private static void SetupIfFederatedCredentials(
AWSCredentials credentials,
PSHost psHost,
IAWSCredentialsArguments self,
SessionState sessionState)
{
// if we have picked up a SAML-based credentials profile, make sure the callback
// to authenticate the user is set. The underlying SDK will then call us back
// if it needs to (we could skip setting if the profile indicates its for the
// default identity, but it's simpler to just set up anyway)
var samlCredentials = credentials as FederatedAWSCredentials;
if (samlCredentials != null)
{
// set up callback
var state = new SAMLCredentialCallbackState
{
Host = psHost, CmdletNetworkCredentialParameter = self.NetworkCredential
};
samlCredentials.Options.CredentialRequestCallback = UserCredentialCallbackHandler;
samlCredentials.Options.CustomCallbackState = state;
// set up proxy
samlCredentials.Options.ProxySettings = GetWebProxy(self, sessionState);
}
}
private static void SetProxyAndCallbackIfNecessary(
AWSCredentials innerCredentials,
IAWSCredentialsArguments self,
PSHost psHost,
SessionState sessionState)
{
SetupIfFederatedCredentials(innerCredentials, psHost, self, sessionState);
SetupIfAssumeRoleCredentials(innerCredentials, self, sessionState);
}
private static void SetupIfAssumeRoleCredentials(AWSCredentials credentials, IAWSCredentialsArguments self, SessionState sessionState)
{
var assumeRoleCredentials = credentials as AssumeRoleAWSCredentials;
if (assumeRoleCredentials != null)
{
// set up callback
assumeRoleCredentials.Options.MfaTokenCodeCallback = ReadMFACode;
// set up proxy
assumeRoleCredentials.Options.ProxySettings = GetWebProxy(self, sessionState);
}
}
private static WebProxy GetWebProxy(IAWSCredentialsArguments self, SessionState sessionState)
{
var proxySettings = ProxySettings.GetFromSettingsVariable(sessionState);
return(proxySettings != null?proxySettings.GetWebProxy() : null);
}
public static bool TryGetCredentials(
this IAWSCredentialsArguments self,
PSHost psHost,
out AWSPSCredentials credentials,
SessionState sessionState)
{
if (self == null)
{
throw new ArgumentNullException("self");
}
credentials = null;
string name = null;
var source = CredentialsSource.Unknown;
var userSpecifiedProfile = !string.IsNullOrEmpty(self.ProfileName);
var profileChain = new CredentialProfileStoreChain(self.ProfileLocation);
// we probe for credentials by first checking the bound parameters to see if explicit credentials
// were supplied (keys, profile name, credential object), overriding anything in the shell environment
if (AWSCredentialsFactory.TryGetAWSCredentials(
self.GetCredentialProfileOptions(),
profileChain,
out var innerCredentials))
{
source = CredentialsSource.Strings;
name = "Supplied Key Parameters";
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
// user gave us the profile name?
if (innerCredentials == null && userSpecifiedProfile)
{
if (profileChain.TryGetProfile(self.ProfileName, out var credentialProfile))
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = self.ProfileName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
else
{
// if the user gave us an explicit profile name (and optional location) it's an error if we
// don't find it as otherwise we could drop through and pick up a 'default' profile that is
// for a different account
return(false);
}
}
// how about an aws credentials object?
if (innerCredentials == null && self.Credential != null)
{
innerCredentials = self.Credential;
source = CredentialsSource.CredentialsObject;
name = "Credentials Object";
// don't set proxy and callback, use self.Credential as-is
}
// shell session variable set (this allows override of machine-wide environment variables)
if (innerCredentials == null && sessionState != null)
{
if (TryGetAWSPSCredentialsFromConflictingType(
sessionState.PSVariable.GetValue(SessionKeys.AWSCredentialsVariableName),
out var psCredentials))
{
credentials = psCredentials;
source = CredentialsSource.Session;
innerCredentials = credentials.Credentials; // so remaining probes are skipped
// don't set proxy and callback, use credentials.Credentials as-is
}
}
// no explicit command-level or shell instance override set, start to inspect the environment
// starting environment variables
if (innerCredentials == null)
{
try
{
var environmentCredentials = new EnvironmentVariablesAWSCredentials();
innerCredentials = environmentCredentials;
source = CredentialsSource.Environment;
name = "Environment Variables";
// no need to set proxy and callback - only basic or session credentials
}
catch
{
}
}
// get credentials from a 'default' profile?
if (innerCredentials == null && !userSpecifiedProfile)
{
if (profileChain.TryGetProfile(SettingsStore.PSDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
innerCredentials = AWSCredentialsFactory.GetAWSCredentials(credentialProfile, profileChain);
source = CredentialsSource.Profile;
name = SettingsStore.PSDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
// get credentials from a legacy default profile name?
if (innerCredentials == null)
{
if (profileChain.TryGetProfile(SettingsStore.PSLegacyDefaultSettingName, out var credentialProfile) &&
credentialProfile.CanCreateAWSCredentials)
{
if (AWSCredentialsFactory.TryGetAWSCredentials(
credentialProfile,
profileChain,
out innerCredentials))
{
source = CredentialsSource.Profile;
name = SettingsStore.PSLegacyDefaultSettingName;
SetProxyAndCallbackIfNecessary(innerCredentials, self, psHost, sessionState);
}
}
}
if (innerCredentials == null)
{
// try and load credentials from ECS endpoint (if the relevant environment variable is set)
// or EC2 Instance Profile as a last resort
try
{
var relativeUri =
Environment.GetEnvironmentVariable(ECSTaskCredentials.ContainerCredentialsURIEnvVariable);
var fullUri = Environment.GetEnvironmentVariable(
ECSTaskCredentials.ContainerCredentialsFullURIEnvVariable);
if (!string.IsNullOrEmpty(relativeUri) || !string.IsNullOrEmpty(fullUri))
{
innerCredentials = new ECSTaskCredentials();
source = CredentialsSource.Container;
name = "Container";
// no need to set proxy and callback
}
else
{
innerCredentials = new InstanceProfileAWSCredentials();
source = CredentialsSource.InstanceProfile;
name = "Instance Profile";
// no need to set proxy and callback
}
}
catch
{
innerCredentials = null;
}
}
if (credentials == null && innerCredentials != null)
{
credentials = new AWSPSCredentials(innerCredentials, name, source);
}
return(credentials != null);
}
