public static string GenerateUserPolicyDocument(string bucketName)
{
string resourcearn = "arn:aws:s3:::" + bucketName + "/*";
string resourcearn2 = "arn:aws:s3:::" + bucketName;
var actionGet = new ActionIdentifier("s3:*");
var actions = new List <ActionIdentifier>();
actions.Add(actionGet);
var resource = new Resource(resourcearn);
var resource2 = new Resource(resourcearn2);
var resources = new List <Resource>();
resources.Add(resource);
resources.Add(resource2);
var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow)
{
Actions = actions,
Id = bucketName + "Statmentid",
Resources = resources
};
var statements = new List <Amazon.Auth.AccessControlPolicy.Statement>();
statements.Add(statement);
var policy = new Policy
{
Id = bucketName + "Policy",
Version = "2012-10-17",
Statements = statements
};
return(policy.ToJson());
}
/// <summary>
/// Add statement to the policy that gives the sns topic access to send a message to the queue.
/// </summary>
/// <param name="policy"></param>
/// <param name="topicArn"></param>
/// <param name="sqsQueueArn"></param>
private static void AddSQSPermission(Policy policy, string topicArn, string sqsQueueArn)
{
Statement statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(SQSActionIdentifiers.SendMessage);
statement.Resources.Add(new Resource(sqsQueueArn));
statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(topicArn));
statement.Principals.Add(new Principal("*"));
policy.Statements.Add(statement);
}
public static string GenerateRolePolicyDocument()
{
// Create a policy that looks like this:
/*
* {
* "Version" : "2012-10-17",
* "Id" : "DemoEC2Permissions",
* "Statement" : [
* {
* "Sid" : "DemoEC2PermissionsStatement",
* "Effect" : "Allow",
* "Action" : [
* "s3:Get*",
* "s3:List*"
* ],
* "Resource" : "*"
* }
* ]
* }
*/
var actionGet = new ActionIdentifier("s3:Get*");
var actionList = new ActionIdentifier("s3:List*");
var actions = new List <ActionIdentifier>();
actions.Add(actionGet);
actions.Add(actionList);
var resource = new Resource("*");
var resources = new List <Resource>();
resources.Add(resource);
var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow)
{
Actions = actions,
Id = "DemoEC2PermissionsStatement",
Resources = resources
};
var statements = new List <Amazon.Auth.AccessControlPolicy.Statement>();
statements.Add(statement);
var policy = new Policy
{
Id = "DemoEC2Permissions",
Version = "2012-10-17",
Statements = statements
};
return(policy.ToJson());
}
public static void CreateLambdaFunction(string functionName, string iamRoleName, out string iamRoleArn, out string functionArn)
{
var iamCreateResponse = iamClient.CreateRole(new CreateRoleRequest
{
RoleName = iamRoleName,
AssumeRolePolicyDocument = LAMBDA_ASSUME_ROLE_POLICY
});
iamRoleArn = iamCreateResponse.Role.Arn;
var statement = new Amazon.Auth.AccessControlPolicy.Statement(
Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow);
statement.Actions.Add(S3ActionIdentifiers.PutObject);
statement.Actions.Add(S3ActionIdentifiers.GetObject);
statement.Resources.Add(new Resource("*"));
var policy = new Amazon.Auth.AccessControlPolicy.Policy();
policy.Statements.Add(statement);
iamClient.PutRolePolicy(new PutRolePolicyRequest
{
RoleName = iamRoleName,
PolicyName = "admin",
PolicyDocument = policy.ToJson()
});
MemoryStream stream = CreateScriptStream();
var uploadRequest = new CreateFunctionRequest
{
FunctionName = functionName,
Code = new FunctionCode
{
ZipFile = stream
},
Handler = "helloworld.handler",
//Mode = Mode.Event,
Runtime = Runtime.Nodejs,
Role = iamCreateResponse.Role.Arn
};
var uploadResponse = UtilityMethods.WaitUntilSuccess(() => Client.CreateFunction(uploadRequest));
createdFunctionNames.Add(functionName);
Assert.IsTrue(uploadResponse.CodeSize > 0);
Assert.IsNotNull(uploadResponse.FunctionArn);
functionArn = uploadResponse.FunctionArn;
}
public static void CreateRolePolicy()
{
var roleName = Args.Value("Role");
var client = new AmazonIdentityManagementServiceClient();
var statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(S3ActionIdentifiers.AllS3Actions);
statement.Resources.Add(new Resource("*"));
var policy = new Policy();
policy.Statements.Add(statement);
client.PutRolePolicy(new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = "S3Access",
PolicyDocument = policy.ToJson()
});
}
/// <summary>
/// Helper method for AuthorizeS3ToSendMessage()
/// </summary>
/// <param name="response"></param>
/// <param name="bucket"></param>
/// <param name="policy"></param>
/// <param name="statement"></param>
private static void GetNewPolicyAndStatement(GetQueueAttributesResponse response, string bucket, out Policy policy, out Statement statement)
{
if (!string.IsNullOrEmpty(response.Policy))
{
policy = Policy.FromJson(response.Policy);
}
else
{
policy = new Policy();
}
var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket);
statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(SQSActionIdentifiers.SendMessage);
statement.Resources.Add(new Resource(response.QueueARN));
statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn));
statement.Principals.Add(new Principal("*"));
}
/// <summary>
/// This is a utility method which updates the policy of a queue to allow the
/// S3 bucket to publish events to it.
/// </summary>
/// <param name="queueUrl">The queue that will have its policy updated.</param>
/// <param name="bucket">The bucket that will be given access to send messages from.</param>
/// <returns>The ARN for the SQS queue. This can be used when setting up the S3 bucket notification.</returns>
public string AuthorizeS3ToSendMessage(string queueUrl, string bucket)
{
var getAttributeResponse = this.GetQueueAttributes(new GetQueueAttributesRequest
{
QueueUrl = queueUrl,
AttributeNames = new List<string> { "All"}
});
Policy policy;
if (!string.IsNullOrEmpty(getAttributeResponse.Policy))
{
policy = Policy.FromJson(getAttributeResponse.Policy);
}
else
{
policy = new Policy();
}
var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket);
Statement statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(SQSActionIdentifiers.SendMessage);
statement.Resources.Add(new Resource(getAttributeResponse.QueueARN));
statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn));
statement.Principals.Add(new Principal("*"));
if (!policy.CheckIfStatementExists(statement))
{
policy.Statements.Add(statement);
var policyString = policy.ToJson();
this.SetQueueAttributes(new SetQueueAttributesRequest
{
QueueUrl = queueUrl,
Attributes = new Dictionary<string, string>
{
{"Policy", policyString}
}
});
}
return getAttributeResponse.QueueARN;
}
public void TestIfStatementAlreadyExists()
{
var policy = new Policy();
Statement statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(SQSActionIdentifiers.SendMessage);
statement.Resources.Add(new Resource("the:queue:arn"));
statement.Conditions.Add(ConditionFactory.NewSourceArnCondition("source:arn"));
statement.Principals.Add(new Principal("*"));
policy.Statements.Add(statement);
Statement newStatement = new Statement(Statement.StatementEffect.Allow);
newStatement.Actions.Add(SQSActionIdentifiers.SendMessage);
newStatement.Resources.Add(new Resource("the:queue:arn"));
newStatement.Conditions.Add(ConditionFactory.NewSourceArnCondition("source:arn"));
newStatement.Principals.Add(new Principal("*"));
Assert.IsTrue(policy.CheckIfStatementExists(newStatement));
newStatement.Effect = Statement.StatementEffect.Deny;
Assert.IsFalse(policy.CheckIfStatementExists(newStatement));
newStatement.Effect = Statement.StatementEffect.Allow;
Assert.IsTrue(policy.CheckIfStatementExists(newStatement));
newStatement.Actions.Add(SQSActionIdentifiers.AddPermission);
Assert.IsFalse(policy.CheckIfStatementExists(newStatement));
newStatement.Actions.Remove(SQSActionIdentifiers.AddPermission);
Assert.IsTrue(policy.CheckIfStatementExists(newStatement));
newStatement.Principals.Add(new Principal("data"));
Assert.IsFalse(policy.CheckIfStatementExists(newStatement));
newStatement.Principals.RemoveAt(1);
Assert.IsTrue(policy.CheckIfStatementExists(newStatement));
newStatement.Conditions[0].ConditionKey = "new:arn";
Assert.IsFalse(policy.CheckIfStatementExists(newStatement));
}
/// <summary>
/// Create the instance profile that will give permission for the EC2 instance to make request to Amazon S3.
/// </summary>
/// <returns></returns>
string CreateInstanceProfile()
{
var roleName = "magicec2" + RESOURCDE_POSTFIX;
// AmazonIdentityManagementServiceClient
var client = new AmazonIdentityManagementServiceClient(accessKeyId, secretAccessKey, region);
client.CreateRoleAsync(new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = @"{""Statement"":[{""Principal"":{""Service"":[""ec2.amazonaws.com""]},""Effect"":""Allow"",""Action"":[""sts:AssumeRole""]}]}"
});
var statement = new Amazon.Auth.AccessControlPolicy.Statement(Amazon.Auth.AccessControlPolicy.Statement.StatementEffect.Allow);
statement.Actions.Add(S3ActionIdentifiers.AllS3Actions);
statement.Resources.Add(new Resource("*"));
var policy = new Policy();
policy.Statements.Add(statement);
client.PutRolePolicyAsync(new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = "S3Access",
PolicyDocument = policy.ToJson()
});
var response = client.CreateInstanceProfileAsync(new CreateInstanceProfileRequest
{
InstanceProfileName = roleName
});
client.AddRoleToInstanceProfileAsync(new AddRoleToInstanceProfileRequest
{
InstanceProfileName = roleName,
RoleName = roleName
});
return(response.Result.InstanceProfile.Arn);
}
public void create_sqs_queue()
{
GetUserNameAndPassword();
var sqsClient = Amazon.AWSClientFactory.CreateAmazonSQSClient(_key, _secret);
var snsTopic = Amazon.AWSClientFactory.CreateAmazonSNSClient(_key, _secret);
var topicArn = "arn:aws:sns:us-east-1:451419498740:Elliott-has-an-awesome-blog";
//Create a new SQS queue
var createQueueRequest = new CreateQueueRequest().WithQueueName("elliotts-blog");
var createQueueResponse = sqsClient.CreateQueue(createQueueRequest);
// keep the queueUrl handy
var queueUrl = createQueueResponse.CreateQueueResult.QueueUrl;
// get the Access Resource Name so we can allow the SNS to put messages on it
var getQueueArnRequest = new GetQueueAttributesRequest()
.WithQueueUrl(queueUrl)
.WithAttributeName("QueueArn");
var getQueueArnResponse = sqsClient.GetQueueAttributes(getQueueArnRequest);
var queueArn = getQueueArnResponse.GetQueueAttributesResult.Attribute[0].Value;
//create a Policy for the SQS queue that allows SNS to publish to it
var allowSnsStatement = new Statement(Statement.StatementEffect.Allow)
.WithPrincipals(Principal.AllUsers)
.WithResources(new Resource(queueArn))
.WithConditions(ConditionFactory.NewSourceArnCondition(topicArn))
.WithActionIdentifiers(SQSActionIdentifiers.SendMessage);
var policy = new Policy("allow sns").WithStatements(new[] {allowSnsStatement});
var attribute = new Attribute().WithName("Policy").WithValue(policy.ToJson());
var setQueueAttributesRequest =
new SetQueueAttributesRequest().WithQueueUrl(queueUrl).WithAttribute(attribute);
sqsClient.SetQueueAttributes(setQueueAttributesRequest);
// ok, now lets create the subscription for sqs with the queueArn we created
var subscribeRequest = new SubscribeRequest()
.WithEndpoint(queueArn)
.WithTopicArn(topicArn)
.WithProtocol("sqs");
snsTopic.Subscribe(subscribeRequest);
}
private static bool StatementContainsPrincipals(Statement statement, IList<Principal> principals)
{
foreach (var principal in principals)
{
if (statement.Principals.FirstOrDefault(x =>
string.Equals(x.Id, principal.Id) &&
string.Equals(x.Provider, principal.Provider)) == null)
return false;
}
return true;
}
private static bool StatementContainsConditions(Statement statement, IList<Condition> conditions)
{
foreach (var condition in conditions)
{
if (statement.Conditions.FirstOrDefault(x =>
string.Equals(x.Type, condition.Type) &&
string.Equals(x.ConditionKey, condition.ConditionKey) &&
x.Values.Intersect(condition.Values).Count() == condition.Values.Count()) == null)
return false;
}
return true;
}
private static bool StatementContainsActions(Statement statement, IList<ActionIdentifier> actions)
{
foreach (var action in actions)
{
if (statement.Actions.FirstOrDefault(x => string.Equals(x.ActionName, action.ActionName)) == null)
return false;
}
return true;
}
private static bool StatementContainsResources(Statement statement, IList<Resource> resources)
{
foreach(var resource in resources)
{
if(statement.Resources.FirstOrDefault(x => string.Equals(x.Id, resource.Id)) == null)
return false;
}
return true;
}
/// <summary>
/// This is a utility method which updates the policy of a topic to allow the
/// S3 bucket to publish events to it.
/// </summary>
/// <param name="topicArn">The topic that will have its policy updated.</param>
/// <param name="bucket">The bucket that will be given access to publish from.</param>
public void AuthorizeS3ToPublish(string topicArn, string bucket)
{
var attributes = this.GetTopicAttributes(new GetTopicAttributesRequest
{
TopicArn = topicArn
}).Attributes;
Policy policy;
if(attributes.ContainsKey("Policy") && !string.IsNullOrEmpty(attributes["Policy"]))
{
policy = Policy.FromJson(attributes["Policy"]);
}
else
{
policy = new Policy();
}
var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket);
Statement newStatement = new Statement(Statement.StatementEffect.Allow);
newStatement.Actions.Add(SNSActionIdentifiers.Publish);
newStatement.Resources.Add(new Resource(topicArn));
newStatement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn));
newStatement.Principals.Add(new Principal("*"));
if (!policy.CheckIfStatementExists(newStatement))
{
policy.Statements.Add(newStatement);
var policyString = policy.ToJson();
this.SetTopicAttributes(new SetTopicAttributesRequest
{
TopicArn = topicArn,
AttributeName = "Policy",
AttributeValue = policyString
});
}
}
/// <summary>
/// Checks to see if the permissions set in the statement are already set by another
/// statement in the policy.
/// </summary>
/// <param name="statement">The statement to verify</param>
/// <returns>True if the statement's permissions are already allowed by the statement</returns>
public bool CheckIfStatementExists(Statement statement)
{
if (this.Statements == null)
return false;
foreach (var existingStatement in this.Statements)
{
if (existingStatement.Effect != statement.Effect)
continue;
if(!StatementContainsResources(existingStatement, statement.Resources))
continue;
if (!StatementContainsActions(existingStatement, statement.Actions))
continue;
if (!StatementContainsConditions(existingStatement, statement.Conditions))
continue;
if (!StatementContainsPrincipals(existingStatement, statement.Principals))
continue;
return true;
}
return false;
}
/// <summary>
/// Helper method for AuthorizeS3ToPublishAsync()
/// </summary>
/// <param name="attributes"></param>
/// <param name="topicArn"></param>
/// <param name="bucket"></param>
/// <param name="policy"></param>
/// <param name="statement"></param>
private static void GetNewPolicyAndStatementForTopicAttributes(Dictionary<string, string> attributes, string topicArn, string bucket, out Policy policy, out Statement statement)
{
if(attributes.ContainsKey("Policy") && !string.IsNullOrEmpty(attributes["Policy"]))
{
policy = Policy.FromJson(attributes["Policy"]);
}
else
{
policy = new Policy();
}
var sourceArn = string.Format(CultureInfo.InvariantCulture, "arn:aws:s3:*:*:{0}", bucket);
statement = new Statement(Statement.StatementEffect.Allow);
statement.Actions.Add(SNSActionIdentifiers.Publish);
statement.Resources.Add(new Resource(topicArn));
statement.Conditions.Add(ConditionFactory.NewSourceArnCondition(sourceArn));
statement.Principals.Add(new Principal("*"));
}
