public static Credentials GetTemporaryCredentials(string policy) { var config = new AmazonSecurityTokenServiceConfig { RegionEndpoint = RegionEndpoint.APSoutheast2 }; var client = new AmazonSecurityTokenServiceClient(config); var iamClient = new AmazonIdentityManagementServiceClient( RegionEndpoint.APSoutheast2); var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials"); var role = iamClient.GetRole( new GetRoleRequest() { RoleName = iamRoleName }); var assumeRoleRequest = new AssumeRoleRequest() { RoleArn = role.Role.Arn, RoleSessionName = Guid.NewGuid().ToString().Replace("-", ""), DurationSeconds = 900 }; if (!string.IsNullOrEmpty(policy)) { assumeRoleRequest.Policy = policy; } var assumeRoleResponse = client.AssumeRole(assumeRoleRequest); var credentials = assumeRoleResponse.Credentials; return(credentials); }
private static void Ec2IamTest() { var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials"); var iamRole = EC2InstanceMetadata.GetData($"/iam/security-credentials/{iamRoleName}"); var iamCredentials = JsonConvert.DeserializeObject <IamRoleCredentials>(iamRole); Console.WriteLine(iamCredentials.AccessKeyId); Console.WriteLine(iamCredentials.Token); var request = new AwsApiGatewayRequest() { RegionName = "ap-southeast-2", Host = apiEndpoint, AccessKey = iamCredentials.AccessKeyId, SecretKey = iamCredentials.SecretAccessKey, AbsolutePath = apiEndpointStaging, JsonData = "245", SessionToken = iamCredentials.Token, RequestMethod = HttpMethod.Post }; var apiRequest = new ApiRequest(request); var response = apiRequest.GetResponse(); Console.WriteLine(response.ContentLength); }
private IamRoleCredentials GetEc2Credential() { var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials"); var iamRole = EC2InstanceMetadata.GetData($"/iam/security-credentials/{iamRoleName}"); var iamCredentials = JsonConvert.DeserializeObject <IamRoleCredentials>(iamRole); return(iamCredentials); }
protected override CredentialsRefreshState GenerateNewCredentials() { CredentialsRefreshState newState = null; var token = EC2InstanceMetadata.FetchApiToken(); try { // Attempt to get early credentials. OK to fail at this point. newState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials)); logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e); } // If successful, save new credentials if (newState != null) { _currentRefreshState = newState; } // If still not successful (no credentials available at start), attempt once more to // get credentials, but now without swallowing exception if (_currentRefreshState == null) { try { _currentRefreshState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } } // Return credentials that will expire in at most one hour CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState); return(state); }
private bool IsRunningOnEc2() { bool isOnEc2 = false; try { var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials"); isOnEc2 = !string.IsNullOrEmpty(iamRoleName); } catch (Exception) { } return(isOnEc2); }
void MetadataFromPath() { foreach (var p in Path) { try { var output = EC2InstanceMetadata.GetData(p); WriteObject(output, true); } catch (Exception e) { WriteError(new ErrorRecord(e, "PathNotFound", ErrorCategory.InvalidArgument, p)); } } }
/// <summary> /// Retrieves a list of all roles available through current InstanceProfile service /// </summary> /// <returns></returns> public static IEnumerable <string> GetAvailableRoles(IWebProxy proxy) { var token = EC2InstanceMetadata.FetchApiToken(); var allAliases = string.Empty; try { allAliases = GetContents(RolesUri, proxy, CreateMetadataTokenHeaders(token)); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } if (string.IsNullOrEmpty(allAliases)) { yield break; } string[] parts = allAliases.Split(AliasSeparators, StringSplitOptions.RemoveEmptyEntries); foreach (var part in parts) { var trim = part.Trim(); if (!string.IsNullOrEmpty(trim)) { yield return(trim); } } }
public static string EvaluateAWSVariable(string variable) { if (!variable.StartsWith("{") || !variable.EndsWith("}")) { //Variable already evaluated return(variable); } (string prefix, string variableNoPrefix) = Utility.SplitPrefix(variable.Substring(1, variable.Length - 2), ':'); switch (variableNoPrefix.ToLower()) { case "instance_id": return(EC2InstanceMetadata.InstanceId); case "hostname": return(EC2InstanceMetadata.Hostname); default: if ("ec2".Equals(prefix, StringComparison.CurrentCultureIgnoreCase)) { if (!variableNoPrefix.StartsWith("/")) { variableNoPrefix = "/" + variableNoPrefix; } return(EC2InstanceMetadata.GetData(variableNoPrefix)); } else if ("ec2tag".Equals(prefix, StringComparison.CurrentCultureIgnoreCase)) { return(EC2Utility.GetTagValue(variableNoPrefix)); } else { return(variable); } } }
private static List <string> GetItems(string path, int tries, bool slurp, string token) { var items = new List <string>(); //For all meta-data queries we need to fetch an api token to use. In the event a //token cannot be obtained we will fallback to not using a token. Dictionary <string, string> headers = null; if (token == null) { token = Amazon.Util.EC2InstanceMetadata.FetchApiToken(); } if (!string.IsNullOrEmpty(token)) { headers = new Dictionary <string, string>(); headers.Add(HeaderKeys.XAwsEc2MetadataToken, token); } try { if (!Amazon.Util.EC2InstanceMetadata.IsIMDSEnabled) { throw new IMDSDisabledException(); } HttpWebRequest request; if (path.StartsWith("http", StringComparison.Ordinal)) { request = WebRequest.Create(path) as HttpWebRequest; } else { request = WebRequest.Create(EC2_METADATA_ROOT + path) as HttpWebRequest; } request.Timeout = (int)TimeSpan.FromSeconds(5).TotalMilliseconds; request.UserAgent = _userAgent; if (headers != null) { foreach (var header in headers) { request.Headers.Add(header.Key, header.Value); } } using (var response = request.GetResponse()) { using (var stream = new StreamReader(response.GetResponseStream())) { if (slurp) { items.Add(stream.ReadToEnd()); } else { string line; do { line = stream.ReadLine(); if (line != null) { items.Add(line.Trim()); } }while (line != null); } } } } catch (WebException wex) { var response = wex.Response as HttpWebResponse; if (response != null) { if (response.StatusCode == HttpStatusCode.NotFound) { return(null); } else if (response.StatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } } if (tries <= 1) { Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "Unable to contact EC2 Metadata service."); return(null); } PauseExponentially(tries); return(GetItems(path, tries - 1, slurp, token)); } catch (IMDSDisabledException) { // Keep this behavior identical to when HttpStatusCode.NotFound is returned. return(null); } return(items); }
protected override CredentialsRefreshState GenerateNewCredentials() { CredentialsRefreshState newState = null; var token = EC2InstanceMetadata.FetchApiToken(); try { // Attempt to get early credentials. OK to fail at this point. newState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); throw; } var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials)); logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e); // if we already have cached credentials, we'll continue to use those credentials, // but try again to refresh them in 2 minutes. if (null != _currentRefreshState) { #pragma warning disable CS0612 // Type or member is obsolete var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(2); #pragma warning restore CS0612 // Type or member is obsolete _currentRefreshState = new CredentialsRefreshState(_currentRefreshState.Credentials.Copy(), newExpiryTime); return(_currentRefreshState); } } if (newState?.IsExpiredWithin(TimeSpan.Zero) == true) { // special case - credentials returned are expired _logger.InfoFormat(_receivedExpiredCredentialsFromIMDS); // use a custom refresh time #pragma warning disable CS0612 // Type or member is obsolete var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(new Random().Next(5, 16)); #pragma warning restore CS0612 // Type or member is obsolete _currentRefreshState = new CredentialsRefreshState(newState.Credentials.Copy(), newExpiryTime); return(_currentRefreshState); } // If successful, save new credentials if (newState != null) { _currentRefreshState = newState; } // If still not successful (no credentials available at start), attempt once more to // get credentials, but now without swallowing exception if (_currentRefreshState == null) { try { _currentRefreshState = GetRefreshState(token); } catch (Exception e) { HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e); if (httpStatusCode == HttpStatusCode.Unauthorized) { EC2InstanceMetadata.ClearTokenFlag(); Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow."); } throw; } } // Return credentials that will expire in at most one hour CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState); return(state); }