePolicy}");
}
public JObject FunctionHandler(JObject input)
{
JObject createAccountResponseObject = JObject.FromObject(input.SelectToken("CreateAccountResponse"));
string accountId = createAccountResponseObject.SelectToken("CreateAccountStatus.AccountId").ToString();
var credentials = AssumeIdentity.AssumeRole(accountId).Credentials;
string accessKey = credentials.AccessKeyId;
string secretkey = credentials.SecretAccessKey;
string sessionToken = credentials.SessionToken;
AmazonIdentityManagementServiceClient client = new AmazonIdentityManagementServiceClient(accessKey, secretkey, sessionToken);
CreateRoleRequest request = new CreateRoleRequest()
{
RoleName = input.SelectToken("EventData.roleName").ToString(),
MaxSessionDuration = 43200,
AssumeRolePolicyDocument = "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"sts:AssumeRoleWithSAML\", \"Principal\": {\"Federated\": \"arn:aws:iam::" + accountId + ":saml-provider/ADFS\"}, \"Condition\": {\"StringEquals\": {\"SAML:aud\": \"https://signin.aws.amazon.com/saml\"}} } }"
};
CreateRoleResponse response = client.CreateRoleAsync(request).Result;
JObject outputObject = new JObject();
outputObject.Add("CreateAccountResponse", createAccountResponseObject);
outputObject.Add("CreateRoleResponse", JObject.FromObject(response));
outputObject.Add("EventData", input.SelectToken("EventData"));
return(outputObject);
}
public static async Task SetupFargateRoleAsync()
{
#region setup_ecs_frontend_role
using (var iamClient = new AmazonIdentityManagementServiceClient())
{
var createRequest = new CreateRoleRequest
{
RoleName = "ECS-ServerlessTODOList.Frontend",
AssumeRolePolicyDocument = @"
{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Sid"": """",
""Effect"": ""Allow"",
""Principal"": {
""Service"": ""ecs-tasks.amazonaws.com""
},
""Action"": ""sts:AssumeRole""
}
]
}
".Trim()
};
try
{
var createResponse = await iamClient.CreateRoleAsync(createRequest);
Console.WriteLine($"Role {createResponse.Role.RoleName}");
var policies = new string[]
{
"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
"arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
"arn:aws:iam::aws:policy/AmazonSSMFullAccess",
"arn:aws:iam::aws:policy/AmazonCognitoPowerUser"
};
foreach (var policy in policies)
{
await iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
RoleName = createRequest.RoleName,
PolicyArn = policy
});
Console.WriteLine($"Policy {policy} attached to {createRequest.RoleName}");
}
}
catch (EntityAlreadyExistsException)
{
Console.Error.WriteLine($"Role with the name {createRequest.RoleName} alreaedy exists.");
}
}
#endregion
}
public static async Task SetupStreamProcessorRoleAsync()
{
#region setup_streamprocessor_role
using (var iamClient = new AmazonIdentityManagementServiceClient())
{
var createRequest = new CreateRoleRequest
{
RoleName = "ServerlessTODOList.StreamProcessor",
AssumeRolePolicyDocument = @"
{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Sid"": """",
""Effect"": ""Allow"",
""Principal"": {
""Service"": ""lambda.amazonaws.com""
},
""Action"": ""sts:AssumeRole""
}
]
}
".Trim()
};
try
{
var createResponse = await iamClient.CreateRoleAsync(createRequest);
Console.WriteLine($"Role {createResponse.Role.RoleName}");
var policies = new string[]
{
"arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
"arn:aws:iam::aws:policy/AmazonSESFullAccess"
};
foreach (var policy in policies)
{
await iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
RoleName = createRequest.RoleName,
PolicyArn = policy
});
Console.WriteLine($"Policy {policy} attached to {createRequest.RoleName}");
}
}
catch (EntityAlreadyExistsException)
{
Console.Error.WriteLine($"Role with the name {createRequest.RoleName} alreaedy exists.");
}
}
#endregion
}
private async Task CreateRoleAsync()
{
var response = await _iamClient.CreateRoleAsync(new CreateRoleRequest
{
RoleName = _executionRoleName,
Description = $"Test role for {TestIdentifier}.",
AssumeRolePolicyDocument = LambdaAssumeRolePolicy
});
_executionRoleArn = response.Role.Arn;
// Wait 5 seconds to let execution role propagate
await Task.Delay(5000);
}
// snippet-end:[IAM.dotnetv3.AttachPolicy]
// snippet-start:[IAM.dotnetv3.CreateRoleAsync]
/// <summary>
/// Create a new IAM role which we can attach to a user.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="roleName">The name of the IAM role to create.</param>
/// <param name="rolePermissions">The permissions which the role will have.</param>
/// <returns>A Role object representing the newly created role.</returns>
public static async Task <Role> CreateRoleAsync(
AmazonIdentityManagementServiceClient client,
string roleName,
string rolePermissions)
{
var request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = rolePermissions,
};
var response = await client.CreateRoleAsync(request);
return(response.Role);
}
public Task <CreateRoleResponse> CreateRoleAsync(
string roleName,
string description,
string assumeRolePolicyDocument,
string path = null,
int maxSessionDuration = 12 *3600,
CancellationToken cancellationToken = default(CancellationToken))
=> _IAMClient.CreateRoleAsync(
new CreateRoleRequest()
{
Description = description,
RoleName = roleName,
MaxSessionDuration = maxSessionDuration,
AssumeRolePolicyDocument = assumeRolePolicyDocument, Path = path
},
cancellationToken).EnsureSuccessAsync();
static async Task <string> CreateRole(string roleName, string service, string policy)
{
try
{
var config = new AmazonIdentityManagementServiceConfig();
config.RegionEndpoint = region;
using (var aimsc = new AmazonIdentityManagementServiceClient(config))
{
string assumeRole = @"{""Version"":""2012-10-17"",""Statement"":[{""Effect"":""Allow"",""Principal"":{""Service"": """ + service + @".amazonaws.com""},""Action"":""sts:AssumeRole""}]}";
var crres = await aimsc.CreateRoleAsync(new CreateRoleRequest
{
AssumeRolePolicyDocument = assumeRole,
Path = "/",
RoleName = roleName
});
Role role = crres.Role;
bucket = "buildbucket-" + region.SystemName + "-" + GetAWSNum(role.Arn);
var cpres = await aimsc.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyName = roleName + "Policy",
Description = "This allows " + service + " to access services",
PolicyDocument = policy,
Path = "/"
});
var policyArn = cpres.Policy.Arn;
var response = await aimsc.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName
});
return(role.Arn);
}
}
catch (AmazonIdentityManagementServiceException imsException)
{
Console.WriteLine(imsException.Message, imsException.InnerException);
throw;
}
}
/// <summary>
/// Defines the policy for the IAM role and then creates the role.
/// </summary>
static async Task Main()
{
// Policy that allows reading and writing to a specific Amazon S3
// Bucket. This policy will allow managing the bucket as well as
// working with the objects in that bucket.
string s3ManagementPolicy = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\" : [{" +
" \"Sid\": \"ListObjectsInBucket\"," +
" \"Effect\" : \"Allow\"," +
" \"Action\" : [\"s3: ListBucket\"]," +
" \"Resource\" :[\"arn:aws:s3:::doc-example-bucket/*\"]" +
"}," +
" \"Sid\": \"AllObjectActions\"," +
" \"Effect\" : \"Allow\"," +
" \"Action\" : [\"s3:*Object*\"]," +
" \"Resource\" :[\"arn:aws:s3:::doc-example-bucket/*\"]" +
"}]" +
"}";
string roleName = "S3ManagementRole";
// Create the IAM client object.
var client = new AmazonIdentityManagementServiceClient();
var request = new CreateRoleRequest
{
AssumeRolePolicyDocument = s3ManagementPolicy,
RoleName = roleName,
};
var response = await client.CreateRoleAsync(request);
if (response.Role is not null)
{
var r = response.Role;
Console.WriteLine($"{r.RoleName} created on: {r.CreateDate}");
}
else
{
Console.WriteLine("Could not create role.");
}
}
/// <summary>
/// Create the instance profile that will give permission for the EC2 instance to make request to Amazon S3.
/// </summary>
/// <returns></returns>
string CreateInstanceProfile()
{
var roleName = "magicec2" + RESOURCDE_POSTFIX;
// AmazonIdentityManagementServiceClient
var client = new AmazonIdentityManagementServiceClient(accessKeyId, secretAccessKey, region);
client.CreateRoleAsync(new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = @"{""Statement"":[{""Principal"":{""Service"":[""ec2.amazonaws.com""]},""Effect"":""Allow"",""Action"":[""sts:AssumeRole""]}]}"
});
var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow);
statement.Actions.Add(S3ActionIdentifiers.AllS3Actions);
statement.Resources.Add(new Resource("*"));
var policy = new Policy();
policy.Statements.Add(statement);
client.PutRolePolicyAsync(new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = "S3Access",
PolicyDocument = policy.ToJson()
});
var response = client.CreateInstanceProfileAsync(new CreateInstanceProfileRequest
{
InstanceProfileName = roleName
});
client.AddRoleToInstanceProfileAsync(new AddRoleToInstanceProfileRequest
{
InstanceProfileName = roleName,
RoleName = roleName
});
return(response.Result.InstanceProfile.Arn);
}
private async Task CreateRoleAsync()
{
var response = await _iamClient.CreateRoleAsync(new CreateRoleRequest
{
RoleName = _executionRoleName,
Description = $"Test role for {TestIdentifier}.",
AssumeRolePolicyDocument = LambdaAssumeRolePolicy
});
_executionRoleArn = response.Role.Arn;
// Wait 10 seconds to let execution role propagate
await Task.Delay(10000);
await _iamClient.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
RoleName = _executionRoleName,
PolicyArn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
});
// Wait 10 seconds to let execution role propagate
await Task.Delay(10000);
}
//Tests GetCognitoAWSCredentials
public async void TestGetCognitoAWSCredentials()
{
string password = "******";
string poolRegion = user.UserPool.PoolID.Substring(0, user.UserPool.PoolID.IndexOf("_"));
string providerName = "cognito-idp." + poolRegion + ".amazonaws.com/" + user.UserPool.PoolID;
AuthFlowResponse context =
await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
{
Password = password
}).ConfigureAwait(false);
//Create identity pool
identityClient = new AmazonCognitoIdentityClient(clientCredentials, clientRegion);
CreateIdentityPoolResponse poolResponse =
await identityClient.CreateIdentityPoolAsync(new CreateIdentityPoolRequest()
{
AllowUnauthenticatedIdentities = false,
CognitoIdentityProviders = new List <CognitoIdentityProviderInfo>()
{
new CognitoIdentityProviderInfo()
{
ProviderName = providerName, ClientId = user.ClientID
}
},
IdentityPoolName = "TestIdentityPool" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).ConfigureAwait(false);
identityPoolId = poolResponse.IdentityPoolId;
//Create role for identity pool
managementClient = new AmazonIdentityManagementServiceClient(clientCredentials, clientRegion);
CreateRoleResponse roleResponse = managementClient.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = "_TestRole_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
AssumeRolePolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect" +
"\": \"Allow\",\"Principal\": {\"Federated\": \"cognito-identity.amazonaws.com\"}," +
"\"Action\": \"sts:AssumeRoleWithWebIdentity\"}]}"
}).Result;
roleName = roleResponse.Role.RoleName;
//Create and attach policy for role
CreatePolicyResponse policyResponse = managementClient.CreatePolicyAsync(new CreatePolicyRequest()
{
PolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": " +
"[{\"Effect\": \"Allow\",\"Action\": [\"mobileanalytics:PutEvents\",\"cog" +
"nito-sync:*\",\"cognito-identity:*\",\"s3:*\"],\"Resource\": [\"*\"]}]}",
PolicyName = "_Cognito_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).Result;
policyArn = policyResponse.Policy.Arn;
AttachRolePolicyRequest attachRequest = new AttachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
};
AttachRolePolicyResponse attachRolePolicyResponse = managementClient.AttachRolePolicyAsync(attachRequest).Result;
//Set the role for the identity pool
await identityClient.SetIdentityPoolRolesAsync(new SetIdentityPoolRolesRequest()
{
IdentityPoolId = identityPoolId,
Roles = new Dictionary <string, string>()
{
{ "authenticated", roleResponse.Role.Arn },
{ "unauthenticated", roleResponse.Role.Arn }
},
}).ConfigureAwait(false);
//Create and test credentials
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials(identityPoolId, clientRegion);
using (var client = new AmazonS3Client(credentials, Amazon.RegionEndpoint.USEast1))
{
int tries = 0;
ListBucketsResponse bucketsResponse = null;
var retryLimit = 5;
Exception lastException = null;
for (; tries < retryLimit; tries++)
{
try
{
bucketsResponse = await client.ListBucketsAsync(new ListBucketsRequest()).ConfigureAwait(false);
Assert.Equal(bucketsResponse.HttpStatusCode, System.Net.HttpStatusCode.OK);
break;
}
catch (Exception ex)
{
lastException = ex;
System.Threading.Thread.Sleep(3000);
}
}
if (tries == retryLimit && lastException != null)
{
throw lastException;
}
}
}
/// <summary>
/// Internal constructor to initialize a provider, user pool, and user for testing
/// Created user info: Username = User 5, Password = PassWord1!, Email = [email protected]
/// </summary>
public MfaAuthenticationTests()
{
//Delete pool created by BaseAuthenticationTestClass
if (pool != null)
{
provider.DeleteUserPoolAsync(new DeleteUserPoolRequest()
{
UserPoolId = pool.PoolID
}).Wait();
}
UserPoolPolicyType passwordPolicy = new UserPoolPolicyType();
List <SchemaAttributeType> requiredAttributes = new List <SchemaAttributeType>();
List <string> verifiedAttributes = new List <string>();
var creds = FallbackCredentialsFactory.GetCredentials();
var region = FallbackRegionFactory.GetRegionEndpoint();
provider = new AmazonCognitoIdentityProviderClient(creds, region);
AdminCreateUserConfigType adminCreateUser = new AdminCreateUserConfigType()
{
UnusedAccountValidityDays = 8,
AllowAdminCreateUserOnly = false
};
passwordPolicy.PasswordPolicy = new PasswordPolicyType()
{
MinimumLength = 8,
RequireNumbers = true,
RequireSymbols = true,
RequireUppercase = true,
RequireLowercase = true
};
SchemaAttributeType emailSchema = new SchemaAttributeType()
{
Required = true,
Name = CognitoConstants.UserAttrEmail,
AttributeDataType = AttributeDataType.String
};
SchemaAttributeType phoneSchema = new SchemaAttributeType()
{
Required = true,
Name = CognitoConstants.UserAttrPhoneNumber,
AttributeDataType = AttributeDataType.String
};
requiredAttributes.Add(emailSchema);
requiredAttributes.Add(phoneSchema);
verifiedAttributes.Add(CognitoConstants.UserAttrEmail);
verifiedAttributes.Add(CognitoConstants.UserAttrPhoneNumber);
//Create Role for MFA
using (var managementClient = new AmazonIdentityManagementServiceClient())
{
CreateRoleResponse roleResponse = managementClient.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = "TestRole_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
AssumeRolePolicyDocument = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow" +
"\",\"Principal\":{\"Service\":\"cognito-idp.amazonaws.com\"},\"Action\":\"sts:AssumeRole\",\"Condition" +
"\":{\"StringEquals\":{\"sts:ExternalId\":\"8327d096-57c0-4fb7-ad24-62ea8fc692c0\"}}}]}"
}).Result;
roleName = roleResponse.Role.RoleName;
roleArn = roleResponse.Role.Arn;
//Create and attach policy for role
CreatePolicyResponse createPolicyResponse = managementClient.CreatePolicyAsync(new CreatePolicyRequest()
{
PolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Action" +
"\": [\"sns:publish\"],\"Resource\": [\"*\"]}]}",
PolicyName = "Cognito_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).Result;
policyName = createPolicyResponse.Policy.PolicyName;
policyArn = createPolicyResponse.Policy.Arn;
managementClient.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
}).Wait();
}
//Create user pool and client
CreateUserPoolRequest createPoolRequest = new CreateUserPoolRequest
{
PoolName = "mfaTestPool_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
Policies = passwordPolicy,
Schema = requiredAttributes,
AdminCreateUserConfig = adminCreateUser,
MfaConfiguration = "ON",
AutoVerifiedAttributes = verifiedAttributes,
SmsConfiguration = new SmsConfigurationType
{
SnsCallerArn = roleArn,
ExternalId = "8327d096-57c0-4fb7-ad24-62ea8fc692c0"
}
};
//Build in buffer time for role/policy to be created
CreateUserPoolResponse createPoolResponse = null;
string bufferExMsg = "Role does not have a trust relationship allowing Cognito to assume the role";
while (true)
{
try
{
createPoolResponse = provider.CreateUserPoolAsync(createPoolRequest).Result;
break;
}
catch (Exception ex)
{
if (string.Equals(bufferExMsg, ex.InnerException.Message))
{
System.Threading.Thread.Sleep(3000);
}
else
{
throw ex;
}
}
}
UserPoolType poolCreated = createPoolResponse.UserPool;
CreateUserPoolClientResponse clientResponse =
provider.CreateUserPoolClientAsync(new CreateUserPoolClientRequest()
{
ClientName = "App1",
UserPoolId = poolCreated.Id,
GenerateSecret = false,
}).Result;
UserPoolClientType clientCreated = clientResponse.UserPoolClient;
this.pool = new CognitoUserPool(poolCreated.Id, clientCreated.ClientId, provider, "");
SignUpRequest signUpRequest = new SignUpRequest()
{
ClientId = clientCreated.ClientId,
Password = "******",
Username = "******",
UserAttributes = new List <AttributeType>()
{
new AttributeType()
{
Name = CognitoConstants.UserAttrEmail, Value = "*****@*****.**"
},
new AttributeType()
{
Name = CognitoConstants.UserAttrPhoneNumber, Value = "+15555555555"
}
},
ValidationData = new List <AttributeType>()
{
new AttributeType()
{
Name = CognitoConstants.UserAttrEmail, Value = "*****@*****.**"
},
new AttributeType()
{
Name = CognitoConstants.UserAttrPhoneNumber, Value = "+15555555555"
}
}
};
SignUpResponse signUpResponse = provider.SignUpAsync(signUpRequest).Result;
AdminConfirmSignUpRequest confirmRequest = new AdminConfirmSignUpRequest()
{
Username = "******",
UserPoolId = poolCreated.Id
};
AdminConfirmSignUpResponse confirmResponse = provider.AdminConfirmSignUpAsync(confirmRequest).Result;
this.user = new CognitoUser("User5", clientCreated.ClientId, pool, provider);
}
//Tests GetCognitoAWSCredentials
public async void TestGetCognitoAWSCredentials()
{
var password = "******";
var poolRegion = user.UserPool.PoolID.Substring(0, user.UserPool.PoolID.IndexOf("_", StringComparison.Ordinal));
var providerName = "cognito-idp." + poolRegion + ".amazonaws.com/" + user.UserPool.PoolID;
var context =
await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
{
Password = password
}).ConfigureAwait(false);
//Create identity pool
identityClient = new AmazonCognitoIdentityClient(clientCredentials, clientRegion);
var poolResponse =
await identityClient.CreateIdentityPoolAsync(new CreateIdentityPoolRequest()
{
AllowUnauthenticatedIdentities = false,
CognitoIdentityProviders = new List <CognitoIdentityProviderInfo>()
{
new CognitoIdentityProviderInfo()
{
ProviderName = providerName, ClientId = user.ClientID
}
},
IdentityPoolName = "TestIdentityPool" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).ConfigureAwait(false);
identityPoolId = poolResponse.IdentityPoolId;
//Create role for identity pool
managementClient = new AmazonIdentityManagementServiceClient(clientCredentials, clientRegion);
var roleResponse = managementClient.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = "_TestRole_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
AssumeRolePolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect" +
"\": \"Allow\",\"Principal\": {\"Federated\": \"cognito-identity.amazonaws.com\"}," +
"\"Action\": \"sts:AssumeRoleWithWebIdentity\"}]}"
}).Result;
roleName = roleResponse.Role.RoleName;
//Create and attach policy for role
var policyResponse = managementClient.CreatePolicyAsync(new CreatePolicyRequest()
{
PolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": " +
"[{\"Effect\": \"Allow\",\"Action\": [\"mobileanalytics:PutEvents\",\"cog" +
"nito-sync:*\",\"cognito-identity:*\",\"s3:*\"],\"Resource\": [\"*\"]}]}",
PolicyName = "_Cognito_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).Result;
policyArn = policyResponse.Policy.Arn;
var attachRequest = new AttachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
};
var attachRolePolicyResponse = managementClient.AttachRolePolicyAsync(attachRequest).Result;
//Set the role for the identity pool
await identityClient.SetIdentityPoolRolesAsync(new SetIdentityPoolRolesRequest()
{
IdentityPoolId = identityPoolId,
Roles = new Dictionary <string, string>()
{
{ "authenticated", roleResponse.Role.Arn },
{ "unauthenticated", roleResponse.Role.Arn }
},
}).ConfigureAwait(false);
//Create and test credentials
var credentials = user.GetCognitoAWSCredentials(identityPoolId, clientRegion);
using (var client = new AmazonS3Client(credentials, Amazon.RegionEndpoint.USEast1))
{
var tries = 0;
var bufferExMsg = "Invalid identity pool configuration. Check assigned IAM roles for this pool.";
ListBucketsResponse bucketsResponse = null;
for (; tries < 5; tries++)
{
try
{
bucketsResponse = await client.ListBucketsAsync(new ListBucketsRequest()).ConfigureAwait(false);
break;
}
catch (NullReferenceException)
{
System.Threading.Thread.Sleep(3000);
}
catch (Exception ex)
{
if (string.Equals(bufferExMsg, ex.Message))
{
System.Threading.Thread.Sleep(3000);
}
else
{
throw ex;
}
}
}
Assert.True(tries < 5, "Failed to list buckets after 5 tries");
Assert.Equal(bucketsResponse.HttpStatusCode, System.Net.HttpStatusCode.OK);
}
}