public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole)
{
string[] role = awsRole.Split(',');
AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest();
samlRequest.SAMLAssertion = samlAssertion;
samlRequest.RoleArn = role[1];
samlRequest.PrincipalArn = role[0];
samlRequest.DurationSeconds = 3600;
AmazonSecurityTokenServiceClient sts;
AssumeRoleWithSAMLResponse samlResponse;
try {
sts = new AmazonSecurityTokenServiceClient();
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
catch
{
sts = new AmazonSecurityTokenServiceClient("a", "b", "c");
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
samlResponse.Credentials.AccessKeyId,
samlResponse.Credentials.SecretAccessKey,
samlResponse.Credentials.SessionToken);
return sessionCredentials;
}
public Deployer(AwsConfiguration awsConfiguration)
{
_awsEndpoint = awsConfiguration.AwsEndpoint;
_bucket = awsConfiguration.Bucket;
_assumeRoleTrustDocument = awsConfiguration.AssumeRoleTrustDocument;
_iamRolePolicyDocument = awsConfiguration.IamRolePolicyDocument;
AWSCredentials credentials;
if (isArn(awsConfiguration.RoleName))
{
var securityTokenServiceClient = new AmazonSecurityTokenServiceClient(awsConfiguration.AwsEndpoint);
var assumeRoleResult = securityTokenServiceClient.AssumeRole(new AssumeRoleRequest
{
RoleArn = awsConfiguration.RoleName,
DurationSeconds = 3600,
RoleSessionName = "Net2User",
ExternalId = Guid.NewGuid().ToString()
});
Credentials stsCredentials = assumeRoleResult.Credentials;
SessionAWSCredentials sessionCredentials =
new SessionAWSCredentials(stsCredentials.AccessKeyId,
stsCredentials.SecretAccessKey,
stsCredentials.SessionToken);
credentials = sessionCredentials;
_role = new AssumedRole(assumeRoleResult.AssumedRoleUser);
}
else {
credentials = awsConfiguration.Credentials ?? new EnvironmentAWSCredentials();
}
_codeDeployClient = new AmazonCodeDeployClient(
credentials,
new AmazonCodeDeployConfig {
RegionEndpoint = awsConfiguration.AwsEndpoint,
ProxyHost = awsConfiguration.ProxyHost,
ProxyPort = awsConfiguration.ProxyPort
});
_cloudFormationClient = new AmazonCloudFormationClient(
credentials,
new AmazonCloudFormationConfig {
RegionEndpoint = awsConfiguration.AwsEndpoint,
ProxyHost = awsConfiguration.ProxyHost,
ProxyPort = awsConfiguration.ProxyPort
});
_s3Client = new AmazonS3Client(
credentials,
new AmazonS3Config {
RegionEndpoint = awsConfiguration.AwsEndpoint,
ProxyHost = awsConfiguration.ProxyHost,
ProxyPort = awsConfiguration.ProxyPort
});
_iamClient = new AmazonIdentityManagementServiceClient(
credentials,
new AmazonIdentityManagementServiceConfig {
RegionEndpoint = awsConfiguration.AwsEndpoint,
ProxyHost = awsConfiguration.ProxyHost,
ProxyPort = awsConfiguration.ProxyPort
});
_autoScalingClient = new AmazonAutoScalingClient(
credentials,
new AmazonAutoScalingConfig {
RegionEndpoint = awsConfiguration.AwsEndpoint,
ProxyHost = awsConfiguration.ProxyHost,
ProxyPort = awsConfiguration.ProxyPort
});
}
/// <summary>
/// Resolves the set of <see cref="AWSCredentials">AWS Credentials</see> based on the
/// combination of credential-related parameters that are specified.
/// </summary>
/// <remarks>
/// The order of resolution is as follows:
/// <list>
/// <item>
/// 1. If AccessKeyId is found
/// <item>a. If Session Token is found, returns Session AWS Credential</item>
/// <item>b. If no Session Token, returns a Base AWS Credential</item>
/// </item>
/// <item>
/// 2. If Profile Name is found, return a Stored Profile AWS Credential, with
/// an optional, overridden Profile Location
/// </item>
/// <item>
/// 3. If an IAM Role Name is specified, get the credentials from the local
/// EC2 instance IAM Role environment; if the special name '*' is used,
/// it uses the first IAM Role found in the current EC2 environment
/// </item>
/// <item>
/// 4. Otherwise, assume credentials are specified in environment variables
/// accessible to the hosting process and retrieve them from the following
/// variables:
/// <item><code>AWS_ACCESS_KEY_ID</code></item>
/// <item><code>AWS_SECRET_ACCESS_KEY</code></item>
/// <item><code></code>AWS_SESSION_TOKEN</code> (optional)</code></item>
/// </item>
/// </list>
/// </remarks>
public AWSCredentials ResolveCredentials()
{
AWSCredentials cr;
if (!string.IsNullOrEmpty(AwsAccessKeyId))
{
if (!string.IsNullOrEmpty(AwsSessionToken))
{
cr = new SessionAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey, AwsSessionToken);
}
else
{
cr = new Amazon.Runtime.BasicAWSCredentials(AwsAccessKeyId, AwsSecretAccessKey);
}
}
else if (!string.IsNullOrEmpty(AwsProfileName))
{
cr = new StoredProfileAWSCredentials(AwsProfileName, AwsProfileLocation);
}
else if (!string.IsNullOrEmpty(AwsIamRole))
{
if (AwsIamRole == IAM_ROLE_ANY)
cr = new InstanceProfileAWSCredentials();
else
cr = new InstanceProfileAWSCredentials(AwsIamRole);
}
else
{
cr = new EnvironmentVariablesAWSCredentials();
}
return cr;
}
public virtual AmazonS3Client AppMode_CreateS3Client(Credentials credentials, RegionEndpoint regionEndpoint)
{
AmazonS3Client s3Client;
var sessionCredentials = new SessionAWSCredentials(
credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
s3Client = new AmazonS3Client(sessionCredentials, regionEndpoint);
return s3Client;
}
public virtual bool AppMode_TestSqsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var sqsClient = new AmazonSQSClient(credentials, regionEndpoint);
sqsClient.ListQueues(new ListQueuesRequest());
return true;
}
catch
{
return false;
}
}
public virtual bool AppMode_TestSnsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var snsClient = new AmazonSimpleNotificationServiceClient(credentials, regionEndpoint);
snsClient.ListTopics(new ListTopicsRequest());
return true;
}
catch
{
return false;
}
}
public virtual bool AppMode_TestIamAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
try
{
var iamClient = new AmazonIdentityManagementServiceClient(credentials, regionEndpoint);
iamClient.ListUsers(new ListUsersRequest());
return true;
}
catch
{
return false;
}
}
/// <summary>
/// Perform the AppMode operations by assuming the dev and prod roles, and checking for permissions.
/// </summary>
/// <param name="labVariables">The data.</param>
public void AppMode_Run(LabVariables labVariables)
{
var credentials = new BasicAWSCredentials(
ConfigurationManager.AppSettings["appModeAWSAccessKey"],
ConfigurationManager.AppSettings["appModeAWSSecretKey"]);
Credentials devCredentials = null, prodCredentials = null;
using (var stsClient = new AmazonSecurityTokenServiceClient(credentials, RegionEndpoint))
{
Console.WriteLine("Assuming developer role to retrieve developer session credentials.");
devCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.DevelopmentRoleArn, "dev_session");
if (devCredentials == null)
{
Console.WriteLine("No developer credentials returned. AccessDenied.");
return;
}
Console.WriteLine("\nAssuming production role to retrieve production session credentials.");
prodCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.ProductionRoleArn, "prod_session");
if (prodCredentials == null)
{
Console.WriteLine("No production credentials returned. AccessDenied.");
return;
}
}
using (var devS3Client = LabCode.AppMode_CreateS3Client(devCredentials, RegionEndpoint))
{
using (var prodS3Client = LabCode.AppMode_CreateS3Client(prodCredentials, RegionEndpoint))
{
Console.WriteLine("\nTesting Developer Session...");
var devSession = new SessionAWSCredentials(
devCredentials.AccessKeyId,
devCredentials.SecretAccessKey,
devCredentials.SessionToken);
Console.WriteLine(" IAM: {0}",
OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, devSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" SQS: {0}",
OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, devSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" SNS: {0}",
OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, devSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" S3:");
foreach (string bucketName in labVariables.BucketNames)
{
TestS3Client(devS3Client, bucketName);
}
Console.WriteLine("\nTesting Production Session...");
var prodSession = new SessionAWSCredentials(
prodCredentials.AccessKeyId,
prodCredentials.SecretAccessKey,
prodCredentials.SessionToken);
Console.WriteLine(" IAM: {0}",
OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, prodSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" SQS: {0}",
OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, prodSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" SNS: {0}",
OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, prodSession)
? "Accessible."
: "Inaccessible.");
Console.WriteLine(" S3:");
foreach (string bucketName in labVariables.BucketNames)
{
TestS3Client(prodS3Client, bucketName);
}
}
}
}
/// <summary>
/// Test access to the SQS service using the provided credentials by requesting a listing of the SQS queues.
/// You are free to test in any way you like. Submit any sort of request and watch for an exception.
/// </summary>
/// <param name="regionEndpoint">The region endpoint to use for the client connection.</param>
/// <param name="credentials">The credentials to use.</param>
/// <returns>True, if the service is accessible. False, if the credentials are rejected.</returns>
public override bool AppMode_TestSqsAccess(RegionEndpoint regionEndpoint, SessionAWSCredentials credentials)
{
//TODO: Replace this call to the base class with your own method implementation.
return base.AppMode_TestSqsAccess(regionEndpoint, credentials);
}
