public static Credentials GetTemporaryCredentials(string policy)
{
var config = new AmazonSecurityTokenServiceConfig
{
RegionEndpoint = RegionEndpoint.APSoutheast2
};
var client = new AmazonSecurityTokenServiceClient(config);
var iamClient = new AmazonIdentityManagementServiceClient(
RegionEndpoint.APSoutheast2);
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
var role = iamClient.GetRole(
new GetRoleRequest()
{
RoleName = iamRoleName
});
var assumeRoleRequest = new AssumeRoleRequest()
{
RoleArn = role.Role.Arn,
RoleSessionName = Guid.NewGuid().ToString().Replace("-", ""),
DurationSeconds = 900
};
if (!string.IsNullOrEmpty(policy))
{
assumeRoleRequest.Policy = policy;
}
var assumeRoleResponse =
client.AssumeRole(assumeRoleRequest);
var credentials = assumeRoleResponse.Credentials;
return(credentials);
}
private static void Ec2IamTest()
{
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
var iamRole = EC2InstanceMetadata.GetData($"/iam/security-credentials/{iamRoleName}");
var iamCredentials = JsonConvert.DeserializeObject <IamRoleCredentials>(iamRole);
Console.WriteLine(iamCredentials.AccessKeyId);
Console.WriteLine(iamCredentials.Token);
var request = new AwsApiGatewayRequest()
{
RegionName = "ap-southeast-2",
Host = apiEndpoint,
AccessKey = iamCredentials.AccessKeyId,
SecretKey = iamCredentials.SecretAccessKey,
AbsolutePath = apiEndpointStaging,
JsonData = "245",
SessionToken = iamCredentials.Token,
RequestMethod = HttpMethod.Post
};
var apiRequest = new ApiRequest(request);
var response = apiRequest.GetResponse();
Console.WriteLine(response.ContentLength);
}
private IamRoleCredentials GetEc2Credential()
{
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
var iamRole = EC2InstanceMetadata.GetData($"/iam/security-credentials/{iamRoleName}");
var iamCredentials = JsonConvert.DeserializeObject <IamRoleCredentials>(iamRole);
return(iamCredentials);
}
protected override CredentialsRefreshState GenerateNewCredentials()
{
CredentialsRefreshState newState = null;
var token = EC2InstanceMetadata.FetchApiToken();
try
{
// Attempt to get early credentials. OK to fail at this point.
newState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials));
logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e);
}
// If successful, save new credentials
if (newState != null)
{
_currentRefreshState = newState;
}
// If still not successful (no credentials available at start), attempt once more to
// get credentials, but now without swallowing exception
if (_currentRefreshState == null)
{
try
{
_currentRefreshState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
}
// Return credentials that will expire in at most one hour
CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState);
return(state);
}
private bool IsRunningOnEc2()
{
bool isOnEc2 = false;
try
{
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
isOnEc2 = !string.IsNullOrEmpty(iamRoleName);
}
catch (Exception)
{
}
return(isOnEc2);
}
void MetadataFromPath()
{
foreach (var p in Path)
{
try
{
var output = EC2InstanceMetadata.GetData(p);
WriteObject(output, true);
}
catch (Exception e)
{
WriteError(new ErrorRecord(e, "PathNotFound", ErrorCategory.InvalidArgument, p));
}
}
}
/// <summary>
/// Retrieves a list of all roles available through current InstanceProfile service
/// </summary>
/// <returns></returns>
public static IEnumerable <string> GetAvailableRoles(IWebProxy proxy)
{
var token = EC2InstanceMetadata.FetchApiToken();
var allAliases = string.Empty;
try
{
allAliases = GetContents(RolesUri, proxy, CreateMetadataTokenHeaders(token));
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
if (string.IsNullOrEmpty(allAliases))
{
yield break;
}
string[] parts = allAliases.Split(AliasSeparators, StringSplitOptions.RemoveEmptyEntries);
foreach (var part in parts)
{
var trim = part.Trim();
if (!string.IsNullOrEmpty(trim))
{
yield return(trim);
}
}
}
public static string EvaluateAWSVariable(string variable)
{
if (!variable.StartsWith("{") || !variable.EndsWith("}"))
{
//Variable already evaluated
return(variable);
}
(string prefix, string variableNoPrefix) = Utility.SplitPrefix(variable.Substring(1, variable.Length - 2), ':');
switch (variableNoPrefix.ToLower())
{
case "instance_id":
return(EC2InstanceMetadata.InstanceId);
case "hostname":
return(EC2InstanceMetadata.Hostname);
default:
if ("ec2".Equals(prefix, StringComparison.CurrentCultureIgnoreCase))
{
if (!variableNoPrefix.StartsWith("/"))
{
variableNoPrefix = "/" + variableNoPrefix;
}
return(EC2InstanceMetadata.GetData(variableNoPrefix));
}
else if ("ec2tag".Equals(prefix, StringComparison.CurrentCultureIgnoreCase))
{
return(EC2Utility.GetTagValue(variableNoPrefix));
}
else
{
return(variable);
}
}
}
private static List <string> GetItems(string path, int tries, bool slurp, string token)
{
var items = new List <string>();
//For all meta-data queries we need to fetch an api token to use. In the event a
//token cannot be obtained we will fallback to not using a token.
Dictionary <string, string> headers = null;
if (token == null)
{
token = Amazon.Util.EC2InstanceMetadata.FetchApiToken();
}
if (!string.IsNullOrEmpty(token))
{
headers = new Dictionary <string, string>();
headers.Add(HeaderKeys.XAwsEc2MetadataToken, token);
}
try
{
if (!Amazon.Util.EC2InstanceMetadata.IsIMDSEnabled)
{
throw new IMDSDisabledException();
}
HttpWebRequest request;
if (path.StartsWith("http", StringComparison.Ordinal))
{
request = WebRequest.Create(path) as HttpWebRequest;
}
else
{
request = WebRequest.Create(EC2_METADATA_ROOT + path) as HttpWebRequest;
}
request.Timeout = (int)TimeSpan.FromSeconds(5).TotalMilliseconds;
request.UserAgent = _userAgent;
if (headers != null)
{
foreach (var header in headers)
{
request.Headers.Add(header.Key, header.Value);
}
}
using (var response = request.GetResponse())
{
using (var stream = new StreamReader(response.GetResponseStream()))
{
if (slurp)
{
items.Add(stream.ReadToEnd());
}
else
{
string line;
do
{
line = stream.ReadLine();
if (line != null)
{
items.Add(line.Trim());
}
}while (line != null);
}
}
}
}
catch (WebException wex)
{
var response = wex.Response as HttpWebResponse;
if (response != null)
{
if (response.StatusCode == HttpStatusCode.NotFound)
{
return(null);
}
else if (response.StatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
}
if (tries <= 1)
{
Logger.GetLogger(typeof(Amazon.EC2.Util.EC2Metadata)).Error(wex, "Unable to contact EC2 Metadata service.");
return(null);
}
PauseExponentially(tries);
return(GetItems(path, tries - 1, slurp, token));
}
catch (IMDSDisabledException)
{
// Keep this behavior identical to when HttpStatusCode.NotFound is returned.
return(null);
}
return(items);
}
protected override CredentialsRefreshState GenerateNewCredentials()
{
CredentialsRefreshState newState = null;
var token = EC2InstanceMetadata.FetchApiToken();
try
{
// Attempt to get early credentials. OK to fail at this point.
newState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
throw;
}
var logger = Logger.GetLogger(typeof(InstanceProfileAWSCredentials));
logger.InfoFormat("Error getting credentials from Instance Profile service: {0}", e);
// if we already have cached credentials, we'll continue to use those credentials,
// but try again to refresh them in 2 minutes.
if (null != _currentRefreshState)
{
#pragma warning disable CS0612 // Type or member is obsolete
var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(2);
#pragma warning restore CS0612 // Type or member is obsolete
_currentRefreshState = new CredentialsRefreshState(_currentRefreshState.Credentials.Copy(), newExpiryTime);
return(_currentRefreshState);
}
}
if (newState?.IsExpiredWithin(TimeSpan.Zero) == true)
{
// special case - credentials returned are expired
_logger.InfoFormat(_receivedExpiredCredentialsFromIMDS);
// use a custom refresh time
#pragma warning disable CS0612 // Type or member is obsolete
var newExpiryTime = AWSSDKUtils.CorrectedUtcNow.ToLocalTime() + TimeSpan.FromMinutes(new Random().Next(5, 16));
#pragma warning restore CS0612 // Type or member is obsolete
_currentRefreshState = new CredentialsRefreshState(newState.Credentials.Copy(), newExpiryTime);
return(_currentRefreshState);
}
// If successful, save new credentials
if (newState != null)
{
_currentRefreshState = newState;
}
// If still not successful (no credentials available at start), attempt once more to
// get credentials, but now without swallowing exception
if (_currentRefreshState == null)
{
try
{
_currentRefreshState = GetRefreshState(token);
}
catch (Exception e)
{
HttpStatusCode?httpStatusCode = ExceptionUtils.DetermineHttpStatusCode(e);
if (httpStatusCode == HttpStatusCode.Unauthorized)
{
EC2InstanceMetadata.ClearTokenFlag();
Logger.GetLogger(typeof(EC2InstanceMetadata)).Error(e, "EC2 Metadata service returned unauthorized for token based secure data flow.");
}
throw;
}
}
// Return credentials that will expire in at most one hour
CredentialsRefreshState state = GetEarlyRefreshState(_currentRefreshState);
return(state);
}
