/// <summary>
/// <see cref="ICoreAmazonSTS"/>
/// </summary>
/// <param name="roleArn"></param>
/// <param name="roleSessionName"></param>
/// <param name="options"></param>
/// <returns></returns>
AssumeRoleImmutableCredentials ICoreAmazonSTS.CredentialsFromAssumeRoleAuthentication(string roleArn,
string roleSessionName, AssumeRoleAWSCredentialsOptions options)
{
try
{
var request = new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = roleSessionName
};
if (options != null)
{
request.ExternalId = options.ExternalId;
request.SerialNumber = options.MfaSerialNumber;
request.TokenCode = options.MfaTokenCode;
request.Policy = options.Policy;
if (options.DurationSeconds.HasValue)
{
request.DurationSeconds = options.DurationSeconds.Value;
}
}
var response = AssumeRole(request);
return(new AssumeRoleImmutableCredentials(response.Credentials.AccessKeyId, response.Credentials.SecretAccessKey,
response.Credentials.SessionToken, response.Credentials.Expiration));
}
catch (Exception e)
{
var msg = "Error calling AssumeRole for role " + roleArn;
var exception = new AmazonClientException(msg, e);
Logger.GetLogger(typeof(AmazonSecurityTokenServiceClient)).Error(exception, exception.Message);
throw exception;
}
}
public void TestGetSessionWhenMakingNewSessionThrowsException()
{
var testException = new AmazonClientException("");
mockClient.Setup(x => x.SendCommandAsync(It.IsAny <SendCommandRequest>(), It.IsAny <CancellationToken>()))
.Throws(testException);
var driver = new PooledQldbDriver("ledgerName", mockClient.Object, 4, 1, 10, NullLogger.Instance);
Assert.ThrowsException <AmazonClientException>(driver.GetSession);
// Ensure semaphore released due to earlier exception. Will throw TimeoutException if not.
Assert.ThrowsException <AmazonClientException>(driver.GetSession);
// Start session twice.
mockClient.Verify(x => x.SendCommandAsync(It.IsAny <SendCommandRequest>(), It.IsAny <CancellationToken>()),
Times.Exactly(2));
}
/// <summary>
/// <see cref="ICoreAmazonSTS_WebIdentity"/>
/// </summary>
/// <param name="webIdentityToken">The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider.</param>
/// <param name="roleArn">The Amazon Resource Name (ARN) of the role to assume.</param>
/// <param name="roleSessionName">An identifier for the assumed role session.</param>
/// <param name="options">Options to be used in the call to AssumeRole.</param>
/// <returns>Immutable AssumeRoleCredentials</returns>
AssumeRoleImmutableCredentials ICoreAmazonSTS_WebIdentity.CredentialsFromAssumeRoleWithWebIdentityAuthentication(string webIdentityToken, string roleArn,
string roleSessionName, AssumeRoleWithWebIdentityCredentialsOptions options)
{
var request = SetupAssumeRoleWithWebIdentityRequest(webIdentityToken, roleArn, roleSessionName, options);
try
{
var response = AssumeRoleWithWebIdentity(request);
return(new AssumeRoleImmutableCredentials(response.Credentials.AccessKeyId, response.Credentials.SecretAccessKey,
response.Credentials.SessionToken, response.Credentials.Expiration));
}
catch (Exception e)
{
var msg = "Error calling AssumeRole for role " + roleArn;
var exception = new AmazonClientException(msg, e);
Logger.GetLogger(typeof(AmazonSecurityTokenServiceClient)).Error(exception, exception.Message);
throw exception;
}
}
private CredentialsRefreshState Authenticate(ICredentials userCredential, TimeSpan credentialDuration)
{
CredentialsRefreshState state;
SAMLAssertion assertion;
var configuredRegion = AWSConfigs.AWSRegion;
var region = string.IsNullOrEmpty(configuredRegion)
? DefaultSTSClientRegion
: RegionEndpoint.GetBySystemName(configuredRegion);
try
{
assertion = new SAMLAuthenticationController().GetSAMLAssertion(ProfileData.EndpointSettings.Endpoint.ToString(),
userCredential,
ProfileData.EndpointSettings.AuthenticationType);
}
catch (Exception e)
{
throw new AuthenticationFailedException("Authentication failure, unable to obtain SAML assertion.", e);
}
try
{
using (var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials(), region))
{
var credentials = assertion.GetRoleCredentials(stsClient, ProfileData.RoleArn, credentialDuration);
state = new CredentialsRefreshState(credentials, DateTime.UtcNow + credentialDuration);
}
}
catch (Exception e)
{
var wrappedException = new AmazonClientException("Credential generation failed following successful authentication.", e);
var logger = Logger.GetLogger(typeof(StoredProfileSAMLCredentials));
logger.Error(wrappedException, wrappedException.Message);
throw wrappedException;
}
return(state);
}
public static void HandleAmazonClientExceptionException(AmazonClientException ace)
{
Console.WriteLine("AmazonClientException:");
Console.WriteLine(ace.Message);
}
