Implementation for accessing SecurityTokenService AWS Security Token Service

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Using Temporary Security Credentials.

As an alternative to using the API, you can use one of the AWS SDKs, which consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to STS. For example, the SDKs take care of cryptographically signing requests, managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.

For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about the Query API, go to Making Query Requests in Using IAM. For information about using security tokens with other AWS products, go to Using Temporary Security Credentials to Access AWS in Using Temporary Security Credentials.

If you're new to AWS and need additional technical information about a specific AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/.

Endpoints

The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com that maps to the US East (N. Virginia) region. Additional regions are available, but must first be activated in the AWS Management Console before you can use a different region's endpoint. For more information about activating a region for STS see Activating STS in a New Region in the Using Temporary Security Credentials guide.

For information about STS endpoints, see Regions and Endpoints in the AWS General Reference.

Recording API requests

STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine what requests were successfully made to STS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

Inheritance: AmazonUnityServiceClient, IAmazonSecurityTokenService
        public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole)
        {
            string[] role = awsRole.Split(',');

            AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest();
            samlRequest.SAMLAssertion = samlAssertion;
            samlRequest.RoleArn = role[1];
            samlRequest.PrincipalArn = role[0];
            samlRequest.DurationSeconds = 3600;

            AmazonSecurityTokenServiceClient sts;
            AssumeRoleWithSAMLResponse samlResponse;
            try {
                sts = new AmazonSecurityTokenServiceClient();
                samlResponse = sts.AssumeRoleWithSAML(samlRequest);
            }
            catch
            {
                sts = new AmazonSecurityTokenServiceClient("a", "b", "c");
                samlResponse = sts.AssumeRoleWithSAML(samlRequest);
            }

            SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
                samlResponse.Credentials.AccessKeyId,
                samlResponse.Credentials.SecretAccessKey,
                samlResponse.Credentials.SessionToken);

            return sessionCredentials;
        }
Esempio n. 2
0
        static async Task Main()
        {
            // Create the SecurityToken client and then display the identity of the
            // default user.
            var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole";

            var client = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(REGION);

            // Get and display the information about the identity of the default user.
            var callerIdRequest = new GetCallerIdentityRequest();
            var caller          = await client.GetCallerIdentityAsync(callerIdRequest);

            Console.WriteLine($"Original Caller: {caller.Arn}");

            // Create the request to use with the AssumeRoleAsync call.
            var assumeRoleReq = new AssumeRoleRequest()
            {
                DurationSeconds = 1600,
                RoleSessionName = "Session1",
                RoleArn         = roleArnToAssume
            };

            var assumeRoleRes = await client.AssumeRoleAsync(assumeRoleReq);

            // Now create a new client based on the credentials of the caller assuming the role.
            var client2 = new AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Credentials);

            // Get and display information about the caller that has assumed the defined role.
            var caller2 = await client2.GetCallerIdentityAsync(callerIdRequest);

            Console.WriteLine($"AssumedRole Caller: {caller2.Arn}");
        }
Esempio n. 3
0
        private void CreateAndCheckTestBucket()
        {
            TestBucketIsReady = false;
            USEast1Client = new AmazonS3Client(RegionEndpoint.USEast1);
            USWest1Client = new AmazonS3Client(RegionEndpoint.USWest1);
            var sessionCredentials = new AmazonSecurityTokenServiceClient().GetSessionToken().Credentials;
            USEast1ClientWithSessionCredentials = new AmazonS3Client(sessionCredentials, RegionEndpoint.USEast1);

            TestBucket = USWest1Client.ListBuckets().Buckets.Find(bucket => bucket.BucketName.StartsWith(BucketPrefix));
            if (TestBucket == null)
            {
                // add ticks to bucket name because the bucket namespace is shared globally
                var bucketName = BucketPrefix + DateTime.Now.Ticks;
                // Create the bucket but don't run the test.
                // If the bucket is ready the next time this test runs we'll test then.
                USWest1Client.PutBucket(new PutBucketRequest()
                {
                    BucketRegion = S3Region.USW1,
                    BucketName = bucketName,
                });
            }
            else if (TestBucket.CreationDate.AddHours(TemporaryRedirectMaxExpirationHours) < DateTime.Now)
            {
                BucketRegionDetector.BucketRegionCache.Clear();
                TestBucketIsReady = true;
            }
        }
        static void Main(string[] args)
        {
            var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole";
            var principalArn    = "arn:aws:iam::123456789012:saml-provider/testSamlProvider";

            string base64SamlFile = "saml.xml.b64";

            if (File.Exists(base64SamlFile))
            {
                string samlAssertion = File.ReadAllText(base64SamlFile);

                var stsClient1 = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());

                var assumeRoleReq = new AssumeRoleWithSAMLRequest();
                assumeRoleReq.DurationSeconds = 3600;
                assumeRoleReq.RoleArn         = roleArnToAssume;
                assumeRoleReq.PrincipalArn    = principalArn;
                assumeRoleReq.SAMLAssertion   = samlAssertion;

                var assumeRoleRes = GetAssumeRoleWithSAMLResponseAsync(client: stsClient1, request: assumeRoleReq);

                var stsClient2          = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Result.Credentials);
                var getCallerIdReq      = new GetCallerIdentityRequest();
                var assumedRoleIdentity = GetCallerIdentityResponseAsync(client: stsClient2, request: getCallerIdReq);
                Console.WriteLine("AssumedRole Caller: " + assumedRoleIdentity.Result.Arn.ToString());
            }
            else
            {
                Console.WriteLine("Base64 Encoded SAML File: " + base64SamlFile + " does not exist in this directory.");
            }
        }
        static void Main(string[] args)
        {
            var client         = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient();
            var getCallerIdReq = new GetCallerIdentityRequest();
            var caller         = GetCallerIdentityResponseAsync(client: client, request: getCallerIdReq);

            Console.WriteLine("Caller Identity ARN: " + caller.Result.Arn.ToString());
        }
		public override void ViewDidLoad ()
		{
			base.ViewDidLoad ();
			
			var client = new AmazonSecurityTokenServiceClient (new BasicAWSCredentials (ACCESS_KEY, SECRET_KEY), Amazon.RegionEndpoint.USEast1);
			var response = client.GetSessionToken ();

			Console.WriteLine (response.Credentials.AccessKeyId);
		}
Esempio n. 7
0
 public void HappyCaseWithSessionToken()
 {
     var stsClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.USWest2);
     var response = stsClient.GetSessionToken(new GetSessionTokenRequest
     {
         DurationSeconds = 900
     });
     AssertPreSignedUrl(SynthesizeSpeechUtil.GeneratePresignedUrl(response.Credentials, RegionEndpoint.USWest2, GetRequest()));
 }
        public virtual Credentials AppMode_AssumeRole(AmazonSecurityTokenServiceClient stsClient, string roleArn,
            string roleSessionName)
        {
            Credentials credentials = null;

            var assumeRoleRequest = new AssumeRoleRequest
            {
                RoleArn = roleArn,
                RoleSessionName = roleSessionName
            };

            bool retry;
            int sleepSeconds = 3;

            DateTime startTime = DateTime.Now;
            do
            {
                try
                {
                    AssumeRoleResponse assumeRoleResponse = stsClient.AssumeRole(assumeRoleRequest);
                    credentials = assumeRoleResponse.Credentials;

                    retry = false;
                }
                catch (AmazonServiceException ase)
                {
                    if (ase.ErrorCode.Equals("AccessDenied"))
                    {
                        if (sleepSeconds > 20)
                        {
                            // If we've gotten here it's because we've retried a few times and are still getting the same error.
                            // Just rethrow the error to stop waiting. The exception will bubble up.
                            Console.WriteLine(" [Aborted AssumeRole Operation]");
                            retry = false;
                        }
                        else
                        {
                            // Write a period to the screen so we have a visual indication that we're in our retry logic.
                            Console.Write(".");
                            // Sleep before retrying.
                            Thread.Sleep(TimeSpan.FromSeconds(sleepSeconds));
                            // Increment the retry interval.
                            sleepSeconds = sleepSeconds*3;
                            retry = true;
                        }
                    }
                    else
                    {
                        throw;
                    }
                }
            } while (retry);

            return credentials;
        }
 protected virtual void Dispose(bool disposing)
 {
     if (!_isDisposed)
     {
         if (disposing && _stsClient != null)
         {
             _stsClient.Dispose();
             _stsClient = null;
         }
         _isDisposed = true;
     }
 }
 public STSAssumeRoleAWSCredentials(AssumeRoleWithSAMLRequest assumeRoleWithSamlRequest)
     : this()
 {
     //IL_0015: Unknown result type (might be due to invalid IL or missing references)
     //IL_001f: Expected O, but got Unknown
     if (assumeRoleWithSamlRequest == null)
     {
         throw new ArgumentNullException("assumeRoleWithSamlRequest");
     }
     _stsClient         = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
     _assumeSamlRequest = assumeRoleWithSamlRequest;
     this.set_PreemptExpiryTime(_defaultPreemptExpiryTime);
 }
 public STSAssumeRoleAWSCredentials(IAmazonSecurityTokenService sts, AssumeRoleRequest assumeRoleRequest)
     : this()
 {
     if (sts == null)
     {
         throw new ArgumentNullException("sts");
     }
     if (assumeRoleRequest == null)
     {
         throw new ArgumentNullException("assumeRoleRequest");
     }
     _stsClient     = (AmazonSecurityTokenServiceClient)sts;
     _assumeRequest = assumeRoleRequest;
     this.set_PreemptExpiryTime(_defaultPreemptExpiryTime);
 }
Esempio n. 12
0
		protected override void OnCreate (Bundle bundle)
		{
			base.OnCreate (bundle);

			// Set our view from the "main" layout resource
			SetContentView (Resource.Layout.Main);

			// Get our button from the layout resource,
			// and attach an event to it
			Button button = FindViewById<Button> (Resource.Id.myButton);
			
			button.Click += delegate
			{
				button.Text = string.Format ("{0} clicks!", count++);
			};

			var client = new AmazonSecurityTokenServiceClient (new BasicAWSCredentials (ACCESS_KEY, SECRET_KEY), Amazon.RegionEndpoint.USEast1);
			var response = client.GetSessionToken ();

			Console.WriteLine (response.Credentials.AccessKeyId);
		}
Esempio n. 13
0
        static void Main(string[] args)
        {
            var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole";

            var client         = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient();
            var getCallerIdReq = new GetCallerIdentityRequest();
            var caller         = GetCallerIdentityResponseAsync(client: client, request: getCallerIdReq);

            Console.WriteLine("Original Caller: " + caller.Result.Arn.ToString());

            var assumeRoleReq = new AssumeRoleRequest();

            assumeRoleReq.DurationSeconds = 1600;
            assumeRoleReq.RoleSessionName = "Session1";
            assumeRoleReq.RoleArn         = roleArnToAssume;
            var assumeRoleRes = GetAssumeRoleResponseAsync(client: client, request: assumeRoleReq);

            var client2 = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Result.Credentials);
            var caller2 = GetCallerIdentityResponseAsync(client: client2, request: getCallerIdReq);

            Console.WriteLine("AssumedRole Caller: " + caller2.Result.Arn.ToString());
        }
Esempio n. 14
0
 AssumeRoleWithWebIdentityResponse GetAssumeRoleWithWebIdentityResponse(
     AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest)
 {
     // Start with Anonymous AWS Credentials and get temporary credentials.
     var stsClient = new AmazonSecurityTokenServiceClient(
                             new AnonymousAWSCredentials());
     assumeRoleWithWebIdentityRequest.DurationSeconds = 3600;
     assumeRoleWithWebIdentityRequest.RoleSessionName = "MySession";
     return stsClient.AssumeRoleWithWebIdentity(
                             assumeRoleWithWebIdentityRequest);
 }
Esempio n. 15
0
        public Deployer(AwsConfiguration awsConfiguration)
        {
            _awsEndpoint = awsConfiguration.AwsEndpoint;
            _bucket = awsConfiguration.Bucket;
            _assumeRoleTrustDocument = awsConfiguration.AssumeRoleTrustDocument;
            _iamRolePolicyDocument = awsConfiguration.IamRolePolicyDocument;

            AWSCredentials credentials;

            if (isArn(awsConfiguration.RoleName))
            {
                var securityTokenServiceClient = new AmazonSecurityTokenServiceClient(awsConfiguration.AwsEndpoint);

                var assumeRoleResult = securityTokenServiceClient.AssumeRole(new AssumeRoleRequest
                {
                    RoleArn = awsConfiguration.RoleName,
                    DurationSeconds = 3600,
                    RoleSessionName = "Net2User",
                    ExternalId = Guid.NewGuid().ToString()
                });

                Credentials stsCredentials = assumeRoleResult.Credentials;

                SessionAWSCredentials sessionCredentials =
                          new SessionAWSCredentials(stsCredentials.AccessKeyId,
                                                    stsCredentials.SecretAccessKey,
                                                    stsCredentials.SessionToken);

                credentials = sessionCredentials;

                _role = new AssumedRole(assumeRoleResult.AssumedRoleUser);
            }
            else {
                credentials = awsConfiguration.Credentials ?? new EnvironmentAWSCredentials();
            }

            _codeDeployClient = new AmazonCodeDeployClient(
                credentials,
                new AmazonCodeDeployConfig {
                    RegionEndpoint = awsConfiguration.AwsEndpoint,
                    ProxyHost = awsConfiguration.ProxyHost,
                    ProxyPort = awsConfiguration.ProxyPort
                });

            _cloudFormationClient = new AmazonCloudFormationClient(
                credentials,
                new AmazonCloudFormationConfig {
                    RegionEndpoint = awsConfiguration.AwsEndpoint,
                    ProxyHost = awsConfiguration.ProxyHost,
                    ProxyPort = awsConfiguration.ProxyPort
                });

            _s3Client = new AmazonS3Client(
                credentials,
                new AmazonS3Config {
                    RegionEndpoint = awsConfiguration.AwsEndpoint,
                    ProxyHost = awsConfiguration.ProxyHost,
                    ProxyPort = awsConfiguration.ProxyPort
                });

            _iamClient = new AmazonIdentityManagementServiceClient(
                credentials,
                new AmazonIdentityManagementServiceConfig  {
                    RegionEndpoint = awsConfiguration.AwsEndpoint,
                    ProxyHost = awsConfiguration.ProxyHost,
                    ProxyPort = awsConfiguration.ProxyPort
                });

            _autoScalingClient = new AmazonAutoScalingClient(
                credentials,
                new AmazonAutoScalingConfig {
                    RegionEndpoint = awsConfiguration.AwsEndpoint,
                    ProxyHost = awsConfiguration.ProxyHost,
                    ProxyPort = awsConfiguration.ProxyPort
                });
        }
Esempio n. 16
0
        /// <summary>
        ///     Perform the AppMode operations by assuming the dev and prod roles, and checking for permissions.
        /// </summary>
        /// <param name="labVariables">The data.</param>
        public void AppMode_Run(LabVariables labVariables)
        {
            var credentials = new BasicAWSCredentials(
                ConfigurationManager.AppSettings["appModeAWSAccessKey"],
                ConfigurationManager.AppSettings["appModeAWSSecretKey"]);

            Credentials devCredentials = null, prodCredentials = null;

            using (var stsClient = new AmazonSecurityTokenServiceClient(credentials, RegionEndpoint))
            {
                Console.WriteLine("Assuming developer role to retrieve developer session credentials.");
                devCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.DevelopmentRoleArn, "dev_session");
                if (devCredentials == null)
                {
                    Console.WriteLine("No developer credentials returned. AccessDenied.");
                    return;
                }

                Console.WriteLine("\nAssuming production role to retrieve production session credentials.");

                prodCredentials = LabCode.AppMode_AssumeRole(stsClient, labVariables.ProductionRoleArn, "prod_session");
                if (prodCredentials == null)
                {
                    Console.WriteLine("No production credentials returned. AccessDenied.");
                    return;
                }
            }

            using (var devS3Client = LabCode.AppMode_CreateS3Client(devCredentials, RegionEndpoint))
            {
                using (var prodS3Client = LabCode.AppMode_CreateS3Client(prodCredentials, RegionEndpoint))
                {
                    Console.WriteLine("\nTesting Developer Session...");
                    var devSession = new SessionAWSCredentials(
                        devCredentials.AccessKeyId,
                        devCredentials.SecretAccessKey,
                        devCredentials.SessionToken);

                    Console.WriteLine("  IAM: {0}",
                        OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, devSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  SQS: {0}",
                        OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, devSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  SNS: {0}",
                        OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, devSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  S3:");
                    foreach (string bucketName in labVariables.BucketNames)
                    {
                        TestS3Client(devS3Client, bucketName);
                    }

                    Console.WriteLine("\nTesting Production Session...");
                    var prodSession = new SessionAWSCredentials(
                        prodCredentials.AccessKeyId,
                        prodCredentials.SecretAccessKey,
                        prodCredentials.SessionToken);

                    Console.WriteLine("  IAM: {0}",
                        OptionalLabCode.AppMode_TestIamAccess(RegionEndpoint, prodSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  SQS: {0}",
                        OptionalLabCode.AppMode_TestSqsAccess(RegionEndpoint, prodSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  SNS: {0}",
                        OptionalLabCode.AppMode_TestSnsAccess(RegionEndpoint, prodSession)
                            ? "Accessible."
                            : "Inaccessible.");
                    Console.WriteLine("  S3:");
                    foreach (string bucketName in labVariables.BucketNames)
                    {
                        TestS3Client(prodS3Client, bucketName);
                    }
                }
            }
        }
Esempio n. 17
0
 public void SetupClient(Hashtable State)
 {
     //Creating AmazonSecurityTokenServiceClient, using Access and Secret keys from web.config
     AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient();
     //Creating RefreshingSessionAWSCredentials and initializing AmazonDynamoDBClient
     RefreshingSessionAWSCredentials sessionCredentials = new RefreshingSessionAWSCredentials(stsClient);
     State["DynamoDBClient"] = new AmazonDynamoDBClient(sessionCredentials);
 }
Esempio n. 18
0
        private static AmazonSecurityTokenService ConstructSTSClient(AWSCredentials credentials, AmazonSecurityTokenServiceConfig config)
        {
            using (ImmutableCredentials immmutableCredentials = credentials.GetCredentials())
            {
                if (immmutableCredentials.UseToken)
                    throw new ArgumentException("Session credentials cannot be used to create refreshing session credentials");

                AmazonSecurityTokenServiceClient stsClient;
                if (immmutableCredentials.UseSecureStringForSecretKey)
                {
                    stsClient = new AmazonSecurityTokenServiceClient(immmutableCredentials.AccessKey, GetClearSecretKey(immmutableCredentials.SecureSecretKey), config);
                }
                else
                {
                    stsClient = new AmazonSecurityTokenServiceClient(immmutableCredentials.AccessKey, immmutableCredentials.ClearSecretKey, config);
                }
                return stsClient;
            }
        }
Esempio n. 19
0
 /// <summary>
 ///     Assume the specified role.
 ///     Hint: Use the AssumeRole() method of the client object.
 ///     Optional: You may see an eventual consistency issue here. The AssumeRole permissions may not
 ///     have propagated through the system yet which could prevent us from assuming the role. Check for
 ///     an AmazonServiceException with an ErrorCode of "AccessDenied" and retry the assume role operation
 ///     after a short wait (with exponential back-off on retries). If you decide to stop retrying,
 ///     return null.
 /// </summary>
 /// <param name="stsClient">The STS client object.</param>
 /// <param name="roleArn">The ARN of the role to assume.</param>
 /// <param name="roleSessionName">The name to use as the role session name.</param>
 /// <returns>The role credentials, or null if there was a problem.</returns>
 public override Credentials AppMode_AssumeRole(AmazonSecurityTokenServiceClient stsClient, string roleArn,
     string roleSessionName)
 {
     //TODO: Replace this call to the base class with your own method implementation.
     return base.AppMode_AssumeRole(stsClient, roleArn, roleSessionName);
 }