/// <summary>
/// Constructs a RefreshingSessionAWSCredentials object.
/// The passed-in AmazonSecurityTokenService is used to refresh credentials.
/// </summary>
/// <param name="awsAccessKeyId">AWS Access Key ID</param>
/// <param name="awsSecretAccessKey">AWS Secret Access Key</param>
/// <param name="stsConfig">Config object used for the constructed AmazonSecurityTokenService.</param>
public RefreshingSessionAWSCredentials(string awsAccessKeyId, string awsSecretAccessKey, AmazonSecurityTokenServiceConfig stsConfig)
: this(ConstructSTSClient(new BasicAWSCredentials(awsAccessKeyId, awsSecretAccessKey), stsConfig))
{
}
/// <summary>
/// Constructs a RefreshingSessionAWSCredentials object.
/// AmazonSecurityTokenService is created from passed-in credentials and
/// config object and is used to refresh credentials.
///
/// Passed-in AWSCredentials cannot be session credentials.
/// </summary>
/// <param name="stsCredentials"></param>
/// <param name="stsConfig">Config object used for the constructed AmazonSecurityTokenService.</param>
public RefreshingSessionAWSCredentials(AWSCredentials stsCredentials, AmazonSecurityTokenServiceConfig stsConfig)
: this(ConstructSTSClient(stsCredentials, stsConfig), true)
{
}
/// <summary>
/// Create a client for the Amazon SecurityTokenService Service with AWSCredentials and an AmazonSecurityTokenService Configuration object.
/// </summary>
/// <param name="credentials">AWS Credentials</param>
/// <param name="config">Configuration options for the service like HTTP Proxy, # of connections, etc</param>
/// <returns>An Amazon SecurityTokenService client</returns>
/// <remarks>
/// </remarks>
public static IAmazonSecurityTokenService CreateAmazonSecurityTokenServiceClient(AWSCredentials credentials, AmazonSecurityTokenServiceConfig config)
{
return(new AmazonSecurityTokenServiceClient(credentials, config));
}
/// <summary>
/// Create a client for the Amazon SecurityTokenService Service with the credentials loaded from the application's
/// default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.
///
/// Example App.config with credentials set.
/// <code>
/// <?xml version="1.0" encoding="utf-8" ?>
/// <configuration>
/// <appSettings>
/// <add key="AWSAccessKey" value="********************"/>
/// <add key="AWSSecretKey" value="****************************************"/>
/// </appSettings>
/// </configuration>
/// </code>
/// </summary>
/// <param name="config">Configuration options for the service like HTTP Proxy, # of connections, etc</param>
/// <returns>An Amazon SecurityTokenService client</returns>
public static IAmazonSecurityTokenService CreateAmazonSecurityTokenServiceClient(AmazonSecurityTokenServiceConfig config)
{
return(new AmazonSecurityTokenServiceClient(config));
}
/// <summary>
/// Constructs an <see cref="AmazonEC2Client" /> instance with the
/// temporary details generated from role assumption.
/// </summary>
/// <param name="explicitCredentials">
/// An instance of <see cref="AWSCredentials" /> containing explicitly
/// declared credentials (i.e. from the command line). Can be null.
/// </param>
/// <param name="amazonEC2Config">
/// An instance of <see cref="AmazonEC2Config" />.
/// </param>
/// <param name="roleArn">
/// An IAM role ARN to assume.
/// </param>
/// <returns>
/// A configured instance of <see cref="AmazonEC2Client" />.
/// </returns>
private AmazonEC2Client AssumeRoleAndCreateEC2Client(
AWSCredentials explicitCredentials,
AmazonEC2Config amazonEC2Config,
string roleArn)
{
AmazonEC2Client toReturn = null;
AmazonSecurityTokenServiceConfig amazonSecurityTokenServiceConfig =
new AmazonSecurityTokenServiceConfig()
{
// Nothing for now...
};
IAmazonSecurityTokenService amazonSecurityTokenService = null;
// Explcit credentials supplied?
if (explicitCredentials == null)
{
this.loggingProvider.Debug(
$"No explicit credentials provided. Creating an " +
$"instance of the " +
$"{nameof(AmazonSecurityTokenServiceClient)} using " +
"credentials stored in the credentials file...");
// Nope. Use the credentials file.
amazonSecurityTokenService =
new AmazonSecurityTokenServiceClient(
amazonSecurityTokenServiceConfig);
}
else
{
this.loggingProvider.Debug(
$"Explicit credentials provided. Creating an instance " +
$"of the {nameof(AmazonSecurityTokenServiceClient)} " +
$"using these details...");
// Yep.
amazonSecurityTokenService =
new AmazonSecurityTokenServiceClient(
explicitCredentials,
amazonSecurityTokenServiceConfig);
}
this.loggingProvider.Info(
$"Instance of {nameof(AmazonSecurityTokenServiceClient)} " +
$"established.");
this.loggingProvider.Debug(
$"Parsing role ARN \"{roleArn}\" to create the session " +
$"name...");
// Just use the latter part of the ARN as the session name.
string roleSessionName = roleArn.Split('/')
.Last();
this.loggingProvider.Info(
$"Session name created from ARN: \"{roleSessionName}\".");
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
{
RoleArn = roleArn,
RoleSessionName = roleSessionName
};
this.loggingProvider.Debug(
$"Pulling back credentials from " +
$"{nameof(AmazonSecurityTokenServiceClient)} by assuming " +
$"specified role...");
// Get the temporary credentials using the specified role.
AssumeRoleResponse assumeRoleResponse =
amazonSecurityTokenService.AssumeRole(assumeRoleRequest);
Credentials roleCreds = assumeRoleResponse.Credentials;
this.loggingProvider.Info(
$"Credentials returned. Access ID: " +
$"\"{roleCreds.AccessKeyId}\". Returning " +
$"an instance of {nameof(AmazonEC2Client)}.");
toReturn = new AmazonEC2Client(
roleCreds,
amazonEC2Config);
return(toReturn);
}
private static AmazonSecurityTokenService ConstructSTSClient(AWSCredentials credentials, AmazonSecurityTokenServiceConfig config)
{
using (ImmutableCredentials immmutableCredentials = credentials.GetCredentials())
{
if (immmutableCredentials.UseToken)
{
throw new ArgumentException("Session credentials cannot be used to create refreshing session credentials");
}
AmazonSecurityTokenServiceClient stsClient;
if (immmutableCredentials.UseSecureStringForSecretKey)
{
stsClient = new AmazonSecurityTokenServiceClient(immmutableCredentials.AccessKey, GetClearSecretKey(immmutableCredentials.SecureSecretKey), config);
}
else
{
stsClient = new AmazonSecurityTokenServiceClient(immmutableCredentials.AccessKey, immmutableCredentials.ClearSecretKey, config);
}
return(stsClient);
}
}
/// <summary>
/// Constructs a RefreshingSessionAWSCredentials object.
/// AccessKey and SecretKey are taken from the app.config for the application.
///
/// Example App.config with credentials set.
/// <code>
/// <?xml version="1.0" encoding="utf-8" ?>
/// <configuration>
/// <appSettings>
/// <add key="AWSAccessKey" value="********************"/>
/// <add key="AWSSecretKey" value="****************************************"/>
/// </appSettings>
/// </configuration>
/// </code>
/// </summary>
/// <param name="stsConfig">Config object used for the constructed AmazonSecurityTokenService.</param>
public RefreshingSessionAWSCredentials(AmazonSecurityTokenServiceConfig stsConfig)
: this(new EnvironmentAWSCredentials(), stsConfig)
{
}
