/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public ImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
throw new ArgumentException("Unknown or invalid role specified.");
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return response.Credentials.GetCredentials();
}
/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public ImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
{
throw new ArgumentException("Unknown or invalid role specified.");
}
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return(response.Credentials.GetCredentials());
}
public async Task EmittedFactories_PerformAssumeRole_IfArnGiven(
string roleArn,
AssumeRoleResponse response,
Credentials credentials,
IAmazonSecurityTokenService stsClient
)
{
response.Credentials = credentials;
stsClient.AssumeRoleAsync(Any <AssumeRoleRequest>()).Returns(response);
using var generation = await project.GenerateAssembly();
var(assembly, _) = generation;
var factoryType = assembly.GetType("Lambdajection.CompilationTests.AmazonFactories.Handler+LambdajectionConfigurator+S3Factory");
var factory = (IAwsFactory <IAmazonS3>)Activator.CreateInstance(factoryType !, new object[] { stsClient }) !;
var result = await factory.Create(roleArn);
var credentialsProperty = typeof(AmazonServiceClient).GetProperty("Credentials", BindingFlags.NonPublic | BindingFlags.Instance) !;
var actualCredentials = credentialsProperty.GetMethod !.Invoke(result, Array.Empty <object>());
actualCredentials.Should().BeSameAs(credentials);
await stsClient.Received().AssumeRoleAsync(Is <AssumeRoleRequest>(req =>
req.RoleArn == roleArn
));
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(
string accountId, string identityPoolId,
string unAuthRoleArn, string authRoleArn,
IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(identityPoolId))
{
throw new ArgumentNullException("identityPoolId");
}
if (cibClient == null)
{
throw new ArgumentNullException("cibClient");
}
if (stsClient == null)
{
throw new ArgumentNullException("stsClient");
}
AccountId = accountId;
IdentityPoolId = identityPoolId;
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
Logins = new Dictionary <string, string>(StringComparer.Ordinal);
cib = cibClient;
sts = stsClient;
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(
string accountId, string identityPoolId,
string unAuthRoleArn, string authRoleArn,
IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(identityPoolId))
{
throw new ArgumentNullException("identityPoolId");
}
if (cibClient == null)
{
throw new ArgumentNullException("cibClient");
}
if ((unAuthRoleArn != null || authRoleArn != null) && stsClient == null)
{
throw new ArgumentNullException("stsClient");
}
AccountId = accountId;
IdentityPoolId = identityPoolId;
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
Logins = new Dictionary <string, string>(StringComparer.Ordinal);
cib = cibClient;
sts = stsClient;
//check cache for identity id
string cachedIdentity = GetCachedIdentityId();
if (!string.IsNullOrEmpty(cachedIdentity))
{
UpdateIdentity(cachedIdentity);
//update the credentials from cache
currentState = GetCachedCredentials();
}
}
/// <summary>
/// Instantiates STSAssumeRoleAWSCredentials which automatically assumes a specified SAML role.
/// The credentials are refreshed before expiration.
/// </summary>
/// <param name="assumeRoleWithSamlRequest">Configuration for the SAML role to assume.</param>
public STSAssumeRoleAWSCredentials(AssumeRoleWithSAMLRequest assumeRoleWithSamlRequest)
{
if (assumeRoleWithSamlRequest == null) throw new ArgumentNullException("assumeRoleWithSamlRequest");
_stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
_assumeSamlRequest = assumeRoleWithSamlRequest;
PreemptExpiryTime = _defaultPreemptExpiryTime;
}
/// <summary>
/// Instantiates STSAssumeRoleAWSCredentials which automatically assumes a specified role.
/// The credentials are refreshed before expiration.
/// </summary>
/// <param name="sts">
/// Instance of IAmazonSecurityTokenService that will be used to make the AssumeRole service call.
/// </param>
/// <param name="assumeRoleRequest">Configuration for the role to assume.</param>
public STSAssumeRoleAWSCredentials(IAmazonSecurityTokenService sts, AssumeRoleRequest assumeRoleRequest)
{
if (sts == null) throw new ArgumentNullException("sts");
if (assumeRoleRequest == null) throw new ArgumentNullException("assumeRoleRequest");
_stsClient = sts;
_assumeRequest = assumeRoleRequest;
PreemptExpiryTime = _defaultPreemptExpiryTime;
}
/// <summary>
/// Retrieves a set of temporary credentials for the specified role, valid for the specified timespan.
/// If the SAML authentication data yield more than one role, a valid role name must be specified.
/// </summary>
/// <param name="stsClient">The STS client to use when making the AssumeRoleWithSAML request.</param>
/// <param name="principalAndRoleArns">
/// The arns of the principal and role as returned in the SAML assertion.
/// </param>
/// <param name="duration">The valid timespan for the credentials.</param>
/// <returns>Temporary session credentials for the specified or default role for the user.</returns>
public SAMLImmutableCredentials GetRoleCredentials(IAmazonSecurityTokenService stsClient, string principalAndRoleArns, TimeSpan duration)
{
string roleArn = null;
string principalArn = null;
var swappedPrincipalAndRoleArns = string.Empty;
if (!string.IsNullOrEmpty(principalAndRoleArns))
{
var roleComponents = principalAndRoleArns.Split(',');
if (roleComponents.Count() != 2)
{
throw new ArgumentException("Unknown or invalid principal and role arns format.");
}
swappedPrincipalAndRoleArns = roleComponents.Last() + "," + roleComponents.First();
}
foreach (var s in RoleSet.Values)
{
if (s.Equals(principalAndRoleArns, StringComparison.OrdinalIgnoreCase) || s.Equals(swappedPrincipalAndRoleArns, StringComparison.OrdinalIgnoreCase))
{
var roleComponents = s.Split(',');
if (IsSamlProvider(roleComponents.First()))
{
//Backwards compatible format -- arn:...:saml-provider/SAML,arn:...:role/RoleName
principalArn = roleComponents.First();
roleArn = roleComponents.Last();
}
else
{
//Documented format -- arn:...:role/RoleName,arn:...:saml-provider/SAML
roleArn = roleComponents.First();
principalArn = roleComponents.Last();
}
break;
}
}
if (string.IsNullOrEmpty(roleArn) || string.IsNullOrEmpty(principalArn))
{
throw new ArgumentException("Unknown or invalid role specified.");
}
var response = stsClient.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
{
SAMLAssertion = AssertionDocument,
RoleArn = roleArn,
PrincipalArn = principalArn,
DurationSeconds = (int)duration.TotalSeconds
});
return(new SAMLImmutableCredentials(response.Credentials.GetCredentials(),
response.Credentials.Expiration.ToUniversalTime(),
response.Subject));
}
/// <summary>
/// Instantiates AssumeRoleAWSCredentials which automatically assumes a specified SAML role.
/// The credentials are refreshed before expiration.
/// </summary>
/// <param name="assumeRoleWithSamlRequest">Configuration for the SAML role to assume.</param>
public AssumeRoleAWSCredentials(AssumeRoleWithSAMLRequest assumeRoleWithSamlRequest)
{
if (assumeRoleWithSamlRequest == null)
{
throw new ArgumentNullException("assumeRoleWithSamlRequest");
}
_stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
PreemptExpiryTime = _defaultPreemptExpiryTime;
}
public IndexModel(
ILogger <IndexModel> logger,
IAmazonSecurityTokenService amazonSecurityTokenService,
IAmazonQuickSight amazonQuickSight
)
{
_logger = logger;
_amazonSecurityTokenService = amazonSecurityTokenService;
_amazonQuickSight = amazonQuickSight;
}
public AwsIdentityCommandClient(
IAmazonIdentityManagementService client,
IAmazonSecurityTokenService securityTokenServiceClient,
IPolicyTemplateRepository policyTemplateRepository,
IIdentityManagementServiceClient identityManagementClient)
{
_client = client;
_securityTokenServiceClient = securityTokenServiceClient;
_policyTemplateRepository = policyTemplateRepository;
_identityManagementClient = identityManagementClient;
}
/// <summary>
/// Implements the Dispose pattern
/// </summary>
/// <param name="disposing">Whether this object is being disposed via a call to Dispose
/// or garbage collected.</param>
protected virtual void Dispose(bool disposing)
{
if (!this._isDisposed)
{
if (disposing && _stsClient != null)
{
_stsClient.Dispose();
_stsClient = null;
}
this._isDisposed = true;
}
}
/// <summary>
/// Implements the Dispose pattern
/// </summary>
/// <param name="disposing">Whether this object is being disposed via a call to Dispose
/// or garbage collected.</param>
protected virtual void Dispose(bool disposing)
{
if (!this._isDisposed)
{
if (disposing && _stsClient != null)
{
_stsClient.Dispose();
_stsClient = null;
}
this._isDisposed = true;
}
}
/// <summary>
/// Instantiates STSAssumeRoleAWSCredentials which automatically assumes a specified role.
/// The credentials are refreshed before expiration.
/// </summary>
/// <param name="sts">
/// Instance of IAmazonSecurityTokenService that will be used to make the AssumeRole service call.
/// </param>
/// <param name="assumeRoleRequest">Configuration for the role to assume.</param>
public STSAssumeRoleAWSCredentials(IAmazonSecurityTokenService sts, AssumeRoleRequest assumeRoleRequest)
{
if (sts == null)
{
throw new ArgumentNullException("sts");
}
if (assumeRoleRequest == null)
{
throw new ArgumentNullException("assumeRoleRequest");
}
_stsClient = sts;
_assumeRequest = assumeRoleRequest;
PreemptExpiryTime = _defaultPreemptExpiryTime;
}
public async Task Permissions_ShouldContainGetObject(
string roleArn,
AssumeRoleResponse response,
Credentials credentials,
IAmazonSecurityTokenService stsClient
)
{
using var generation = await project.GenerateAssembly();
var iamDocText = await File.ReadAllTextAsync(IamDocPath);
var permissions = iamDocText.ToString().Split('\n');
permissions.Should().Contain("s3:GetObject");
}
public async Task EmittedFactories_DoNotPerformAssumeRole_IfNoArnGiven(
IAmazonSecurityTokenService stsClient
)
{
using var generation = await project.GenerateAssembly();
var(assembly, _) = generation;
var factoryType = assembly.GetType("Lambdajection.CompilationTests.AmazonFactories.Handler+LambdajectionConfigurator+S3Factory");
var factory = (IAwsFactory <IAmazonS3>)Activator.CreateInstance(factoryType !, new object[] { stsClient }) !;
var result = await factory.Create();
result.Should().NotBeNull();
await stsClient.DidNotReceive().AssumeRoleAsync(Any <AssumeRoleRequest>());
}
public async Task EmittedFactories_ThrowsIfCancellationRequested(
IAmazonSecurityTokenService stsClient
)
{
using var generation = await project.GenerateAssembly();
var(assembly, _) = generation;
var factoryType = assembly.GetType("Lambdajection.CompilationTests.AmazonFactories.Handler+LambdajectionConfigurator+S3Factory");
var factory = (IAwsFactory <IAmazonS3>)Activator.CreateInstance(factoryType !, new object[] { stsClient }) !;
var cancellationToken = new CancellationToken(true);
Func <Task> func = async() => await factory.Create(cancellationToken : cancellationToken);
await func.Should().ThrowAsync <OperationCanceledException>();
await stsClient.DidNotReceive().AssumeRoleAsync(Any <AssumeRoleRequest>());
}
public async Task GeneratedTemplate_ShouldHaveHandlerRole(
string roleArn,
AssumeRoleResponse response,
Credentials credentials,
IAmazonSecurityTokenService stsClient
)
{
var deserializer = new DeserializerBuilder()
.WithNodeDeserializer(new IntrinsicNodeDeserializer())
.WithNodeTypeResolver(new IntrinsicNodeTypeResolver())
.Build();
using var generation = await project.GenerateAssembly();
var templateText = await File.ReadAllTextAsync(TemplatePath);
var template = deserializer.Deserialize <dynamic>(templateText.ToString());
((string)template["Resources"]["HandlerRole"]["Type"]).Should().Be("AWS::IAM::Role");
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(string unAuthRoleArn, string authRoleArn,
AbstractCognitoIdentityProvider idClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(unAuthRoleArn) && string.IsNullOrEmpty(authRoleArn))
{
throw new InvalidOperationException("At least one of unAuthRoleArn or authRoleArn must be specified");
}
if (idClient == null)
{
throw new ArgumentNullException("idClient");
}
if (stsClient == null)
{
throw new ArgumentNullException("stsClient");
}
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
IdentityProvider = idClient;
sts = stsClient;
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(string unAuthRoleArn, string authRoleArn,
AbstractCognitoIdentityProvider idClient, IAmazonSecurityTokenService stsClient)
{
if (idClient == null)
{
throw new ArgumentNullException("idClient");
}
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
IdentityProvider = idClient;
sts = stsClient;
#if UNITY_WEBPLAYER
_persistentStore = new InMemoryKVStore();
#else
_persistentStore = new SQLiteKVStore();
#endif
//Load cached credentials
string cachedIdentity = _persistentStore.Get(namespacedKey(ID_KEY));
if (string.IsNullOrEmpty(cachedIdentity))
{
//Try to recover unamespaced identities stored by old versions of the SDK
cachedIdentity = _persistentStore.Get(ID_KEY);
}
if (!string.IsNullOrEmpty(cachedIdentity))
{
IdentityProvider.UpdateIdentity(cachedIdentity);
loadCachedCredentials();
}
//Register Identity Changed Listener to update the cache
IdentityProvider.IdentityChangedEvent += delegate(object sender, IdentityChangedArgs e)
{
saveCredentials();
AmazonLogging.Log(AmazonLogging.AmazonLoggingLevel.Verbose, "CognitoAWSCredentials", "Saved identityID to LocalStorage");
};
}
public async Task Role_ShouldNotHaveEmptyPolicy(
string roleArn,
AssumeRoleResponse response,
Credentials credentials,
IAmazonSecurityTokenService stsClient
)
{
using var generation = await project.GenerateAssembly();
var templateText = await File.ReadAllTextAsync(TemplatePath);
var template = new DeserializerBuilder()
.WithTagMapping("!GetAtt", typeof(GetAttTag))
.WithTagMapping("!Sub", typeof(SubTag))
.WithTypeConverter(new GetAttTagConverter())
.WithTypeConverter(new SubTagConverter())
.Build()
.Deserialize <dynamic>(templateText.ToString());
var props = (Dictionary <object, object>)template["Resources"]["HandlerRole"]["Properties"] !;
props.Should().NotContainKey("Policies");
}
protected override void ProcessRecord()
{
base.ProcessRecord();
Client = CreateClient(_CurrentCredentials, _RegionEndpoint);
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(
string accountId, string identityPoolId,
string unAuthRoleArn, string authRoleArn,
IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(identityPoolId)) throw new ArgumentNullException("identityPoolId");
if (cibClient == null) throw new ArgumentNullException("cibClient");
if ((unAuthRoleArn != null || authRoleArn != null) && stsClient == null) throw new ArgumentNullException("stsClient");
AccountId = accountId;
IdentityPoolId = identityPoolId;
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
Logins = new Dictionary<string, string>(StringComparer.Ordinal);
cib = cibClient;
sts = stsClient;
//check cache for identity id
string cachedIdentity = GetCachedIdentityId();
if (!string.IsNullOrEmpty(cachedIdentity))
{
UpdateIdentity(cachedIdentity);
//update the credentials from cache
_currentState = GetCachedCredentials();
}
}
/// <summary>
/// Constructs a new SQLiteCognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public SQLiteCognitoAWSCredentials(string accountId, string identityPoolId, string unAuthRoleArn, string authRoleArn, IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
: base(accountId, identityPoolId, unAuthRoleArn, authRoleArn, cibClient, stsClient) { }
public TenantSecurity(IAmazonSecurityTokenService sts, ClaimsPrincipal claims)
{
_sts = sts;
_claims = claims;
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CachingCognitoAWSCredentials(string unAuthRoleArn, string authRoleArn,
AbstractCognitoIdentityProvider idClient, IAmazonSecurityTokenService stsClient)
: base(unAuthRoleArn, authRoleArn, idClient, stsClient)
{
}
/// <summary>
/// Constructs a new CognitoAWSCredentials instance, which will use the
/// specified Amazon Cognito identity pool to make a requests to the
/// AWS Security Token Service (STS) to request short lived session credentials.
/// </summary>
/// <param name="accountId">The AWS accountId for the account with Amazon Cognito</param>
/// <param name="identityPoolId">The Amazon Cogntio identity pool to use</param>
/// <param name="unAuthRoleArn">The ARN of the IAM Role that will be assumed when unauthenticated</param>
/// <param name="authRoleArn">The ARN of the IAM Role that will be assumed when authenticated</param>
/// <param name="cibClient">Preconfigured Cognito Identity client to make requests with</param>
/// <param name="stsClient">>Preconfigured STS client to make requests with</param>
public CognitoAWSCredentials(
string accountId, string identityPoolId,
string unAuthRoleArn, string authRoleArn,
IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(identityPoolId)) throw new ArgumentNullException("identityPoolId");
if (cibClient == null) throw new ArgumentNullException("cibClient");
if (stsClient == null) throw new ArgumentNullException("stsClient");
AccountId = accountId;
IdentityPoolId = identityPoolId;
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
Logins = new Dictionary<string, string>(StringComparer.Ordinal);
cib = cibClient;
sts = stsClient;
}
public DotnetCognitoAWSCredentials(string accountId, string identityPoolId, string unAuthRoleArn, string authRoleArn, IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient) : base(accountId, identityPoolId, unAuthRoleArn, authRoleArn, cibClient, stsClient)
{
}
private Amazon.SecurityToken.Model.DecodeAuthorizationMessageResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.DecodeAuthorizationMessageRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service (STS)", "DecodeAuthorizationMessage");
try
{
#if DESKTOP
return(client.DecodeAuthorizationMessage(request));
#elif CORECLR
return(client.DecodeAuthorizationMessageAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
/// <summary>
/// Constructs an <see cref="AmazonEC2Client" /> instance with the
/// temporary details generated from role assumption.
/// </summary>
/// <param name="explicitCredentials">
/// An instance of <see cref="AWSCredentials" /> containing explicitly
/// declared credentials (i.e. from the command line). Can be null.
/// </param>
/// <param name="amazonEC2Config">
/// An instance of <see cref="AmazonEC2Config" />.
/// </param>
/// <param name="roleArn">
/// An IAM role ARN to assume.
/// </param>
/// <returns>
/// A configured instance of <see cref="AmazonEC2Client" />.
/// </returns>
private AmazonEC2Client AssumeRoleAndCreateEC2Client(
AWSCredentials explicitCredentials,
AmazonEC2Config amazonEC2Config,
string roleArn)
{
AmazonEC2Client toReturn = null;
AmazonSecurityTokenServiceConfig amazonSecurityTokenServiceConfig =
new AmazonSecurityTokenServiceConfig()
{
// Nothing for now...
};
IAmazonSecurityTokenService amazonSecurityTokenService = null;
// Explcit credentials supplied?
if (explicitCredentials == null)
{
this.loggingProvider.Debug(
$"No explicit credentials provided. Creating an " +
$"instance of the " +
$"{nameof(AmazonSecurityTokenServiceClient)} using " +
"credentials stored in the credentials file...");
// Nope. Use the credentials file.
amazonSecurityTokenService =
new AmazonSecurityTokenServiceClient(
amazonSecurityTokenServiceConfig);
}
else
{
this.loggingProvider.Debug(
$"Explicit credentials provided. Creating an instance " +
$"of the {nameof(AmazonSecurityTokenServiceClient)} " +
$"using these details...");
// Yep.
amazonSecurityTokenService =
new AmazonSecurityTokenServiceClient(
explicitCredentials,
amazonSecurityTokenServiceConfig);
}
this.loggingProvider.Info(
$"Instance of {nameof(AmazonSecurityTokenServiceClient)} " +
$"established.");
this.loggingProvider.Debug(
$"Parsing role ARN \"{roleArn}\" to create the session " +
$"name...");
// Just use the latter part of the ARN as the session name.
string roleSessionName = roleArn.Split('/')
.Last();
this.loggingProvider.Info(
$"Session name created from ARN: \"{roleSessionName}\".");
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
{
RoleArn = roleArn,
RoleSessionName = roleSessionName
};
this.loggingProvider.Debug(
$"Pulling back credentials from " +
$"{nameof(AmazonSecurityTokenServiceClient)} by assuming " +
$"specified role...");
// Get the temporary credentials using the specified role.
AssumeRoleResponse assumeRoleResponse =
amazonSecurityTokenService.AssumeRole(assumeRoleRequest);
Credentials roleCreds = assumeRoleResponse.Credentials;
this.loggingProvider.Info(
$"Credentials returned. Access ID: " +
$"\"{roleCreds.AccessKeyId}\". Returning " +
$"an instance of {nameof(AmazonEC2Client)}.");
toReturn = new AmazonEC2Client(
roleCreds,
amazonEC2Config);
return(toReturn);
}
