private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest) { var ars = new AutoResetEvent(false); Amazon.SecurityToken.Model.Credentials credentials = null; Exception exception = null; sts.AssumeRoleWithWebIdentityAsync(assumeRequest, (assumeResult) => { if (assumeResult.Exception != null) exception = assumeResult.Exception; else credentials = assumeResult.Response.Credentials; ars.Set(); }); ars.WaitOne(); if (exception != null) throw exception; return credentials; }
internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request) { var task = AssumeRoleWithWebIdentityAsync(request); try { return task.Result; } catch(AggregateException e) { throw e.InnerException; } }
internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request) { var task = AssumeRoleWithWebIdentityAsync(request); try { return task.Result; } catch(AggregateException e) { ExceptionDispatchInfo.Capture(e.InnerException).Throw(); return null; } }
/// <summary> /// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web /// identity provider, such as Login with Amazon, Facebook, or Google. <c>AssumeRoleWithWebIdentity</c> is an API call that does not require the /// use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary /// security credentials without including long-term AWS credentials in the application or by deploying server-based proxy services that use /// long-term AWS credentials. </para> <para> The temporary security credentials consist of an access key ID, a secret access key, and a /// security token. Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for /// the duration that you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds /// (1 hour). By default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access /// policy to this operation. The temporary security credentials that are returned by the operation have the permissions that are associated /// with the access policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way /// to further restrict the permissions for the federated user. These policies and any applicable resource-based policies are evaluated when /// calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call /// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application /// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other /// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity /// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para> /// <ul> /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider"> Creating a Mobile /// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html"> Creating Temporary /// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li> /// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html"> Web Identity Federation Playground</a> . This /// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary /// security credentials, and then using those credentials to make a request to AWS. </li> /// <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for /// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from /// these providers to get and use temporary security credentials. </li> /// <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web Identity Federation with Mobile Applications</a> . This article /// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li> /// /// </ul> /// /// </summary> /// /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service /// method on AmazonSecurityTokenService.</param> /// /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns> /// /// <exception cref="T:Amazon.SecurityToken.Model.PackedPolicyTooLargeException" /> /// <exception cref="T:Amazon.SecurityToken.Model.IDPRejectedClaimException" /> /// <exception cref="T:Amazon.SecurityToken.Model.MalformedPolicyDocumentException" /> /// <exception cref="T:Amazon.SecurityToken.Model.InvalidIdentityTokenException" /> /// <exception cref="T:Amazon.SecurityToken.Model.ExpiredTokenException" /> /// <exception cref="T:Amazon.SecurityToken.Model.IDPCommunicationErrorException" /> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance(); return Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(assumeRoleWithWebIdentityRequest, marshaller, unmarshaller, signer, cancellationToken); }
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle2( string client_id, string client_secret, string role) { string query = "https://accounts.google.com/o/oauth2/auth?" + string.Format("client_id={0}&", client_id) + "response_type=code&" + "scope=email%20profile&" + "redirect_uri=http://www.padisetty.com"; string id_token = null; using (var wc = new WebClient()) { var data = new NameValueCollection(); data["code"] = GetToken("code", query); data["client_id"] = client_id; data["client_secret"] = client_secret; data["redirect_uri"] = "http://www.padisetty.com"; data["grant_type"] = "authorization_code"; var response = wc.UploadValues( "https://accounts.google.com/o/oauth2/token", "POST", data); string responsebody = Encoding.UTF8.GetString(response); dynamic result = JsonConvert.DeserializeObject(responsebody); id_token = result.id_token; } AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = new AssumeRoleWithWebIdentityRequest () { WebIdentityToken = id_token, RoleArn = role }; return GetAssumeRoleWithWebIdentityResponse(assumeRoleWithWebIdentityRequest); }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param> /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param> /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> /// /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndAssumeRoleWithWebIdentity /// operation.</returns> public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance; return BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller, callback, state); }
private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn) { CredentialsRefreshState credentialsState; // Retrieve Open Id Token // (Reuses existing IdentityId or creates a new one) var identityId = await GetIdentityIdAsync().ConfigureAwait(false); var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identityId }; // If logins are set, pass them to the GetOpenId call if (Logins.Count > 0) getTokenRequest.Logins = Logins; var getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false); string token = getTokenResult.Token; // IdentityId may have changed, save the new value UpdateIdentity(getTokenResult.IdentityId, true); // Assume role with Open Id Token var assumeRequest = new AssumeRoleWithWebIdentityRequest { WebIdentityToken = token, RoleArn = roleArn, RoleSessionName = "NetProviderSession", DurationSeconds = DefaultDurationSeconds }; var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials; // Return new refresh state (credentials and expiration) credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration); return credentialsState; }
// Retrieves credentials for the specific role, by making a call to STS private CredentialsRefreshState GetCredentialsForRole(string roleArn) { CredentialsRefreshState credentialsState; // Retrieve Open Id Token // (Reuses existing IdentityId or creates a new one) var identity = this.GetIdentityIdWithCaching(); var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity.IdentityId }; // If logins are set, pass them to the GetOpenId call if (Logins.Count > 0) getTokenRequest.Logins = Logins; bool retry = false; GetOpenIdTokenResponse getTokenResult = null; try { getTokenResult = GetOpenId(getTokenRequest); } catch (AmazonCognitoIdentityException e) { if (ShouldRetry(e, identity)) retry = true; else throw; } if (retry) { return GetCredentialsForRole(roleArn); } string token = getTokenResult.Token; // IdentityId may have changed, save the new value UpdateIdentity(getTokenResult.IdentityId, true); // Assume role with Open Id Token var assumeRequest = new AssumeRoleWithWebIdentityRequest { WebIdentityToken = token, RoleArn = roleArn, RoleSessionName = "NetProviderSession", DurationSeconds = DefaultDurationSeconds }; var credentials = GetStsCredentials(assumeRequest); credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration); return credentialsState; }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> /// <returns>The task object representing the asynchronous operation.</returns> public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance; return InvokeAsync<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller, cancellationToken); }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param> /// <param name="callback">An Action delegate that is invoked when the operation completes.</param> /// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> public void AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, AmazonServiceCallback<AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse> callback, AsyncOptions options = null) { options = options == null?new AsyncOptions():options; var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance; Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null; if(callback !=null ) callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => { AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse> responseObject = new AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>((AssumeRoleWithWebIdentityRequest)req, (AssumeRoleWithWebIdentityResponse)res, ex , ao.State); callback(responseObject); }; BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller, options, callbackHelper); }
private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest) { var assumeResult = sts.AssumeRoleWithWebIdentity(assumeRequest); var credentials = assumeResult.Credentials; return credentials; }
IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state, bool synchronized) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance; return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer); }
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle( string client_id, string role) { string query = "https://accounts.google.com/o/oauth2/auth?" + string.Format("client_id={0}&", client_id) + "response_type=id_token&" + "scope=email%20profile&" + "redirect_uri=http://www.padisetty.com"; AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = new AssumeRoleWithWebIdentityRequest () { WebIdentityToken = GetToken ("id_token", query), RoleArn = role }; return GetAssumeRoleWithWebIdentityResponse( assumeRoleWithWebIdentityRequest); }
AssumeRoleWithWebIdentityResponse GetAssumeRoleWithWebIdentityResponse( AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest) { // Start with Anonymous AWS Credentials and get temporary credentials. var stsClient = new AmazonSecurityTokenServiceClient( new AnonymousAWSCredentials()); assumeRoleWithWebIdentityRequest.DurationSeconds = 3600; assumeRoleWithWebIdentityRequest.RoleSessionName = "MySession"; return stsClient.AssumeRoleWithWebIdentity( assumeRoleWithWebIdentityRequest); }
/// <summary> /// Returns a set of temporary security credentials for users who have been authenticated /// in a mobile or web application with a web identity provider, such as Amazon Cognito, /// Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider. /// /// /// <note> /// <para> /// For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon /// Cognito with the <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and /// the <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a> to uniquely /// identify a user and supply the user with a consistent identity throughout the lifetime /// of an application. /// </para> /// /// <para> /// To learn more about Amazon Cognito, see <a href="http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840">Amazon /// Cognito Overview</a> in the <i>AWS SDK for Android Developer Guide</i> guide and <a /// href="http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664">Amazon /// Cognito Overview</a> in the <i>AWS SDK for iOS Developer Guide</i>. /// </para> /// </note> /// <para> /// Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of AWS security /// credentials. Therefore, you can distribute an application (for example, on mobile /// devices) that requests temporary security credentials without including long-term /// AWS credentials in the application, and without deploying server-based proxy services /// that use long-term AWS credentials. Instead, the identity of the caller is validated /// by using a token from the web identity provider. /// </para> /// /// <para> /// The temporary security credentials returned by this API consist of an access key ID, /// a secret access key, and a security token. Applications can use these temporary security /// credentials to sign calls to AWS service APIs. The credentials are valid for the duration /// that you specified when calling <code>AssumeRoleWithWebIdentity</code>, which can /// be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary /// security credentials are valid for 1 hour. /// </para> /// /// <para> /// Optionally, you can pass an IAM access policy to this operation. If you choose not /// to pass a policy, the temporary security credentials that are returned by the operation /// have the permissions that are defined in the access policy of the role that is being /// assumed. If you pass a policy to this operation, the temporary security credentials /// that are returned by the operation have the permissions that are allowed by both the /// access policy of the role that is being assumed, <i><b>and</b></i> the policy that /// you pass. This gives you a way to further restrict the permissions for the resulting /// temporary security credentials. You cannot use the passed policy to grant permissions /// that are in excess of those allowed by the access policy of the role that is being /// assumed. For more information, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html">Permissions /// for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>Using /// IAM</i>. /// </para> /// /// <para> /// Before your application can call <code>AssumeRoleWithWebIdentity</code>, you must /// have an identity token from a supported identity provider and create a role that the /// application can assume. The role that your application assumes must trust the identity /// provider that is associated with the identity token. In other words, the identity /// provider must be specified in the role's trust policy. /// </para> /// /// <para> /// For more information about how to use web identity federation and the <code>AssumeRoleWithWebIdentity</code> /// API, see the following resources: /// </para> /// <ul> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual">Using /// Web Identity Federation APIs for Mobile Apps</a> and <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation /// Through a Web-based Identity Provider</a>. </li> <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html"> /// Web Identity Federation Playground</a>. This interactive website lets you walk through /// the process of authenticating via Login with Amazon, Facebook, or Google, getting /// temporary security credentials, and then using those credentials to make a request /// to AWS. </li> <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> /// and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a>. These /// toolkits contain sample apps that show how to invoke the identity providers, and then /// how to use the information from these providers to get and use temporary security /// credentials. </li> <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web /// Identity Federation with Mobile Applications</a>. This article discusses web identity /// federation and shows an example of how to use web identity federation to get access /// to content in Amazon S3. </li> </ul> /// </summary> /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service method.</param> /// /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by SecurityTokenService.</returns> /// <exception cref="Amazon.SecurityToken.Model.ExpiredTokenException"> /// The web identity token that was passed is expired or is not valid. Get a new identity /// token from the identity provider and then retry the request. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.IDPCommunicationErrorException"> /// The request could not be fulfilled because the non-AWS identity provider (IDP) that /// was asked to verify the incoming identity token could not be reached. This is often /// a transient error caused by network conditions. Retry the request a limited number /// of times so that you don't exceed the request rate. If the error persists, the non-AWS /// identity provider might be down or not responding. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.IDPRejectedClaimException"> /// The identity provider (IdP) reported that authentication failed. This might be because /// the claim is invalid. /// /// /// <para> /// If this error is returned for the <code>AssumeRoleWithWebIdentity</code> operation, /// it can also mean that the claim has expired or has been explicitly revoked. /// </para> /// </exception> /// <exception cref="Amazon.SecurityToken.Model.InvalidIdentityTokenException"> /// The web identity token that was passed could not be validated by AWS. Get a new identity /// token from the identity provider and then retry the request. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.MalformedPolicyDocumentException"> /// The request was rejected because the policy document was malformed. The error message /// describes the specific error. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.PackedPolicyTooLargeException"> /// The request was rejected because the policy document was too large. The error message /// describes how big the policy document is, in packed form, as a percentage of what /// the API allows. /// </exception> public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance; return Invoke<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller); }
IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state, bool synchronized) { IRequest irequest = new AssumeRoleWithWebIdentityRequestMarshaller().Marshall(assumeRoleWithWebIdentityRequest); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance(); AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller); Invoke(result); return result; }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation. /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/> /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> /// <returns>The task object representing the asynchronous operation.</returns> public async Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller(); var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance(); var response = await Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller, signer, cancellationToken) .ConfigureAwait(continueOnCapturedContext: false); return response; }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation. /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/> /// </summary> /// /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on /// AmazonSecurityTokenService.</param> /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param> /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> /// /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking /// EndAssumeRoleWithWebIdentity operation.</returns> public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state) { return invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, callback, state, false); }
/// <summary> /// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web /// identity provider, such as Login with Amazon, Facebook, or Google. </para> <para> Calling <c>AssumeRoleWithWebIdentity</c> does not require /// the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary /// security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that /// use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. </para> /// <para> The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. /// Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for the duration that /// you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By /// default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access policy to this /// operation. The temporary security credentials that are returned by the operation have the permissions that are associated with the access /// policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way to further /// restrict the permissions for the resulting temporary security credentials. These policies and any applicable resource-based policies are /// evaluated when calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call /// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application /// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other /// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity /// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para> /// <ul> /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider" > Creating a Mobile /// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html" > Creating Temporary /// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li> /// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html" > Web Identity Federation Playground</a> . This /// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary /// security credentials, and then using those credentials to make a request to AWS. </li> /// <li> <a href="http://aws.amazon.com/sdkforios/" >AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/" >AWS SDK for /// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from /// these providers to get and use temporary security credentials. </li> /// <li> <a href="http://aws.amazon.com/articles/4617974389850313" >Web Identity Federation with Mobile Applications</a> . This article /// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li> /// /// </ul> /// /// </summary> /// /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service /// method on AmazonSecurityTokenService.</param> /// /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns> /// /// <exception cref="PackedPolicyTooLargeException"/> /// <exception cref="IDPRejectedClaimException"/> /// <exception cref="MalformedPolicyDocumentException"/> /// <exception cref="InvalidIdentityTokenException"/> /// <exception cref="ExpiredTokenException"/> /// <exception cref="IDPCommunicationErrorException"/> public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest) { IAsyncResult asyncResult = invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, null, null, true); return EndAssumeRoleWithWebIdentity(asyncResult); }
private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest) { var assumeResult = Amazon.Runtime.Internal.Util.AsyncHelpers.RunSync<AssumeRoleWithWebIdentityResponse>(() => sts.AssumeRoleWithWebIdentityAsync(assumeRequest)); var credentials = assumeResult.Credentials; return credentials; }
// Retrieves credentials for the specific role, by making a call to STS private CredentialsRefreshState GetCredentialsForRole(string roleArn) { CredentialsRefreshState credentialsState; // Retrieve Open Id Token // (Reuses existing IdentityId or creates a new one) var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = GetIdentityId() }; // If logins are set, pass them to the GetOpenId call if (Logins.Count > 0) getTokenRequest.Logins = Logins; var getTokenResult = GetOpenId(getTokenRequest); string token = getTokenResult.Token; // IdentityId may have changed, save the new value UpdateIdentity(getTokenResult.IdentityId, true); // Assume role with Open Id Token var assumeRequest = new AssumeRoleWithWebIdentityRequest { WebIdentityToken = token, RoleArn = roleArn, RoleSessionName = "NetProviderSession", DurationSeconds = DefaultDurationSeconds }; var credentials = GetStsCredentials(assumeRequest); credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration); return credentialsState; }
private Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityRequest request) { Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithWebIdentity"); try { #if DESKTOP return(client.AssumeRoleWithWebIdentity(request)); #elif CORECLR return(client.AssumeRoleWithWebIdentityAsync(request).GetAwaiter().GetResult()); #else #error "Unknown build edition" #endif } catch (AmazonServiceException exc) { var webException = exc.InnerException as System.Net.WebException; if (webException != null) { throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException); } throw; } }
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingFacebook( string client_id, string role) { string query = "https://www.facebook.com/dialog/oauth?" + string.Format ("client_id={0}&", client_id) + "response_type=token&" + "redirect_uri=https://www.facebook.com/connect/login_success.html"; AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = new AssumeRoleWithWebIdentityRequest () { ProviderId = "graph.facebook.com", WebIdentityToken = GetToken("access_token", query), RoleArn = role, }; return GetAssumeRoleWithWebIdentityResponse (assumeRoleWithWebIdentityRequest); }
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingAmazon( string client_id, string role) { string query = "https://www.amazon.com/ap/oa?" + string.Format("client_id={0}&", client_id) + "response_type=token&" + "scope=profile&" + "redirect_uri=https://www.google.com"; AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest = new AssumeRoleWithWebIdentityRequest () { ProviderId = "www.amazon.com", WebIdentityToken = GetToken("access_token", query), RoleArn = role }; return GetAssumeRoleWithWebIdentityResponse( assumeRoleWithWebIdentityRequest); }
private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn) { CredentialsRefreshState credentialsState; // Retrieve Open Id Token // (Reuses existing IdentityId or creates a new one) var identity = await GetIdentityIdAsync(RefreshIdentityOptions.Refresh).ConfigureAwait(false); var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity }; // If logins are set, pass them to the GetOpenId call if (Logins.Count > 0) getTokenRequest.Logins = Logins; bool retry = false; GetOpenIdTokenResponse getTokenResult = null; try { getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false); } catch (AmazonCognitoIdentityException e) { if (ShouldRetry(e)) retry = true; else throw; } if (retry) { return await GetCredentialsForRoleAsync(roleArn); } string token = getTokenResult.Token; // IdentityId may have changed, save the new value UpdateIdentity(getTokenResult.IdentityId); // Assume role with Open Id Token var assumeRequest = new AssumeRoleWithWebIdentityRequest { WebIdentityToken = token, RoleArn = roleArn, RoleSessionName = "NetProviderSession", DurationSeconds = DefaultDurationSeconds }; var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials; // Return new refresh state (credentials and expiration) credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration); return credentialsState; }