public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole) { string[] role = awsRole.Split(','); AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest(); samlRequest.SAMLAssertion = samlAssertion; samlRequest.RoleArn = role[1]; samlRequest.PrincipalArn = role[0]; samlRequest.DurationSeconds = 3600; AmazonSecurityTokenServiceClient sts; AssumeRoleWithSAMLResponse samlResponse; try { sts = new AmazonSecurityTokenServiceClient(); samlResponse = sts.AssumeRoleWithSAML(samlRequest); } catch { sts = new AmazonSecurityTokenServiceClient("a", "b", "c"); samlResponse = sts.AssumeRoleWithSAML(samlRequest); } SessionAWSCredentials sessionCredentials = new SessionAWSCredentials( samlResponse.Credentials.AccessKeyId, samlResponse.Credentials.SecretAccessKey, samlResponse.Credentials.SessionToken); return sessionCredentials; }
/// <summary> /// Instantiates STSAssumeRoleAWSCredentials which automatically assumes a specified SAML role. /// The credentials are refreshed before expiration. /// </summary> /// <param name="assumeRoleWithSamlRequest">Configuration for the SAML role to assume.</param> public STSAssumeRoleAWSCredentials(AssumeRoleWithSAMLRequest assumeRoleWithSamlRequest) { if (assumeRoleWithSamlRequest == null) throw new ArgumentNullException("assumeRoleWithSamlRequest"); _stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials()); _assumeSamlRequest = assumeRoleWithSamlRequest; PreemptExpiryTime = _defaultPreemptExpiryTime; }
public object Execute(ExecutorContext context) { var cmdletContext = context as CmdletContext; // create request var request = new Amazon.SecurityToken.Model.AssumeRoleWithSAMLRequest(); if (cmdletContext.DurationInSeconds != null) { request.DurationSeconds = cmdletContext.DurationInSeconds.Value; } if (cmdletContext.Policy != null) { request.Policy = cmdletContext.Policy; } if (cmdletContext.PrincipalArn != null) { request.PrincipalArn = cmdletContext.PrincipalArn; } if (cmdletContext.RoleArn != null) { request.RoleArn = cmdletContext.RoleArn; } if (cmdletContext.SAMLAssertion != null) { request.SAMLAssertion = cmdletContext.SAMLAssertion; } CmdletOutput output; // issue call var client = Client ?? CreateClient(); try { var response = CallAWSServiceOperation(client, request); object pipelineOutput = cmdletContext.Select(response, this); output = new CmdletOutput { PipelineOutput = pipelineOutput, ServiceResponse = response }; } catch (Exception e) { output = new CmdletOutput { ErrorResponse = e }; } return(output); }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithSAML operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on AmazonSecurityTokenServiceClient.</param> /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param> /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> /// /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndAssumeRoleWithSAML /// operation.</returns> public IAsyncResult BeginAssumeRoleWithSAML(AssumeRoleWithSAMLRequest request, AsyncCallback callback, object state) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance; return BeginInvoke<AssumeRoleWithSAMLRequest>(request, marshaller, unmarshaller, callback, state); }
/// <summary> /// Returns a set of temporary security credentials for users who have been authenticated /// via a SAML authentication response. This operation provides a mechanism for tying /// an enterprise identity store or directory to role-based AWS access without user-specific /// credentials or configuration. /// /// /// <para> /// The temporary security credentials returned by this operation consist of an access /// key ID, a secret access key, and a security token. Applications can use these temporary /// security credentials to sign calls to AWS services. The credentials are valid for /// the duration that you specified when calling <code>AssumeRoleWithSAML</code>, which /// can be up to 3600 seconds (1 hour) or until the time specified in the SAML authentication /// response's <code>SessionNotOnOrAfter</code> value, whichever is shorter. /// </para> /// <note>The maximum duration for a session is 1 hour, and the minimum duration is 15 /// minutes, even if values outside this range are specified. </note> /// <para> /// Optionally, you can pass an IAM access policy to this operation. If you choose not /// to pass a policy, the temporary security credentials that are returned by the operation /// have the permissions that are defined in the access policy of the role that is being /// assumed. If you pass a policy to this operation, the temporary security credentials /// that are returned by the operation have the permissions that are allowed by both the /// access policy of the role that is being assumed, <i><b>and</b></i> the policy that /// you pass. This gives you a way to further restrict the permissions for the resulting /// temporary security credentials. You cannot use the passed policy to grant permissions /// that are in excess of those allowed by the access policy of the role that is being /// assumed. For more information, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html">Permissions /// for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>Using /// IAM</i>. /// </para> /// /// <para> /// Before your application can call <code>AssumeRoleWithSAML</code>, you must configure /// your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, /// you must use AWS Identity and Access Management (IAM) to create a SAML provider entity /// in your AWS account that represents your identity provider, and create an IAM role /// that specifies this SAML provider in its trust policy. /// </para> /// /// <para> /// Calling <code>AssumeRoleWithSAML</code> does not require the use of AWS security credentials. /// The identity of the caller is validated by using keys in the metadata document that /// is uploaded for the SAML provider entity for your identity provider. /// </para> /// /// <para> /// For more information, see the following resources: /// </para> /// <ul> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About /// SAML 2.0-based Federation</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating /// SAML Identity Providers</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring /// a Relying Party and Claims</a> in the <i>Using IAM</i>. </li> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating /// a Role for SAML 2.0 Federation</a> in the <i>Using IAM</i>. </li> </ul> <member name="RoleArn" /// target="arnType"></member> <member name="SAMLAssertion" target="SAMLAssertionType"></member> /// <member name="Policy" target="sessionPolicyDocumentType"></member> <member name="DurationSeconds" /// target="roleDurationSecondsType"></member> /// </summary> /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML service method.</param> /// /// <returns>The response from the AssumeRoleWithSAML service method, as returned by SecurityTokenService.</returns> /// <exception cref="Amazon.SecurityToken.Model.ExpiredTokenException"> /// The web identity token that was passed is expired or is not valid. Get a new identity /// token from the identity provider and then retry the request. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.IDPRejectedClaimException"> /// The identity provider (IdP) reported that authentication failed. This might be because /// the claim is invalid. /// /// /// <para> /// If this error is returned for the <code>AssumeRoleWithWebIdentity</code> operation, /// it can also mean that the claim has expired or has been explicitly revoked. /// </para> /// </exception> /// <exception cref="Amazon.SecurityToken.Model.InvalidIdentityTokenException"> /// The web identity token that was passed could not be validated by AWS. Get a new identity /// token from the identity provider and then retry the request. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.MalformedPolicyDocumentException"> /// The request was rejected because the policy document was malformed. The error message /// describes the specific error. /// </exception> /// <exception cref="Amazon.SecurityToken.Model.PackedPolicyTooLargeException"> /// The request was rejected because the policy document was too large. The error message /// describes how big the policy document is, in packed form, as a percentage of what /// the API allows. /// </exception> public AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance; return Invoke<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>(request, marshaller, unmarshaller); }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithSAML operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation.</param> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> /// <returns>The task object representing the asynchronous operation.</returns> public Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance; return InvokeAsync<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>(request, marshaller, unmarshaller, cancellationToken); }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithSAML operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on AmazonSecurityTokenServiceClient.</param> /// <param name="callback">An Action delegate that is invoked when the operation completes.</param> /// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> public void AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, AmazonServiceCallback<AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse> callback, AsyncOptions options = null) { options = options == null?new AsyncOptions():options; var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance; Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null; if(callback !=null ) callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => { AmazonServiceResult<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse> responseObject = new AmazonServiceResult<AssumeRoleWithSAMLRequest,AssumeRoleWithSAMLResponse>((AssumeRoleWithSAMLRequest)req, (AssumeRoleWithSAMLResponse)res, ex , ao.State); callback(responseObject); }; BeginInvoke<AssumeRoleWithSAMLRequest>(request, marshaller, unmarshaller, options, callbackHelper); }
IAsyncResult invokeAssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, AsyncCallback callback, object state, bool synchronized) { IRequest irequest = new AssumeRoleWithSAMLRequestMarshaller().Marshall(assumeRoleWithSAMLRequest); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance(); AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller); Invoke(result); return result; }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithSAML operation. /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithSAML"/> /// </summary> /// /// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML operation on /// AmazonSecurityTokenService.</param> /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param> /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback /// procedure using the AsyncState property.</param> /// /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking /// EndAssumeRoleWithSAML operation.</returns> public IAsyncResult BeginAssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, AsyncCallback callback, object state) { return invokeAssumeRoleWithSAML(assumeRoleWithSAMLRequest, callback, state, false); }
/// <summary> /// <para> Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This /// operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific /// credentials or configuration. </para> <para> The temporary security credentials returned by this operation consist of an access key ID, a /// secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services. The /// credentials are valid for the duration that you specified when calling <c>AssumeRoleWithSAML</c> , which can be up to 3600 seconds (1 hour) /// or until the time specified in the SAML authentication response's <c>NotOnOrAfter</c> value, whichever is shorter.</para> /// <para><b>NOTE:</b>The maximum duration for a session is 1 hour, and the minimum duration is 15 minutes, even if values outside this range /// are specified. </para> <para>Optionally, you can pass an AWS IAM access policy to this operation. The temporary security credentials that /// are returned by the operation have the permissions that are associated with the access policy of the role being assumed, except for any /// permissions explicitly denied by the policy you pass. This gives you a way to further restrict the permissions for the resulting temporary /// security credentials. These policies and any applicable resource-based policies are evaluated when calls to AWS are made using the temporary /// security credentials. </para> <para> Before your application can call <c>AssumeRoleWithSAML</c> , you must configure your SAML identity /// provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (AWS IAM) to create a SAML /// provider entity in your AWS account that represents your identity provider, and create an AWS IAM role that specifies this SAML provider in /// its trust policy. </para> <para> Calling <c>AssumeRoleWithSAML</c> does not require the use of AWS security credentials. The identity of the /// caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider. </para> /// <para>For more information, see the following resources:</para> /// <ul> /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html" >Creating Temporary Security Credentials for SAML /// Federation</a> in the <i>Using Temporary Security Credentials</i> guide. </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html" >SAML Providers</a> in the <i>Using /// IAM</i> guide. </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html" >Configuring a Relying Party and Claims in /// the Using IAM guide. </a> </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html" >Creating a Role for SAML-Based Federation</a> in the /// <i>Using IAM</i> guide. </li> /// /// </ul> /// /// </summary> /// /// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML service method on /// AmazonSecurityTokenService.</param> /// /// <returns>The response from the AssumeRoleWithSAML service method, as returned by AmazonSecurityTokenService.</returns> /// /// <exception cref="PackedPolicyTooLargeException"/> /// <exception cref="IDPRejectedClaimException"/> /// <exception cref="MalformedPolicyDocumentException"/> /// <exception cref="InvalidIdentityTokenException"/> /// <exception cref="ExpiredTokenException"/> public AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest) { IAsyncResult asyncResult = invokeAssumeRoleWithSAML(assumeRoleWithSAMLRequest, null, null, true); return EndAssumeRoleWithSAML(asyncResult); }
IAsyncResult invokeAssumeRoleWithSAML(AssumeRoleWithSAMLRequest request, AsyncCallback callback, object state, bool synchronized) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.Instance; return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer); }
/// <summary> /// <para> Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This /// operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific /// credentials or configuration. </para> <para> The temporary security credentials returned by this operation consist of an access key ID, a /// secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services. The /// credentials are valid for the duration that you specified when calling <c>AssumeRoleWithSAML</c> , which can be up to 3600 seconds (1 hour) /// or until the time specified in the SAML authentication response's <c>NotOnOrAfter</c> value, whichever is shorter.</para> /// <para><b>NOTE:</b>The maximum duration for a session is 1 hour, and the minimum duration is 15 minutes, even if values outside this range /// are specified. </para> <para>Optionally, you can pass an AWS IAM access policy to this operation. The temporary security credentials that /// are returned by the operation have the permissions that are associated with the access policy of the role being assumed, except for any /// permissions explicitly denied by the policy you pass. This gives you a way to further restrict the permissions for the federated user. These /// policies and any applicable resource-based policies are evaluated when calls to AWS are made using the temporary security credentials. /// </para> <para> Before your application can call <c>AssumeRoleWithSAML</c> , you must configure your SAML identity provider (IdP) to issue /// the claims required by AWS. Additionally, you must use AWS Identity and Access Management (AWS IAM) to create a SAML provider entity in your /// AWS account that represents your identity provider, and create an AWS IAM role that specifies this SAML provider in its trust policy. /// </para> <para> Calling <c>AssumeRoleWithSAML</c> does not require the use of AWS security credentials. The identity of the caller is /// validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider. </para> <para>For /// more information, see the following resources:</para> /// <ul> /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html">Creating Temporary Security Credentials for SAML /// Federation</a> in the <i>Using Temporary Security Credentials</i> guide. </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html">SAML Providers</a> in the <i>Using /// IAM</i> guide. </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html">Configuring a Relying Party and Claims in /// the Using IAM guide. </a> </li> /// <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html">Creating a Role for SAML-Based Federation</a> in the /// <i>Using IAM</i> guide. </li> /// /// </ul> /// /// </summary> /// /// <param name="assumeRoleWithSAMLRequest">Container for the necessary parameters to execute the AssumeRoleWithSAML service method on /// AmazonSecurityTokenService.</param> /// /// <returns>The response from the AssumeRoleWithSAML service method, as returned by AmazonSecurityTokenService.</returns> /// /// <exception cref="T:Amazon.SecurityToken.Model.PackedPolicyTooLargeException" /> /// <exception cref="T:Amazon.SecurityToken.Model.IDPRejectedClaimException" /> /// <exception cref="T:Amazon.SecurityToken.Model.MalformedPolicyDocumentException" /> /// <exception cref="T:Amazon.SecurityToken.Model.InvalidIdentityTokenException" /> /// <exception cref="T:Amazon.SecurityToken.Model.ExpiredTokenException" /> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> public Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest assumeRoleWithSAMLRequest, CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance(); return Invoke<IRequest, AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse>(assumeRoleWithSAMLRequest, marshaller, unmarshaller, signer, cancellationToken); }
internal AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request) { var task = AssumeRoleWithSAMLAsync(request); try { return task.Result; } catch(AggregateException e) { throw e.InnerException; } }
internal AssumeRoleWithSAMLResponse AssumeRoleWithSAML(AssumeRoleWithSAMLRequest request) { var task = AssumeRoleWithSAMLAsync(request); try { return task.Result; } catch(AggregateException e) { ExceptionDispatchInfo.Capture(e.InnerException).Throw(); return null; } }
/// <summary> /// Initiates the asynchronous execution of the AssumeRoleWithSAML operation. /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithSAML"/> /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithSAML operation.</param> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> /// <returns>The task object representing the asynchronous operation.</returns> public async Task<AssumeRoleWithSAMLResponse> AssumeRoleWithSAMLAsync(AssumeRoleWithSAMLRequest request, CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new AssumeRoleWithSAMLRequestMarshaller(); var unmarshaller = AssumeRoleWithSAMLResponseUnmarshaller.GetInstance(); var response = await Invoke<IRequest, AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse>(request, marshaller, unmarshaller, signer, cancellationToken) .ConfigureAwait(continueOnCapturedContext: false); return response; }
private Amazon.SecurityToken.Model.AssumeRoleWithSAMLResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithSAMLRequest request) { Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithSAML"); try { #if DESKTOP return(client.AssumeRoleWithSAML(request)); #elif CORECLR return(client.AssumeRoleWithSAMLAsync(request).GetAwaiter().GetResult()); #else #error "Unknown build edition" #endif } catch (AmazonServiceException exc) { var webException = exc.InnerException as System.Net.WebException; if (webException != null) { throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException); } throw; } }