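/// <summary>
/// Creates the STS-assumable role named <paramref name="roleName"/> in the calling account,
/// or returns the already-existing role of that name.
/// </summary>
/// <param name="roleName">Name of the role to create or look up.</param>
/// <returns>The created role, or the existing role when one with that name was already present.</returns>
/// <exception cref="InvalidOperationException">
/// CreateRole returned a non-OK status without the SDK raising an exception.
/// </exception>
public async Task<Role> EnsureRoleExistsAsync(RoleName roleName)
{
    // The trust policy built by CreateRoleRequest is scoped to the calling account, so resolve it via STS first.
    var identityResponse = await _securityTokenServiceClient.GetCallerIdentityAsync(new GetCallerIdentityRequest());
    var accountArn = new AwsAccountArn(identityResponse.Account);
    var request = CreateRoleRequest(accountArn, roleName);

    try
    {
        var response = await _client.CreateRoleAsync(request);
        if (response.HttpStatusCode != HttpStatusCode.OK)
        {
            // Response metadata may be absent; do not let a NullReferenceException mask the real failure.
            var metadataEntries = response.ResponseMetadata?.Metadata?.Select(m => $"{m.Key}:{m.Value}")
                                  ?? Enumerable.Empty<string>();
            var metadata = string.Join(", ", metadataEntries);
            throw new InvalidOperationException(
                $"Error creating role: \"{roleName}\". Status code was {response.HttpStatusCode}, metadata: {metadata}");
        }

        return response.Role;
    }
    catch (EntityAlreadyExistsException)
    {
        // A role with this name already exists: treat that as success and return it.
        // NOTE(review): the existing role is returned as-is; its trust policy and tags are not
        // compared against what CreateRoleRequest would have set, so a pre-existing role with a
        // broader trust policy is accepted silently — confirm whether a drift check is wanted here.
        var getRoleRequest = new GetRoleRequest { RoleName = roleName };
        var getRoleResponse = await _client.GetRoleAsync(getRoleRequest);
        return getRoleResponse.Role;
    }
}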
// CreateRoleRequest must carry the requested role name through to the request unchanged.
public void Will_Set_RoleName()
{
    // Arrange: CreateRoleRequest does not touch the client's collaborators, so nulls suffice here.
    var sut = new AwsIdentityCommandClient(null, null, null, null);
    var arn = new AwsAccountArn("foo");
    var name = new RoleName("baa");

    // Act
    var request = sut.CreateRoleRequest(arn, name);

    // Assert
    Assert.Equal(name, request.RoleName);
}
// The trust policy must name the account's ADFS SAML provider as the federated principal,
// so that only identities federated through that provider can assume the role.
public void Principal_Will_Point_To_Federated_Login()
{
    // Arrange: CreateRoleRequest does not touch the client's collaborators, so nulls suffice here.
    var sut = new AwsIdentityCommandClient(null, null, null, null);
    var arn = new AwsAccountArn("foo");
    var name = new RoleName("baa");

    // Act
    var request = sut.CreateRoleRequest(arn, name);

    // Assert: the principal is checked as a raw substring of the policy JSON, so the
    // expected text must match the document's exact formatting.
    const string expectedPrincipal = "Principal\":{\"Federated\":\"arn:aws:iam::foo:saml-provider/ADFS\"}";
    Assert.Contains(expectedPrincipal, request.AssumeRolePolicyDocument);
}
/// <summary>
/// Builds the CreateRole request for a capability role whose trust policy allows
/// <c>sts:AssumeRoleWithSAML</c> only from the account's ADFS SAML provider, and only
/// when the SAML audience is the AWS sign-in endpoint.
/// </summary>
/// <param name="accountArn">ARN of the account that owns the SAML provider.</param>
/// <param name="roleName">Name of the role; also recorded as the "capability" tag.</param>
/// <returns>A fully populated <see cref="CreateRoleRequest"/>; nothing is sent to AWS here.</returns>
public CreateRoleRequest CreateRoleRequest(AwsAccountArn accountArn, RoleName roleName)
{
    // The policy is assembled by string concatenation, not JSON serialisation, so the
    // account ARN is inserted verbatim without escaping.
    // NOTE(review): this assumes AwsAccountArn yields a well-formed ARN with no quote or
    // control characters — confirm that the type validates its input.
    const string policyPrefix =
        @"{""Version"":""2012-10-17"",""Statement"":[{""Effect"":""Allow"",""Principal"":{""Federated"":""";
    const string policySuffix =
        @"""},""Action"":""sts:AssumeRoleWithSAML"", ""Condition"": {""StringEquals"": {""SAML:aud"": ""https://signin.aws.amazon.com/saml""}}}]}";
    var federatedPrincipal = accountArn + ":saml-provider/ADFS";
    var assumeRolePolicy = policyPrefix + federatedPrincipal + policySuffix;

    var tags = new List<Tag>
    {
        new Tag { Key = MANAGED_BY, Value = AWS_JANITOR },
        new Tag { Key = "capability", Value = roleName },
    };

    return new CreateRoleRequest
    {
        RoleName = roleName,
        Tags = tags,
        Description = $"sts assumable role for capability: '{roleName}'. Managed by {AWS_JANITOR}",
        AssumeRolePolicyDocument = assumeRolePolicy,
    };
}