public async Task TestAssumeRoleWithWebIdentityCredentialsPropertiesUsedInAsyncSTSCallAsync() { #region Setup // Set up request variables var dummyToken = "dummyToken"; var dummyRoleArn = "dummyRoleArn"; var dummyRoleSessionName = "dummyRoleSessionName"; var dummyOptions = new AssumeRoleWithWebIdentityCredentialsOptions(); var currentDirectory = Directory.GetCurrentDirectory(); var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt"); File.WriteAllText(webIdentityTokenFilePath, dummyToken); var equalityCheck = new Func <AssumeRoleWithWebIdentityRequest, bool>(req => { return(req.DurationSeconds.Equals(dummyOptions.DurationSeconds ?? 0) && string.Equals(req.Policy, dummyOptions.Policy) && Equals(req.PolicyArns, dummyOptions.PolicyArns) && Equals(req.ProviderId, dummyOptions.ProviderId) && req.RoleArn.Equals(dummyRoleArn) && req.RoleSessionName.Equals(dummyRoleSessionName) && req.WebIdentityToken.Equals(dummyToken)); }); var envVariables = new Dictionary <string, string>() { { AssumeRoleWithWebIdentityCredentials.WebIdentityTokenFileEnvVariable, webIdentityTokenFilePath }, { AssumeRoleWithWebIdentityCredentials.RoleArnEnvVariable, dummyRoleArn }, { AssumeRoleWithWebIdentityCredentials.RoleSessionNameEnvVariable, dummyRoleSessionName }, }; // Set up response var dummyAccessKeyId = "dummyAccessKeyId"; var dummySecretAccessKey = "dummySecretAccessKey"; var dummySessionToken = "dummySessionToken"; var dummyExpiration = DateTime.UtcNow.AddDays(1); var forcedResponse = new AssumeRoleWithWebIdentityResponse() { Credentials = new Credentials(dummyAccessKeyId, dummySecretAccessKey, dummySessionToken, dummyExpiration) }; // Setup service client mock var mock = new Mock <AmazonSecurityTokenServiceClient>(); Expression <Func <AmazonSecurityTokenServiceClient, Task <AssumeRoleWithWebIdentityResponse> > > stsCall = c => c.AssumeRoleWithWebIdentityAsync(It.Is <AssumeRoleWithWebIdentityRequest>(req => equalityCheck(req)), new System.Threading.CancellationToken()); mock.Setup(stsCall).Returns(Task.FromResult(forcedResponse)); // Setup credentials using (var testCredentials = new AssumeRoleWithWebIdentityTestCredentials(webIdentityTokenFilePath, dummyRoleArn, dummyRoleSessionName, dummyOptions) { Client = mock.Object }) { using (new FallbackFactoryTestFixture(ProfileText, "default", envVariables)) { #endregion Setup #region Act await testCredentials.GetCredentialsAsync().ConfigureAwait(false); #endregion Act } } // Verify that the credential properties were used for the STS call mock.Verify(stsCall, Times.Once); }
public async void TestAssumeRoleWithWebIdentityCredentialsUsesAnonymousAWSCredentialsToFetch() { var user = await Client.GetUserAsync().ConfigureAwait(false); var createRoleRequest = new CreateRoleRequest() { RoleName = "DummyAccountRole", AssumeRolePolicyDocument = "{\"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"" + user.User.Arn + "\"},\"Action\": \"sts:AssumeRole\",\"Condition\": {}}]}" }; var role = await Client.CreateRoleAsync(createRoleRequest).ConfigureAwait(false); var dummyToken = "dummyToken"; var dummyRoleArn = role.Role.Arn; var dummyRoleSessionName = "dummyRoleSessionName"; var dummyOptions = new AssumeRoleWithWebIdentityCredentialsOptions(); var currentDirectory = Directory.GetCurrentDirectory(); var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt"); File.WriteAllText(webIdentityTokenFilePath, dummyToken); var webIdentityCredentials = new AssumeRoleWithWebIdentityCredentials(webIdentityTokenFilePath, dummyRoleArn, dummyRoleSessionName, dummyOptions); try { var fetchedCredentials = webIdentityCredentials.GetCredentials(); } catch (AmazonClientException e) { Assert.Equal("InvalidIdentityToken", ((AmazonServiceException)e.InnerException).ErrorCode); } finally { var deleteRoleRequest = new DeleteRoleRequest() { RoleName = role.Role.RoleName }; await Client.DeleteRoleAsync(deleteRoleRequest); } }
public AssumeRoleWithWebIdentityTestCredentials(AssumeRoleWithWebIdentityCredentials baseCreds, AssumeRoleWithWebIdentityCredentialsOptions options) : base(baseCreds.WebIdentityTokenFile, baseCreds.RoleArn, baseCreds.RoleSessionName, options) { Client = base.CreateClient(); }
public AssumeRoleWithWebIdentityTestCredentials(string webIdentityTokenFile, string roleArn, string roleSessionName, AssumeRoleWithWebIdentityCredentialsOptions options) : base(webIdentityTokenFile, roleArn, roleSessionName, options) { Client = base.CreateClient(); }
private AssumeRoleWithWebIdentityRequest SetupAssumeRoleWithWebIdentityRequest(string webIdentityToken, string roleArn, string roleSessionName, AssumeRoleWithWebIdentityCredentialsOptions options) { var request = new AssumeRoleWithWebIdentityRequest { WebIdentityToken = webIdentityToken, RoleArn = roleArn, RoleSessionName = roleSessionName }; if (options != null) { request.ProviderId = options.ProviderId; request.PolicyArns = options.PolicyArns?.Select((arn) => new PolicyDescriptorType { Arn = arn }).ToList(); request.Policy = options.Policy; if (options.DurationSeconds.HasValue) { request.DurationSeconds = options.DurationSeconds.Value; } } return(request); }
/// <summary> /// <see cref="ICoreAmazonSTS_WebIdentity"/> /// </summary> /// <param name="webIdentityToken">The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider.</param> /// <param name="roleArn">The Amazon Resource Name (ARN) of the role to assume.</param> /// <param name="roleSessionName">An identifier for the assumed role session.</param> /// <param name="options">Options to be used in the call to AssumeRole.</param> /// <returns>Immutable AssumeRoleCredentials</returns> async Task <AssumeRoleImmutableCredentials> ICoreAmazonSTS_WebIdentity.CredentialsFromAssumeRoleWithWebIdentityAuthenticationAsync(string webIdentityToken, string roleArn, string roleSessionName, AssumeRoleWithWebIdentityCredentialsOptions options) { var request = SetupAssumeRoleWithWebIdentityRequest(webIdentityToken, roleArn, roleSessionName, options); try { var response = await AssumeRoleWithWebIdentityAsync(request).ConfigureAwait(false); return(new AssumeRoleImmutableCredentials(response.Credentials.AccessKeyId, response.Credentials.SecretAccessKey, response.Credentials.SessionToken, response.Credentials.Expiration)); } catch (Exception e) { var msg = "Error calling AssumeRole for role " + roleArn; var exception = new AmazonClientException(msg, e); Logger.GetLogger(typeof(AmazonSecurityTokenServiceClient)).Error(exception, exception.Message); throw exception; } }