Container for the parameters to the PutRolePolicy operation. Adds or updates an inline policy document that is embedded in the specified IAM role.

When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy. For more information about IAM roles, go to Using Roles to Delegate Permissions and Federate Identities.

A role can also have a managed policy attached to it. To attach a managed policy to a role, use AttachRolePolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

For information about limits on the number of inline policies that you can embed with a role, see Limitations on IAM Entities in the IAM User Guide.

Because policy documents can be large, you should use POST rather than GET when calling PutRolePolicy. For general information about using the Query API with IAM, go to Making Query Requests in the IAM User Guide.

Inheritance: AmazonIdentityManagementServiceRequest
        public object Execute(ExecutorContext context)
        {
            var cmdletContext = context as CmdletContext;
            // create request
            var request = new Amazon.IdentityManagement.Model.PutRolePolicyRequest();

            if (cmdletContext.PolicyDocument != null)
            {
                request.PolicyDocument = cmdletContext.PolicyDocument;
            }
            if (cmdletContext.PolicyName != null)
            {
                request.PolicyName = cmdletContext.PolicyName;
            }
            if (cmdletContext.RoleName != null)
            {
                request.RoleName = cmdletContext.RoleName;
            }

            CmdletOutput output;

            // issue call
            var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint);

            try
            {
                var    response       = CallAWSServiceOperation(client, request);
                object pipelineOutput = null;
                pipelineOutput = cmdletContext.Select(response, this);
                output         = new CmdletOutput
                {
                    PipelineOutput  = pipelineOutput,
                    ServiceResponse = response
                };
            }
            catch (Exception e)
            {
                output = new CmdletOutput {
                    ErrorResponse = e
                };
            }

            return(output);
        }
        /// <summary>
        /// Initiates the asynchronous execution of the PutRolePolicy operation.
        /// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService"/>
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation.</param>
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
        /// <returns>The task object representing the asynchronous operation.</returns>
        public Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;

            return InvokeAsync<PutRolePolicyRequest,PutRolePolicyResponse>(request, marshaller, 
                unmarshaller, cancellationToken);
        }
        internal PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;

            return Invoke<PutRolePolicyRequest,PutRolePolicyResponse>(request, marshaller, unmarshaller);
        }
 IAsyncResult invokePutRolePolicy(PutRolePolicyRequest putRolePolicyRequest, AsyncCallback callback, object state, bool synchronized)
 {
     IRequest irequest = new PutRolePolicyRequestMarshaller().Marshall(putRolePolicyRequest);
     var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
     AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
     Invoke(result);
     return result;
 }
 /// <summary>
 /// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, refer to Overview of Policies
 /// in <i>Using AWS Identity and Access Management</i> .</para> <para>For information about limits on the number of policies you can associate
 /// with a role, see Limitations on IAM Entities in <i>Using AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy
 /// documents can be large, you should use POST rather than GET when calling PutRolePolicy. For information about setting up signatures and
 /// authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about using the Query
 /// API with IAM, go to Making Query Requests in Using IAM.</para>
 /// </summary>
 /// 
 /// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy service method on
 ///          AmazonIdentityManagementService.</param>
 /// 
 /// <exception cref="MalformedPolicyDocumentException"/>
 /// <exception cref="NoSuchEntityException"/>
 /// <exception cref="LimitExceededException"/>
 public PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest putRolePolicyRequest)
 {
     IAsyncResult asyncResult = invokePutRolePolicy(putRolePolicyRequest, null, null, true);
     return EndPutRolePolicy(asyncResult);
 }
 /// <summary>
 /// Initiates the asynchronous execution of the PutRolePolicy operation.
 /// <seealso cref="Amazon.IdentityManagement.AmazonIdentityManagementService.PutRolePolicy"/>
 /// </summary>
 /// 
 /// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy operation on
 ///          AmazonIdentityManagementService.</param>
 /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
 /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
 ///          procedure using the AsyncState property.</param>
 public IAsyncResult BeginPutRolePolicy(PutRolePolicyRequest putRolePolicyRequest, AsyncCallback callback, object state)
 {
     return invokePutRolePolicy(putRolePolicyRequest, callback, state, false);
 }
        /// <summary>
        /// Initiates the asynchronous execution of the PutRolePolicy operation.
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation on AmazonIdentityManagementServiceClient.</param>
        /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
        /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
        ///          procedure using the AsyncState property.</param>
        /// 
        /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndPutRolePolicy
        ///         operation.</returns>
        public IAsyncResult BeginPutRolePolicy(PutRolePolicyRequest request, AsyncCallback callback, object state)
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;

            return BeginInvoke<PutRolePolicyRequest>(request, marshaller, unmarshaller,
                callback, state);
        }
 /// <summary>
 /// Initiates the asynchronous execution of the PutRolePolicy operation.
 /// </summary>
 /// 
 /// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation on AmazonIdentityManagementServiceClient.</param>
 /// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
 /// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
 ///          procedure using the AsyncState property.</param>
 public void PutRolePolicyAsync(PutRolePolicyRequest request, AmazonServiceCallback<PutRolePolicyRequest, PutRolePolicyResponse> callback, AsyncOptions options = null)
 {
     options = options == null?new AsyncOptions():options;
     var marshaller = new PutRolePolicyRequestMarshaller();
     var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;
     Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
     if(callback !=null )
         callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => { 
             AmazonServiceResult<PutRolePolicyRequest,PutRolePolicyResponse> responseObject 
                     = new AmazonServiceResult<PutRolePolicyRequest,PutRolePolicyResponse>((PutRolePolicyRequest)req, (PutRolePolicyResponse)res, ex , ao.State);    
                 callback(responseObject); 
         };
     BeginInvoke<PutRolePolicyRequest>(request, marshaller, unmarshaller, options, callbackHelper);
 }
        /// <summary>
        /// Initiates the asynchronous execution of the PutRolePolicy operation.
        /// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService.PutRolePolicy"/>
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the PutRolePolicy operation.</param>
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
        /// <returns>The task object representing the asynchronous operation.</returns>
		public async Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest request, CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
            var response = await Invoke<IRequest, PutRolePolicyRequest, PutRolePolicyResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
                .ConfigureAwait(continueOnCapturedContext: false);
            return response;
        }
        /// <summary>
        /// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?PoliciesOverview.html">Overview of Policies</a> in <i>Using AWS Identity
        /// and Access Management</i> .</para> <para>For information about limits on the policies you can associate with a role, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
        /// AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy documents can be large, you should use POST rather than GET
        /// when calling PutRolePolicy. For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in
        /// the AWS General Reference. For general information about using the Query API with IAM, go to Making Query Requests in Using IAM.</para>
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the PutRolePolicy service method on
        /// AmazonIdentityManagementService.</param>
        /// 
        /// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
        /// <exception cref="T:Amazon.IdentityManagement.Model.NoSuchEntityException" />
        /// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
		public PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
        {
            var task = PutRolePolicyAsync(request);
            try
            {
                return task.Result;
            }
            catch(AggregateException e)
            {
                throw e.InnerException;
            }
        }
 private Amazon.IdentityManagement.Model.PutRolePolicyResponse CallAWSServiceOperation(IAmazonIdentityManagementService client, Amazon.IdentityManagement.Model.PutRolePolicyRequest request)
 {
     Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Identity and Access Management", "PutRolePolicy");
     try
     {
         #if DESKTOP
         return(client.PutRolePolicy(request));
         #elif CORECLR
         return(client.PutRolePolicyAsync(request).GetAwaiter().GetResult());
         #else
                 #error "Unknown build edition"
         #endif
     }
     catch (AmazonServiceException exc)
     {
         var webException = exc.InnerException as System.Net.WebException;
         if (webException != null)
         {
             throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
         }
         throw;
     }
 }
Beispiel #12
0
        /// <summary>
        /// <para>Adds (or updates) a policy document associated with the specified role. For information about policies, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?PoliciesOverview.html">Overview of Policies</a> in <i>Using AWS Identity
        /// and Access Management</i> .</para> <para>For information about limits on the policies you can associate with a role, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
        /// AWS Identity and Access Management</i> .</para> <para><b>NOTE:</b>Because policy documents can be large, you should use POST rather than GET
        /// when calling PutRolePolicy. For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in
        /// the AWS General Reference. For general information about using the Query API with IAM, go to Making Query Requests in Using IAM.</para>
        /// </summary>
        /// 
        /// <param name="putRolePolicyRequest">Container for the necessary parameters to execute the PutRolePolicy service method on
        /// AmazonIdentityManagementService.</param>
        /// 
        /// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
        /// <exception cref="T:Amazon.IdentityManagement.Model.NoSuchEntityException" />
        /// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
		public Task<PutRolePolicyResponse> PutRolePolicyAsync(PutRolePolicyRequest putRolePolicyRequest, CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.GetInstance();
            return Invoke<IRequest, PutRolePolicyRequest, PutRolePolicyResponse>(putRolePolicyRequest, marshaller, unmarshaller, signer, cancellationToken);
        }
Beispiel #13
0
		internal PutRolePolicyResponse PutRolePolicy(PutRolePolicyRequest request)
        {
            var task = PutRolePolicyAsync(request);
            try
            {
                return task.Result;
            }
            catch(AggregateException e)
            {
                ExceptionDispatchInfo.Capture(e.InnerException).Throw();
                return null;
            }
        }
        public virtual string PrepMode_CreateRole(AmazonIdentityManagementServiceClient iamClient, string roleName,
            string policyText, string trustRelationshipText)
        {
            var roleArn = String.Empty;

            // Use the CreateRoleRequest object to define the role. The AssumeRolePolicyDocument property should be
            // set to the value of the trustRelationshipText parameter.

            var createRoleRequest = new CreateRoleRequest
            {
                AssumeRolePolicyDocument = trustRelationshipText,
                RoleName = roleName
            };
            roleArn = iamClient.CreateRole(createRoleRequest).Role.Arn;

            // Use the PutRolePolicyRequest object to define the request. Select whatever policy name you would like.
            // The PolicyDocument property is there the policy is described.
            var putRolePolicyRequest = new PutRolePolicyRequest
            {
                RoleName = roleName,
                PolicyName = String.Format("{0}_policy", roleName),
                PolicyDocument = policyText
            };
            iamClient.PutRolePolicy(putRolePolicyRequest);

            return roleArn;
        }
        IAsyncResult invokePutRolePolicy(PutRolePolicyRequest request, AsyncCallback callback, object state, bool synchronized)
        {
            var marshaller = new PutRolePolicyRequestMarshaller();
            var unmarshaller = PutRolePolicyResponseUnmarshaller.Instance;

            return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
        }
Beispiel #16
0
        public static void Test(string identityProvider)
        {
            // Login with credentials to create the role
            // credentials are defined in app.config
            var iamClient = new AmazonIdentityManagementServiceClient();
            string providerURL = null,
                   providerAppIdName = null,
                   providerUserIdName = null,
                   providerAppId = null;

            switch (identityProvider)
            {
                case "Facebook":
                    providerURL = "graph.facebook.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "id";
                    break;
                case "Google":
                    providerURL = "accounts.google.com";
                    providerAppIdName = "aud";
                    providerUserIdName = "sub";
                    break;
                case "Amazon":
                    providerURL = "www.amazon.com";
                    providerAppIdName = "app_id";
                    providerUserIdName = "user_id";
                    break;
            }

            //identity provider specific AppId is loaded from app.config (e.g)
            //  FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
            providerAppId = ConfigurationManager.AppSettings[identityProvider +
                                                               "ProviderAppId"];

            // Since the string is passed to String.Format, '{' & '}' has to be escaped.
            // Policy document specifies who can invoke AssumeRoleWithWebIdentity
            string trustPolicyTemplate = @"{{
                  ""Version"": ""2012-10-17"",
                  ""Statement"": [
                        {{
                              ""Effect"": ""Allow"",
                              ""Principal"": {{ ""Federated"": ""{1}"" }},
                              ""Action"": ""sts:AssumeRoleWithWebIdentity"",
                              ""Condition"": {{
                                    ""StringEquals"": {{""{1}:{2}"": ""{3}""}}
                              }}
                        }}
                  ]
                }}";

            // Defines what permissions to grant when AssumeRoleWithWebIdentity is called
            string accessPolicyTemplate = @"{{
                    ""Version"": ""2012-10-17"",
                    ""Statement"": [
                    {{
                        ""Effect"":""Allow"",
                        ""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
                        ""Resource"": [
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
                                ""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
                        ]
                    }}
                    ]
                }}";

            // Create Trust policy
            CreateRoleRequest createRoleRequest = new CreateRoleRequest
            {
                RoleName = "federationtestrole",
                AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
                                                            identityProvider,
                                                            providerURL,
                                                            providerAppIdName,
                                                            providerAppId)
            };
            Console.WriteLine("\nTrust Policy Document:\n{0}\n",
                createRoleRequest.AssumeRolePolicyDocument);
            CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);

            // Create Access policy (Permissions)
            PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
            {
                PolicyName = "federationtestrole-rolepolicy",
                RoleName = "federationtestrole",
                PolicyDocument = string.Format(accessPolicyTemplate,
                                                identityProvider,
                                                providerURL,
                                                providerAppIdName,
                                                providerAppId,
                                                providerUserIdName)

            };
            Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
                                                putRolePolicyRequest.PolicyDocument);
            PutRolePolicyResponse putRolePolicyResponse = iamClient.PutRolePolicy(
                                                               putRolePolicyRequest);

            // Sleep for the policy to replicate
            System.Threading.Thread.Sleep(5000);
            AmazonS3Config config = new AmazonS3Config
            {
                ServiceURL = "s3.amazonaws.com",
                RegionEndpoint = Amazon.RegionEndpoint.USEast1
            };

            Federation federationTest = new Federation();
            AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = null;

            switch (identityProvider)
            {
                case "Facebook":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingFacebook(
                                providerAppId,
                                createRoleResponse.Role.Arn);
                    break;
                case "Google":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingGoogle(
                                providerAppId,
                                createRoleResponse.Role.Arn);

                    //Uncomment to perform two step process
                    //assumeRoleWithWebIdentityResponse =
                    //    federationTest.GetTemporaryCredentialUsingGoogle(
                    //            providerAppId,
                    //            ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
                    //            createRoleResponse.Role.Arn);
                    break;
                case "Amazon":
                    assumeRoleWithWebIdentityResponse =
                        federationTest.GetTemporaryCredentialUsingAmazon(
                                ConfigurationManager.AppSettings["AmazonProviderClientId"],
                                createRoleResponse.Role.Arn);
                    break;
            }

            S3Test s3Test = new S3Test();
            s3Test.CreateS3Bucket("federationtestbucket",
                identityProvider + "/" +
                assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
                assumeRoleWithWebIdentityResponse.Credentials, config);

            DeleteRolePolicyResponse deleteRolePolicyResponse =
                iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
                {
                    PolicyName = "federationtestrole-rolepolicy",
                    RoleName = "federationtestrole"
                });

            DeleteRoleResponse deleteRoleResponse =
                iamClient.DeleteRole(new DeleteRoleRequest
                {
                    RoleName = "federationtestrole"
                });
        }