/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public ImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
{
throw new ArgumentException("Unknown or invalid role specified.");
}
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return(response.Credentials.GetCredentials());
}
private Amazon.SecurityToken.Model.AssumeRoleWithSAMLResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithSAMLRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithSAML");
try
{
#if DESKTOP
return(client.AssumeRoleWithSAML(request));
#elif CORECLR
return(client.AssumeRoleWithSAMLAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public SAMLImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
var swappedPrincipalAndRoleArns = string.Empty;
if (!string.IsNullOrEmpty(principalAndRoleArns))
{
var roleComponents = principalAndRoleArns.Split(',');
if (roleComponents.Count() != 2)
{
throw new ArgumentException("Unknown or invalid principal and role arns format.");
}
swappedPrincipalAndRoleArns = roleComponents.Last() + "," + roleComponents.First();
}
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase) || s.Equals(swappedPrincipalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
if (IsSamlProvider(roleComponents.First()))
{
//Backwards compatible format -- arn:...:saml-provider/SAML,arn:...:role/RoleName
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
}
else
{
//Documented format -- arn:...:role/RoleName,arn:...:saml-provider/SAML
roleArn = roleComponents.First();
principalArn = roleComponents.Last();
}
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
{
throw new ArgumentException("Unknown or invalid role specified.");
}
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return(new SAMLImmutableCredentials(response.Credentials.GetCredentials(),
response.Credentials.Expiration.ToUniversalTime(),
response.Subject));
}
public void SecurityTokenServiceAssumeRoleWithSAML()
{
#region to-assume-role-with-saml-14882749597814
var response = client.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
DurationSeconds = 3600,
PrincipalArn = "arn:aws:iam::123456789012:saml-provider/SAML-test",
RoleArn = "arn:aws:iam::123456789012:role/TestSaml",
SAMLAssertion = "VERYLONGENCODEDASSERTIONEXAMPLExzYW1sOkF1ZGllbmNlPmJsYW5rPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5TYW1sRXhhbXBsZTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxOS0xMS0wMVQyMDoyNTowNS4xNDVaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2lnbmluLmF3cy5hbWF6b24uY29tL3NhbWwiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRoPD94bWwgdmpSZXNwb25zZT4="
});
AssumedRoleUser assumedRoleUser = response.AssumedRoleUser;
string audience = response.Audience;
Credentials credentials = response.Credentials;
string issuer = response.Issuer;
string nameQualifier = response.NameQualifier;
int packedPolicySize = response.PackedPolicySize;
string subject = response.Subject;
string subjectType = response.SubjectType;
#endregion
}
/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public ImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
throw new ArgumentException("Unknown or invalid role specified.");
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return response.Credentials.GetCredentials();
}