public static string GenerateUserPolicyDocument(string bucketName) { string resourcearn = "arn:aws:s3:::" + bucketName + "/*"; string resourcearn2 = "arn:aws:s3:::" + bucketName; var actionGet = new ActionIdentifier("s3:*"); var actions = new List <ActionIdentifier>(); actions.Add(actionGet); var resource = new Resource(resourcearn); var resource2 = new Resource(resourcearn2); var resources = new List <Resource>(); resources.Add(resource); resources.Add(resource2); var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow) { Actions = actions, Id = bucketName + "Statmentid", Resources = resources }; var statements = new List <Amazon.Auth.AccessControlPolicy.Statement>(); statements.Add(statement); var policy = new Policy { Id = bucketName + "Policy", Version = "2012-10-17", Statements = statements }; return(policy.ToJson()); }
/// <summary> /// Add statement to the policy that gives the sns topic access to send a message to the queue. /// </summary> /// <param name="policy"></param> /// <param name="topicArn"></param> /// <param name="sqsQueueArn"></param> private static void AddSQSPermission(Policy policy, string topicArn, string sqsQueueArn) { Statement statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(SQSActionIdentifiers.SendMessage); statement.Resources.Add(new Resource(sqsQueueArn)); statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(topicArn)); statement.Principals.Add(new Principal("*")); policy.Statements.Add(statement); }
public static string GenerateRolePolicyDocument() { // Create a policy that looks like this: /* * { * "Version" : "2012-10-17", * "Id" : "DemoEC2Permissions", * "Statement" : [ * { * "Sid" : "DemoEC2PermissionsStatement", * "Effect" : "Allow", * "Action" : [ * "s3:Get*", * "s3:List*" * ], * "Resource" : "*" * } * ] * } */ var actionGet = new ActionIdentifier("s3:Get*"); var actionList = new ActionIdentifier("s3:List*"); var actions = new List <ActionIdentifier>(); actions.Add(actionGet); actions.Add(actionList); var resource = new Resource("*"); var resources = new List <Resource>(); resources.Add(resource); var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow) { Actions = actions, Id = "DemoEC2PermissionsStatement", Resources = resources }; var statements = new List <Amazon.Auth.AccessControlPolicy.Statement>(); statements.Add(statement); var policy = new Policy { Id = "DemoEC2Permissions", Version = "2012-10-17", Statements = statements }; return(policy.ToJson()); }
public static void CreateLambdaFunction(string functionName, string iamRoleName, out string iamRoleArn, out string functionArn) { var iamCreateResponse = iamClient.CreateRole(new CreateRoleRequest { RoleName = iamRoleName, AssumeRolePolicyDocument = LAMBDA_ASSUME_ROLE_POLICY }); iamRoleArn = iamCreateResponse.Role.Arn; var statement = new Amazon.Auth.AccessControlPolicy.Statement( Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow); statement.Actions.Add(S3ActionIdentifiers.PutObject); statement.Actions.Add(S3ActionIdentifiers.GetObject); statement.Resources.Add(new Resource("*")); var policy = new Amazon.Auth.AccessControlPolicy.Policy(); policy.Statements.Add(statement); iamClient.PutRolePolicy(new PutRolePolicyRequest { RoleName = iamRoleName, PolicyName = "admin", PolicyDocument = policy.ToJson() }); MemoryStream stream = CreateScriptStream(); var uploadRequest = new CreateFunctionRequest { FunctionName = functionName, Code = new FunctionCode { ZipFile = stream }, Handler = "helloworld.handler", //Mode = Mode.Event, Runtime = Runtime.Nodejs, Role = iamCreateResponse.Role.Arn }; var uploadResponse = UtilityMethods.WaitUntilSuccess(() => Client.CreateFunction(uploadRequest)); createdFunctionNames.Add(functionName); Assert.IsTrue(uploadResponse.CodeSize > 0); Assert.IsNotNull(uploadResponse.FunctionArn); functionArn = uploadResponse.FunctionArn; }
public static void CreateRolePolicy() { var roleName = Args.Value("Role"); var client = new AmazonIdentityManagementServiceClient(); var statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(S3ActionIdentifiers.AllS3Actions); statement.Resources.Add(new Resource("*")); var policy = new Policy(); policy.Statements.Add(statement); client.PutRolePolicy(new PutRolePolicyRequest { RoleName = roleName, PolicyName = "S3Access", PolicyDocument = policy.ToJson() }); }
/// <summary> /// Helper method for AuthorizeS3ToSendMessage() /// </summary> /// <param name="response"></param> /// <param name="bucket"></param> /// <param name="policy"></param> /// <param name="statement"></param> private static void GetNewPolicyAndStatement(GetQueueAttributesResponse response, string bucket, out Policy policy, out Statement statement) { if (!string.IsNullOrEmpty(response.Policy)) { policy = Policy.FromJson(response.Policy); } else { policy = new Policy(); } var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket); statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(SQSActionIdentifiers.SendMessage); statement.Resources.Add(new Resource(response.QueueARN)); statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn)); statement.Principals.Add(new Principal("*")); }
/// <summary> /// This is a utility method which updates the policy of a queue to allow the /// S3 bucket to publish events to it. /// </summary> /// <param name="queueUrl">The queue that will have its policy updated.</param> /// <param name="bucket">The bucket that will be given access to send messages from.</param> /// <returns>The ARN for the SQS queue. This can be used when setting up the S3 bucket notification.</returns> public string AuthorizeS3ToSendMessage(string queueUrl, string bucket) { var getAttributeResponse = this.GetQueueAttributes(new GetQueueAttributesRequest { QueueUrl = queueUrl, AttributeNames = new List<string> { "All"} }); Policy policy; if (!string.IsNullOrEmpty(getAttributeResponse.Policy)) { policy = Policy.FromJson(getAttributeResponse.Policy); } else { policy = new Policy(); } var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket); Statement statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(SQSActionIdentifiers.SendMessage); statement.Resources.Add(new Resource(getAttributeResponse.QueueARN)); statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn)); statement.Principals.Add(new Principal("*")); if (!policy.CheckIfStatementExists(statement)) { policy.Statements.Add(statement); var policyString = policy.ToJson(); this.SetQueueAttributes(new SetQueueAttributesRequest { QueueUrl = queueUrl, Attributes = new Dictionary<string, string> { {"Policy", policyString} } }); } return getAttributeResponse.QueueARN; }
public void TestIfStatementAlreadyExists() { var policy = new Policy(); Statement statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(SQSActionIdentifiers.SendMessage); statement.Resources.Add(new Resource("the:queue:arn")); statement.Conditions.Add(ConditionFactory.NewSourceArnCondition("source:arn")); statement.Principals.Add(new Principal("*")); policy.Statements.Add(statement); Statement newStatement = new Statement(Statement.StatementEffect.Allow); newStatement.Actions.Add(SQSActionIdentifiers.SendMessage); newStatement.Resources.Add(new Resource("the:queue:arn")); newStatement.Conditions.Add(ConditionFactory.NewSourceArnCondition("source:arn")); newStatement.Principals.Add(new Principal("*")); Assert.IsTrue(policy.CheckIfStatementExists(newStatement)); newStatement.Effect = Statement.StatementEffect.Deny; Assert.IsFalse(policy.CheckIfStatementExists(newStatement)); newStatement.Effect = Statement.StatementEffect.Allow; Assert.IsTrue(policy.CheckIfStatementExists(newStatement)); newStatement.Actions.Add(SQSActionIdentifiers.AddPermission); Assert.IsFalse(policy.CheckIfStatementExists(newStatement)); newStatement.Actions.Remove(SQSActionIdentifiers.AddPermission); Assert.IsTrue(policy.CheckIfStatementExists(newStatement)); newStatement.Principals.Add(new Principal("data")); Assert.IsFalse(policy.CheckIfStatementExists(newStatement)); newStatement.Principals.RemoveAt(1); Assert.IsTrue(policy.CheckIfStatementExists(newStatement)); newStatement.Conditions[0].ConditionKey = "new:arn"; Assert.IsFalse(policy.CheckIfStatementExists(newStatement)); }
/// <summary> /// Create the instance profile that will give permission for the EC2 instance to make request to Amazon S3. /// </summary> /// <returns></returns> string CreateInstanceProfile() { var roleName = "magicec2" + RESOURCDE_POSTFIX; // AmazonIdentityManagementServiceClient var client = new AmazonIdentityManagementServiceClient(accessKeyId, secretAccessKey, region); client.CreateRoleAsync(new CreateRoleRequest { RoleName = roleName, AssumeRolePolicyDocument = @"{""Statement"":[{""Principal"":{""Service"":[""ec2.amazonaws.com""]},""Effect"":""Allow"",""Action"":[""sts:AssumeRole""]}]}" }); var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow); statement.Actions.Add(S3ActionIdentifiers.AllS3Actions); statement.Resources.Add(new Resource("*")); var policy = new Policy(); policy.Statements.Add(statement); client.PutRolePolicyAsync(new PutRolePolicyRequest { RoleName = roleName, PolicyName = "S3Access", PolicyDocument = policy.ToJson() }); var response = client.CreateInstanceProfileAsync(new CreateInstanceProfileRequest { InstanceProfileName = roleName }); client.AddRoleToInstanceProfileAsync(new AddRoleToInstanceProfileRequest { InstanceProfileName = roleName, RoleName = roleName }); return(response.Result.InstanceProfile.Arn); }
public void create_sqs_queue() { GetUserNameAndPassword(); var sqsClient = Amazon.AWSClientFactory.CreateAmazonSQSClient(_key, _secret); var snsTopic = Amazon.AWSClientFactory.CreateAmazonSNSClient(_key, _secret); var topicArn = "arn:aws:sns:us-east-1:451419498740:Elliott-has-an-awesome-blog"; //Create a new SQS queue var createQueueRequest = new CreateQueueRequest().WithQueueName("elliotts-blog"); var createQueueResponse = sqsClient.CreateQueue(createQueueRequest); // keep the queueUrl handy var queueUrl = createQueueResponse.CreateQueueResult.QueueUrl; // get the Access Resource Name so we can allow the SNS to put messages on it var getQueueArnRequest = new GetQueueAttributesRequest() .WithQueueUrl(queueUrl) .WithAttributeName("QueueArn"); var getQueueArnResponse = sqsClient.GetQueueAttributes(getQueueArnRequest); var queueArn = getQueueArnResponse.GetQueueAttributesResult.Attribute[0].Value; //create a Policy for the SQS queue that allows SNS to publish to it var allowSnsStatement = new Statement(Statement.StatementEffect.Allow) .WithPrincipals(Principal.AllUsers) .WithResources(new Resource(queueArn)) .WithConditions(ConditionFactory.NewSourceArnCondition(topicArn)) .WithActionIdentifiers(SQSActionIdentifiers.SendMessage); var policy = new Policy("allow sns").WithStatements(new[] {allowSnsStatement}); var attribute = new Attribute().WithName("Policy").WithValue(policy.ToJson()); var setQueueAttributesRequest = new SetQueueAttributesRequest().WithQueueUrl(queueUrl).WithAttribute(attribute); sqsClient.SetQueueAttributes(setQueueAttributesRequest); // ok, now lets create the subscription for sqs with the queueArn we created var subscribeRequest = new SubscribeRequest() .WithEndpoint(queueArn) .WithTopicArn(topicArn) .WithProtocol("sqs"); snsTopic.Subscribe(subscribeRequest); }
private static bool StatementContainsPrincipals(Statement statement, IList<Principal> principals) { foreach (var principal in principals) { if (statement.Principals.FirstOrDefault(x => string.Equals(x.Id, principal.Id) && string.Equals(x.Provider, principal.Provider)) == null) return false; } return true; }
private static bool StatementContainsConditions(Statement statement, IList<Condition> conditions) { foreach (var condition in conditions) { if (statement.Conditions.FirstOrDefault(x => string.Equals(x.Type, condition.Type) && string.Equals(x.ConditionKey, condition.ConditionKey) && x.Values.Intersect(condition.Values).Count() == condition.Values.Count()) == null) return false; } return true; }
private static bool StatementContainsActions(Statement statement, IList<ActionIdentifier> actions) { foreach (var action in actions) { if (statement.Actions.FirstOrDefault(x => string.Equals(x.ActionName, action.ActionName)) == null) return false; } return true; }
private static bool StatementContainsResources(Statement statement, IList<Resource> resources) { foreach(var resource in resources) { if(statement.Resources.FirstOrDefault(x => string.Equals(x.Id, resource.Id)) == null) return false; } return true; }
/// <summary> /// This is a utility method which updates the policy of a topic to allow the /// S3 bucket to publish events to it. /// </summary> /// <param name="topicArn">The topic that will have its policy updated.</param> /// <param name="bucket">The bucket that will be given access to publish from.</param> public void AuthorizeS3ToPublish(string topicArn, string bucket) { var attributes = this.GetTopicAttributes(new GetTopicAttributesRequest { TopicArn = topicArn }).Attributes; Policy policy; if(attributes.ContainsKey("Policy") && !string.IsNullOrEmpty(attributes["Policy"])) { policy = Policy.FromJson(attributes["Policy"]); } else { policy = new Policy(); } var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket); Statement newStatement = new Statement(Statement.StatementEffect.Allow); newStatement.Actions.Add(SNSActionIdentifiers.Publish); newStatement.Resources.Add(new Resource(topicArn)); newStatement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn)); newStatement.Principals.Add(new Principal("*")); if (!policy.CheckIfStatementExists(newStatement)) { policy.Statements.Add(newStatement); var policyString = policy.ToJson(); this.SetTopicAttributes(new SetTopicAttributesRequest { TopicArn = topicArn, AttributeName = "Policy", AttributeValue = policyString }); } }
/// <summary> /// Checks to see if the permissions set in the statement are already set by another /// statement in the policy. /// </summary> /// <param name="statement">The statement to verify</param> /// <returns>True if the statement's permissions are already allowed by the statement</returns> public bool CheckIfStatementExists(Statement statement) { if (this.Statements == null) return false; foreach (var existingStatement in this.Statements) { if (existingStatement.Effect != statement.Effect) continue; if(!StatementContainsResources(existingStatement, statement.Resources)) continue; if (!StatementContainsActions(existingStatement, statement.Actions)) continue; if (!StatementContainsConditions(existingStatement, statement.Conditions)) continue; if (!StatementContainsPrincipals(existingStatement, statement.Principals)) continue; return true; } return false; }
/// <summary> /// Helper method for AuthorizeS3ToPublishAsync() /// </summary> /// <param name="attributes"></param> /// <param name="topicArn"></param> /// <param name="bucket"></param> /// <param name="policy"></param> /// <param name="statement"></param> private static void GetNewPolicyAndStatementForTopicAttributes(Dictionary<string, string> attributes, string topicArn, string bucket, out Policy policy, out Statement statement) { if(attributes.ContainsKey("Policy") && !string.IsNullOrEmpty(attributes["Policy"])) { policy = Policy.FromJson(attributes["Policy"]); } else { policy = new Policy(); } var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket); statement = new Statement(Statement.StatementEffect.Allow); statement.Actions.Add(SNSActionIdentifiers.Publish); statement.Resources.Add(new Resource(topicArn)); statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn)); statement.Principals.Add(new Principal("*")); }