public async Task Can_Create_A_Role()
{
// Arrange
var regionalEndpoint = RegionEndpoint.EUWest1;
var amazonIdentityManagementServiceClient = new AmazonIdentityManagementServiceClient(regionalEndpoint);
var amazonSecurityTokenServiceClient = new AmazonSecurityTokenServiceClient(regionalEndpoint);
var fakePolicyRepository = new FakePolicyTemplateRepository();
var identityManagementClient = new IdentityManagementServiceClient(new AmazonIdentityManagementServiceWrapper(amazonIdentityManagementServiceClient));
var awsIdentityClient = new AwsIdentityCommandClient(
amazonIdentityManagementServiceClient,
amazonSecurityTokenServiceClient,
fakePolicyRepository,
identityManagementClient
);
var roleName = RoleName.Create("test-role-do-delete-33");
var role = await awsIdentityClient.EnsureRoleExistsAsync(roleName);
try
{
// Act
// Assert
}
finally
{
await identityManagementClient.DeleteRoleAsync(roleName);
}
}
/// <summary>
/// Used to modify cloudformation cross account artifacts to bucket owner full access.
/// </summary>
/// <param name="jobEvent">CodePipeline event.</param>
/// <param name="context">Lambda Context</param>
/// <returns>Job success of the Lambda</returns>
public async Task <AmazonWebServiceResponse> FixCloudFormationOutputArtifactAcl(CodePipelineJobEvent jobEvent, ILambdaContext context)
{
var jobId = jobEvent.CodePipelineJob.Id;
context.Logger.LogLine($"JobId: {jobId}");
using (var codePipelineClient = new AmazonCodePipelineClient())
using (var stsClient = new AmazonSecurityTokenServiceClient())
{
try
{
var jobData = jobEvent.CodePipelineJob.Data;
// Assume the role in the cloudformation account that screwed up the bucket permissions
// for the output object
var userParameters = jobData.ActionConfiguration.Configuration["UserParameters"];
var paramDict = JsonConvert.DeserializeObject <Dictionary <string, string> >(userParameters);
var roleArn = paramDict["RoleArn"];
var assumeRoleRequest = new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = "codepipeline",
DurationSeconds = 900
};
var assumeRoleResponse = await stsClient.AssumeRoleAsync(assumeRoleRequest);
// Setup an S3 Client with the sts creds
var s3Client = new AmazonS3Client(assumeRoleResponse.Credentials);
// Update the ACLs of the input artifacts
foreach (var inputArtifact in jobData.InputArtifacts)
{
var bucketName = inputArtifact.Location.S3Location.BucketName;
var bucketKey = inputArtifact.Location.S3Location.ObjectKey;
context.Logger.LogLine($"Fixing {bucketName}/{bucketKey}");
var putObjectAclRequest = new PutACLRequest
{
BucketName = bucketName,
CannedACL = S3CannedACL.BucketOwnerFullControl,
Key = bucketKey
};
await s3Client.PutACLAsync(putObjectAclRequest);
}
// Send the success response
var successResultRequest = new PutJobSuccessResultRequest
{
JobId = jobId
};
return(await codePipelineClient.PutJobSuccessResultAsync(successResultRequest));
}
catch (Exception ex)
{
// Send the failure response and log
return(await DoException(codePipelineClient, ex, jobId, context));
}
}
}
protected override CredentialsRefreshState GenerateNewCredentials()
{
var configuredRegion = AWSConfigs.AWSRegion;
var region = string.IsNullOrEmpty(configuredRegion) ? DefaultSTSClientRegion : RegionEndpoint.GetBySystemName(configuredRegion);
Amazon.SecurityToken.Model.Credentials cc = null;
try
{
var stsConfig = ServiceClientHelpers.CreateServiceConfig(ServiceClientHelpers.STS_ASSEMBLY_NAME, ServiceClientHelpers.STS_SERVICE_CONFIG_NAME);
stsConfig.RegionEndpoint = region;
var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
OidcToken oidcToken = SourceCredentials.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(TargetAudience).WithTokenFormat(OidcTokenFormat.Standard)).Result;
TargetAssumeRoleRequest.WebIdentityToken = oidcToken.GetAccessTokenAsync().Result;
AssumeRoleWithWebIdentityResponse sessionTokenResponse = stsClient.AssumeRoleWithWebIdentityAsync(TargetAssumeRoleRequest).Result;
cc = sessionTokenResponse.Credentials;
_logger.InfoFormat("New credentials created for assume role that expire at {0}", cc.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
return(new CredentialsRefreshState(new ImmutableCredentials(cc.AccessKeyId, cc.SecretAccessKey, cc.SessionToken), cc.Expiration));
}
catch (Exception e)
{
var msg = "Error exchanging Google OIDC token for AWS STS ";
var exception = new InvalidOperationException(msg, e);
Logger.GetLogger(typeof(GoogleCompatCredentials)).Error(exception, exception.Message);
throw exception;
}
}
public void SecurityTokenServiceGetFederationToken()
{
#region to-get-temporary-credentials-for-a-role-by-using-getfederationtoken-1480540749900
var client = new AmazonSecurityTokenServiceClient();
var response = client.GetFederationToken(new GetFederationTokenRequest
{
DurationSeconds = 3600,
Name = "testFedUserSession",
Policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
Tags = new List <Tag> {
new Tag {
Key = "Project",
Value = "Pegasus"
},
new Tag {
Key = "Cost-Center",
Value = "98765"
}
}
});
Credentials credentials = response.Credentials;
FederatedUser federatedUser = response.FederatedUser;
int packedPolicySize = response.PackedPolicySize;
#endregion
}
static async Task Renew()
{
Log.Info("Requesting AssumeRole: " + RoleArn + "...");
var request = new AssumeRoleRequest
{
RoleArn = RoleArn,
DurationSeconds = (int)12.Hours().TotalSeconds,
ExternalId = "Pod",
RoleSessionName = "Pod"
};
try
{
using (var client = new AmazonSecurityTokenServiceClient())
{
var response = await client.AssumeRoleAsync(request);
Log.Debug("AssumeRole response code: " + response.HttpStatusCode);
var credentials = response.Credentials;
FallbackCredentialsFactory.Reset();
FallbackCredentialsFactory.CredentialsGenerators.Insert(0, () => credentials);
Log.Debug("Obtained assume role credentials.");
}
}
catch (Exception ex)
{
Log.Error(ex, "Submitting Assume Role request failed.");
throw;
}
}
public TemporaryUploadCredentials GenerateTemporaryUploadCredentials()
{
return(base.ExecuteFunction("GenerateTemporaryUploadCredentials", delegate()
{
Credentials credentials = this.Cache15.PerLifetime("GetSessionToken", delegate()
{
// Cache is every 15 minutes, we set the expire every 30, we're good. :)
using (var client = new AmazonSecurityTokenServiceClient(this.AmazonKeyID, this.AmazonSecret, RegionEndpoint.USEast1))
{
GetSessionTokenResponse response = client.GetSessionToken(new GetSessionTokenRequest
{
DurationSeconds = (int)TimeSpan.FromMinutes(30).TotalSeconds,
});
if (response == null || response.HttpStatusCode != System.Net.HttpStatusCode.OK || response.Credentials == null)
{
throw new UIException("Unable to generate File Upload Credentials. Please try again in a few moments");
}
return response.Credentials;
}
});
return new TemporaryUploadCredentials()
{
bucket = this.AmazonBucket,
access_key_id = credentials.AccessKeyId,
secret_access_key = credentials.SecretAccessKey,
session_token = credentials.SessionToken,
};
}));
}
private async Task <Credentials> GetTemporaryCredentials(
string accessKeyId, string secretAccessKeyId)
{
AmazonSecurityTokenServiceClient stsClient =
new AmazonSecurityTokenServiceClient(accessKeyId,
secretAccessKeyId);
GetSessionTokenRequest getSessionTokenRequest =
new GetSessionTokenRequest();
getSessionTokenRequest.DurationSeconds = 7200; // seconds
GetSessionTokenResponse sessionTokenResponse =
await stsClient.GetSessionTokenAsync(getSessionTokenRequest);
Credentials credentials = sessionTokenResponse.Credentials;
//SessionAWSCredentials sessionCredentials =
// new SessionAWSCredentials(credentials.AccessKeyId,
// credentials.SecretAccessKey,
// credentials.SessionToken);
return(credentials);
}
public SessionAWSCredentials GetSamlRoleCredentails(string samlAssertion, string awsRole)
{
string[] role = awsRole.Split(',');
AssumeRoleWithSAMLRequest samlRequest = new AssumeRoleWithSAMLRequest();
samlRequest.SAMLAssertion = samlAssertion;
samlRequest.RoleArn = role[1];
samlRequest.PrincipalArn = role[0];
samlRequest.DurationSeconds = 3600;
AmazonSecurityTokenServiceClient sts;
AssumeRoleWithSAMLResponse samlResponse;
try {
sts = new AmazonSecurityTokenServiceClient();
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
catch
{
sts = new AmazonSecurityTokenServiceClient("a", "b", "c");
samlResponse = sts.AssumeRoleWithSAML(samlRequest);
}
SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
samlResponse.Credentials.AccessKeyId,
samlResponse.Credentials.SecretAccessKey,
samlResponse.Credentials.SessionToken);
return(sessionCredentials);
}
private void CreateAndCheckTestBucket()
{
TestBucketIsReady = false;
USEast1Client = new AmazonS3Client(RegionEndpoint.USEast1);
USWest1Client = new AmazonS3Client(RegionEndpoint.USWest1);
var sessionCredentials = new AmazonSecurityTokenServiceClient().GetSessionToken().Credentials;
USEast1ClientWithSessionCredentials = new AmazonS3Client(sessionCredentials, RegionEndpoint.USEast1);
TestBucket = USWest1Client.ListBuckets().Buckets.Find(bucket => bucket.BucketName.StartsWith(BucketPrefix));
if (TestBucket == null)
{
// add ticks to bucket name because the bucket namespace is shared globally
var bucketName = BucketPrefix + DateTime.Now.Ticks;
// Create the bucket but don't run the test.
// If the bucket is ready the next time this test runs we'll test then.
USWest1Client.PutBucket(new PutBucketRequest()
{
BucketRegion = S3Region.USW1,
BucketName = bucketName,
});
}
else if (TestBucket.CreationDate.AddHours(TemporaryRedirectMaxExpirationHours) < DateTime.Now)
{
BucketRegionDetector.BucketRegionCache.Clear();
TestBucketIsReady = true;
}
}
private void AWSAssumeRole(FacebookDemoModel facebookDemoModel)
{
// This is the Facebook token that we got from authenticating with Facebook
String facebookToken = facebookDemoModel.FacebookToken;
// Create AWS Security Token Service client object with anonymous credential. This methods is not using any AWS long term key or any other type of credential.
AmazonSecurityTokenServiceClient awsSTSClient = new AmazonSecurityTokenServiceClient(new Amazon.Runtime.AnonymousAWSCredentials());
// Set attribute to pass to the Security Token Service client using the AssumeRoleWithWebIdentityRequest model
Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityRequest myWebRequest = new Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityRequest();
myWebRequest.ProviderId = "graph.facebook.com"; // Set provider to Facebook
myWebRequest.RoleSessionName = "StuzioDemoSession"; // Set role session name for tracking - Name can be anything.
myWebRequest.WebIdentityToken = facebookToken; // Set the identity token to be the token we got from Facebook log in
myWebRequest.RoleArn = "arn:aws:iam::01234567890:role/YourRoleName"; // Set the AWS role in the specified account with role's Amazon Resource Name. Example: arn:aws:iam::081274447123:role/StuzioWebUserRole
myWebRequest.DurationSeconds = 3600; // Set the durtion of session.
// Using the model with attributes set, assume the role with web identity.
Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityResponse awsResponse = awsSTSClient.AssumeRoleWithWebIdentity(myWebRequest);
// Get the response from AWS once Facebook user assumes a role. Set the model data to display on UI
facebookDemoModel.AWSAccessKeyID = awsResponse.Credentials.AccessKeyId;
facebookDemoModel.AWSSecretAccessKey = awsResponse.Credentials.SecretAccessKey;
facebookDemoModel.AWSSessionToken = awsResponse.Credentials.SessionToken;
return;
}
protected override void ProcessRecord()
{
try
{
string mfaDevice = Environment.GetEnvironmentVariable("DEVOPS_AWS_MFA_DEVICE");
string devopsAccessKey = Environment.GetEnvironmentVariable("DEVOPS_AWS_ACCESS_KEY_ID");
string devopsSecretKey = Environment.GetEnvironmentVariable("DEVOPS_AWS_SECRET_ACCESS_KEY");
AmazonSecurityTokenServiceClient stsClient = string.IsNullOrEmpty(devopsAccessKey)
? new AmazonSecurityTokenServiceClient()
: new AmazonSecurityTokenServiceClient(new BasicAWSCredentials(devopsAccessKey, devopsSecretKey));
using (stsClient)
{
GetSessionTokenRequest request = new GetSessionTokenRequest
{
DurationSeconds = Duration,
SerialNumber = mfaDevice,
TokenCode = MFAToken
};
Task <GetSessionTokenResponse> response = stsClient.GetSessionTokenAsync(request);
response.Wait(1000);
WriteObject(response.Result.Credentials);
}
}
catch (Exception exception)
{
ThrowTerminatingError(new ErrorRecord(new Exception("Error getting session token", exception), "Error getting session token", ErrorCategory.InvalidOperation, null));
}
}
public AssumeRoleResponse GetTemporaryCredentials(string awsAccount)
{
try
{
using (var stsClient = new AmazonSecurityTokenServiceClient())
{
LambdaLogger.Log($"Begin assume role for AWS account with ID {awsAccount}");
AssumeRoleRequest request = new AssumeRoleRequest
{
RoleArn = $"arn:aws:iam::{awsAccount}:role/{Environment.GetEnvironmentVariable("AWS_ROLE_NAME_FOR_STS_API_GATEWAY_GET")}",
DurationSeconds = 900, //15 mins, which is the minimum accepted
RoleSessionName = "Session-for-retrieving-API-name"
};
LambdaLogger.Log($"Role ARN in request: {request.RoleArn}");
var credentialsResponse = stsClient.AssumeRoleAsync(request).GetAwaiter().GetResult();
LambdaLogger.Log($"Credentials for role with ARN {request.RoleArn} retrieved for user - {credentialsResponse.AssumedRoleUser}");
return(credentialsResponse);
}
}
catch (Exception ex)
{
LambdaLogger.Log($"An error occurred while assuming role for AWS account with ID {awsAccount}. Message: {ex.Message}");
throw;
}
}
public Credentials GetSessionToken(AWSCredentials credentials)
{
Credentials sessionCredentials = null;
using (var stsClient = new AmazonSecurityTokenServiceClient(credentials))
{
try
{
var getSessionTokenRequest = new GetSessionTokenRequest()
{
DurationSeconds = 7200
};
GetSessionTokenResponse response = stsClient.GetSessionToken(getSessionTokenRequest);
sessionCredentials = response.Credentials;
}
catch (Exception ex)
{
throw ex;
}
}
return(sessionCredentials);
}
static async Task RunExample()
{
// Identity
var client = new AmazonSecurityTokenServiceClient();
var getCallerIdReq = new GetCallerIdentityRequest();
var caller = await GetCallerIdentityResponseAsync(client, getCallerIdReq);
Console.WriteLine($"Caller identity: {caller.Arn} | {caller.Account} | {caller.UserId}");
// S3
RegionEndpoint region = RegionEndpoint.EUCentral1;
string bucketName = "dfds.static.content";
var s3Client = new AmazonS3Client(region);
var s3NewBucket = new PutBucketRequest
{
BucketName = bucketName,
BucketRegion = S3Region.EUC1,
CannedACL = S3CannedACL.Private
};
var s3BucketResponse = await s3Client.PutBucketAsync(s3NewBucket);
var s3PutObjectRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = "hello",
ContentBody = "Hi Pelle!",
ContentType = "text/plain"
};
var s3PutObjectResponse = await s3Client.PutObjectAsync(s3PutObjectRequest);
}
private AWSCredentials GetSessionCredentials(AWSCredentials credentials)
{
using (var stsClient = new AmazonSecurityTokenServiceClient(credentials))
{
GetSessionTokenResponse response = null;
// wait for eventual consistency of user creation
UtilityMethods.WaitUntil(() =>
{
try
{
response = stsClient.GetSessionToken();
return(true);
}
catch (AmazonSecurityTokenServiceException e)
{
if (String.Equals(e.ErrorCode, "InvalidClientTokenId", StringComparison.OrdinalIgnoreCase))
{
return(false);
}
else
{
throw e;
}
}
});
Assert.IsNotNull(response);
Assert.IsNotNull(response.Credentials);
return(new SessionAWSCredentials(response.Credentials.AccessKeyId,
response.Credentials.SecretAccessKey, response.Credentials.SessionToken));
}
}
public void TestAssumeRoleCredentials()
{
var clientId = Guid.NewGuid();
var roleArn = _role.Arn;
const string sessionName = "NetUser";
// sleep for IAM data to propagate
Thread.Sleep(TimeSpan.FromSeconds(10));
var sts = new AmazonSecurityTokenServiceClient(_userCredentials);
Thread.Sleep(TimeSpan.FromSeconds(60));
var request = new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = sessionName,
DurationSeconds = 3600,
ExternalId = clientId.ToString()
};
// keep this unit test even though STSAssumeRoleAWSCredentials is obsolete
#pragma warning disable 0618
var credentials = new STSAssumeRoleAWSCredentials(sts, request);
var client = new AmazonIdentityManagementServiceClient(credentials);
var response = client.ListRoles();
Assert.IsNotNull(response);
}
internal static async Task <StopInstancesResponse> StopEc2InstanceAsync(IConfiguration Configuration, string User, string AccountName, string InstanceId)
{
try
{
var accountKey = LoadAwsAccounts(Configuration).SingleOrDefault(x => x.AccountName == AccountName);
var accountRegion = RegionEndpoint.GetBySystemName(accountKey.Region);
var stsClient = new AmazonSecurityTokenServiceClient();
var sessionName = string.Format(ResourceStrings.StopAction, User, accountKey.AccountName, DateTime.Now.Ticks.ToString());
sessionName = sessionName.Length > 63 ? sessionName.Substring(0, 63) : sessionName;
var assumeRoleRequest = new AssumeRoleRequest
{
RoleArn = accountKey.RoleArn,
RoleSessionName = sessionName,
DurationSeconds = 900
};
var stsResponse = await stsClient.AssumeRoleAsync(assumeRoleRequest);
var instanceIdAsList = new List <string> {
InstanceId
};
var stopRequest = new StopInstancesRequest(instanceIdAsList);
var ec2Client = new AmazonEC2Client(stsResponse.Credentials, accountRegion);
var response = ec2Client.StopInstancesAsync(stopRequest);
ec2Client.Dispose();
stsClient.Dispose();
return(await response);
}
catch (Exception e)
{
throw new Exception(string.Format(ErrorStrings.RebootEc2InstanceError, InstanceId, e.Message), e.InnerException);
}
}
/// <summary>
/// Gets the <see cref="SessionAWSCredentials"/> based on the specified SAML assertion and role.
/// </summary>
/// <param name="samlAssertion">The SAML assertion from the identity provider.</param>
/// <param name="role">The role that the caller is assuming.</param>
/// <param name="durationInSeconds">The duration for the AWS session credentials in seconds. Default value is 3600 seconds.</param>
/// <returns>Returns a <see cref="SessionAWSCredentials"/> based on the specified SAML assertion and role.</returns>
public SessionAWSCredentials GetSessionAwsCredentials(string samlAssertion, string role, int durationInSeconds = 3600)
{
var roles = role.Split(',');
if (roles.Length > 1)
{
throw new ArgumentException("An invalid role was specified.");
}
var assumeRoleWithSamlRequest = new AssumeRoleWithSAMLRequest
{
SAMLAssertion = samlAssertion,
PrincipalArn = roles[0],
RoleArn = roles[1],
DurationSeconds = durationInSeconds
};
// Need to create a BasicAWSCredentials object and pass it to AmazonSecurityTokenServiceClient,
// otherwise a null reference exception is thrown. Will need to look into this further as to why this happens.
var basicCredential = new BasicAWSCredentials("", "");
using (var amazonSecurityTokenServiceClient = new AmazonSecurityTokenServiceClient(basicCredential))
{
var amazonRoleWithSamlResponse = amazonSecurityTokenServiceClient.AssumeRoleWithSAML(assumeRoleWithSamlRequest);
return(new SessionAWSCredentials(amazonRoleWithSamlResponse.Credentials.AccessKeyId,
amazonRoleWithSamlResponse.Credentials.SecretAccessKey, amazonRoleWithSamlResponse.Credentials.SessionToken));
}
}
public async Task <IActionResult> AssumeRoleAsync()
{
if (!HttpContext.User.Identity.IsAuthenticated)
{
return(new OkObjectResult("you have to sign in to access AWS resources"));
}
try
{
var assumeRoleRequest = new AssumeRoleWithWebIdentityRequest
{
RoleArn = "arn:aws:iam::628654266155:role/acme_app_access_s3",
RoleSessionName = "testsession",
WebIdentityToken = GetOktaTokenMiddleware.OktaToken,
};
var stsServiceClient = new AmazonSecurityTokenServiceClient(new BasicAWSCredentials("****", "*****"), RegionEndpoint.USEast2);
var response = await stsServiceClient.AssumeRoleWithWebIdentityAsync(assumeRoleRequest);
//var response = await stsServiceClient.ListRoles()
return(new OkObjectResult($"key = {response.Credentials.AccessKeyId} security = {response.Credentials.SecretAccessKey}"));
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
public static async Task <SessionAWSCredentials> GetTemporaryFederatedCredentialsAsync(string bucketName)
{
var config = new AmazonSecurityTokenServiceConfig();
var stsClient = new AmazonSecurityTokenServiceClient(config);
var federationTokenRequest = new GetFederationTokenRequest();
federationTokenRequest.DurationSeconds = 7200;
federationTokenRequest.Name = "User1";
federationTokenRequest.Policy = @"{
""Statement"":
[
{
""Sid"":""Stmt1311212314284"",
""Action"":[""s3:ListBucket""],
""Effect"":""Allow"",
""Resource"":""arn:aws:s3:::" + bucketName + @"""
}
]
}
";
GetFederationTokenResponse federationTokenResponse =
await stsClient.GetFederationTokenAsync(federationTokenRequest);
Credentials credentials = federationTokenResponse.Credentials;
var sessionCredentials = new SessionAWSCredentials(
credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
return(sessionCredentials);
}
public void TestAssumeRoleCredentials()
{
var clientId = Guid.NewGuid();
var roleArn = _role.Arn;
const string sessionName = "NetUser";
// sleep for IAM data to propagate
UtilityMethods.Sleep(TimeSpan.FromSeconds(10));
var sts = new AmazonSecurityTokenServiceClient(_userCredentials);
UtilityMethods.Sleep(TimeSpan.FromSeconds(60));
var request = new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = sessionName,
DurationSeconds = 3600,
ExternalId = clientId.ToString()
};
var credentials = new STSAssumeRoleAWSCredentials(sts, request);
var client = new AmazonIdentityManagementServiceClient(credentials);
var response = client.ListRolesAsync().Result;
Assert.IsNotNull(response);
}
public static Credentials GetTemporaryCredentials(string policy)
{
var config = new AmazonSecurityTokenServiceConfig
{
RegionEndpoint = RegionEndpoint.APSoutheast2
};
var client = new AmazonSecurityTokenServiceClient(config);
var iamClient = new AmazonIdentityManagementServiceClient(
RegionEndpoint.APSoutheast2);
var iamRoleName = EC2InstanceMetadata.GetData("/iam/security-credentials");
var role = iamClient.GetRole(
new GetRoleRequest()
{
RoleName = iamRoleName
});
var assumeRoleRequest = new AssumeRoleRequest()
{
RoleArn = role.Role.Arn,
RoleSessionName = Guid.NewGuid().ToString().Replace("-", ""),
DurationSeconds = 900
};
if (!string.IsNullOrEmpty(policy))
{
assumeRoleRequest.Policy = policy;
}
var assumeRoleResponse =
client.AssumeRole(assumeRoleRequest);
var credentials = assumeRoleResponse.Credentials;
return(credentials);
}
private static IRestRequest SignWithSTSKeysAndSecurityToken(IRestRequest restRequest, string host, string roleARN, string accessKey, string secretKey)
{
AssumeRoleResponse response = null;
using (var STSClient = new AmazonSecurityTokenServiceClient(accessKey, secretKey, RegionEndpoint.EUWest1))
{
var req = new AssumeRoleRequest()
{
RoleArn = roleARN,
DurationSeconds = 950, //put anything you want here
RoleSessionName = Guid.NewGuid().ToString()
};
response = STSClient.AssumeRoleAsync(req, new CancellationToken()).Result;
}
//auth step 3: dönen değerler bizim yeni tokenlarımızı...
var awsAuthenticationCredentials = new AWSAuthenticationCredentials
{
AccessKeyId = response.Credentials.AccessKeyId,
SecretKey = response.Credentials.SecretAccessKey,
Region = REGION
};
restRequest.AddHeader("x-amz-security-token", response.Credentials.SessionToken);
return(new AWSSigV4Signer(awsAuthenticationCredentials).Sign(restRequest, host));
}
public async Task AssumeRoleAsync(UserAccountExtended userAccount, UserRoleExtended userRole,
CancellationToken cancellationToken)
{
if (userAccount == null)
{
throw new ArgumentNullException(nameof(userAccount));
}
if (userRole == null)
{
throw new ArgumentNullException(nameof(userRole));
}
if (cancellationToken == null)
{
throw new ArgumentNullException(nameof(cancellationToken));
}
using (var stsClient = new AmazonSecurityTokenServiceClient(userAccount.AwsCredentials, _config))
{
var request = new AssumeRoleRequest
{
RoleArn = Role(userRole.AwsAccountId, userRole.Role),
RoleSessionName = userRole.AwsAccountLabel
};
var role2 = await stsClient.AssumeRoleAsync(request, cancellationToken)
.ConfigureAwait(false);
var tempAccessKeyId = role2.Credentials.AccessKeyId;
var tempSessionToken = role2.Credentials.SessionToken;
var tempSecretAccessKey = role2.Credentials.SecretAccessKey;
userRole.AwsCredentials =
new SessionAWSCredentials(tempAccessKeyId, tempSecretAccessKey, tempSessionToken);
}
}
public CognitoAWSCredentials(string accountId, string identityPoolId, string unAuthRoleArn, string authRoleArn, IAmazonCognitoIdentity cibClient, IAmazonSecurityTokenService stsClient)
{
if (string.IsNullOrEmpty(identityPoolId))
{
throw new ArgumentNullException("identityPoolId");
}
if (cibClient == null)
{
throw new ArgumentNullException("cibClient");
}
if ((unAuthRoleArn != null || authRoleArn != null) && stsClient == null)
{
throw new ArgumentNullException("stsClient");
}
AccountId = accountId;
IdentityPoolId = identityPoolId;
UnAuthRoleArn = unAuthRoleArn;
AuthRoleArn = authRoleArn;
Logins = new Dictionary <string, string>(StringComparer.Ordinal);
cib = (AmazonCognitoIdentityClient)cibClient;
sts = (AmazonSecurityTokenServiceClient)stsClient;
string cachedIdentityId = GetCachedIdentityId();
if (!string.IsNullOrEmpty(cachedIdentityId))
{
UpdateIdentity(cachedIdentityId);
currentState = GetCachedCredentials();
}
}
public async Task CreateAwsCredentialsAsync(UserAccountExtended userAccount, string mfaToken,
CancellationToken cancellationToken)
{
if (userAccount == null)
{
throw new ArgumentNullException(nameof(userAccount));
}
if (string.IsNullOrWhiteSpace(mfaToken))
{
throw new ArgumentException("Value cannot be null or whitespace.", nameof(mfaToken));
}
if (cancellationToken == null)
{
throw new ArgumentNullException(nameof(cancellationToken));
}
var basicAwsCredentials = new BasicAWSCredentials(userAccount.UserAccessKey, userAccount.UserSecretKey);
using (var stsClient = new AmazonSecurityTokenServiceClient(basicAwsCredentials, _config))
{
var getSessionTokenRequest = new GetSessionTokenRequest
{
DurationSeconds = 3600,
SerialNumber = $"arn:aws:iam::{userAccount.UserAccountId}:mfa/{userAccount.UserName}",
TokenCode = mfaToken
};
var getSessionTokenResponse =
await stsClient.GetSessionTokenAsync(getSessionTokenRequest, cancellationToken)
.ConfigureAwait(false);
userAccount.AwsCredentials = getSessionTokenResponse.Credentials;
}
}
//--- Methods ---
protected async Task <(string AccountId, string Region)?> InitializeAwsProfile(string awsProfile, string awsAccountId = null, string awsRegion = null)
{
// initialize AWS profile
if (awsProfile != null)
{
// select an alternate AWS profile by setting the AWS_PROFILE environment variable
Environment.SetEnvironmentVariable("AWS_PROFILE", awsProfile);
}
// determine default AWS region
if ((awsAccountId == null) || (awsRegion == null))
{
// determine AWS region and account
try {
var stsClient = new AmazonSecurityTokenServiceClient();
var response = await stsClient.GetCallerIdentityAsync(new GetCallerIdentityRequest());
awsAccountId = awsAccountId ?? response.Account;
awsRegion = awsRegion ?? stsClient.Config.RegionEndpoint.SystemName ?? "us-east-1";
} catch (Exception e) {
AddError("unable to determine the AWS Account Id and Region", e);
return(null);
}
}
// set AWS region for library and spawned processes
AWSConfigs.AWSRegion = awsRegion;
Environment.SetEnvironmentVariable("AWS_REGION", awsRegion);
Environment.SetEnvironmentVariable("AWS_DEFAULT_REGION", awsRegion);
return(AccountId : awsAccountId, Region : awsRegion);
}
public void TestAssumeRole()
{
var clientId = Guid.NewGuid();
var roleArn = _role.Arn;
const string sessionName = "NetUser";
// sleep for IAM data to propagate
Thread.Sleep(TimeSpan.FromSeconds(10));
var sts = new AmazonSecurityTokenServiceClient(_userCredentials);
Thread.Sleep(TimeSpan.FromSeconds(60));
var result = sts.AssumeRole(new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = sessionName,
DurationSeconds = 3600,
ExternalId = clientId.ToString()
});
var credentials = result.Credentials;
var sessionCredentials = new SessionAWSCredentials(credentials.AccessKeyId, credentials.SecretAccessKey, credentials.SessionToken);
var client = new AmazonIdentityManagementServiceClient(sessionCredentials);
var response = client.ListRoles();
Assert.IsNotNull(response);
client = new AmazonIdentityManagementServiceClient(credentials);
response = client.ListRoles();
Assert.IsNotNull(response);
}
static async Task Main()
{
// Create the SecurityToken client and then display the identity of the
// default user.
var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole";
var client = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(REGION);
// Get and display the information about the identity of the default user.
var callerIdRequest = new GetCallerIdentityRequest();
var caller = await client.GetCallerIdentityAsync(callerIdRequest);
Console.WriteLine($"Original Caller: {caller.Arn}");
// Create the request to use with the AssumeRoleAsync call.
var assumeRoleReq = new AssumeRoleRequest()
{
DurationSeconds = 1600,
RoleSessionName = "Session1",
RoleArn = roleArnToAssume
};
var assumeRoleRes = await client.AssumeRoleAsync(assumeRoleReq);
// Now create a new client based on the credentials of the caller assuming the role.
var client2 = new AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Credentials);
// Get and display information about the caller that has assumed the defined role.
var caller2 = await client2.GetCallerIdentityAsync(callerIdRequest);
Console.WriteLine($"AssumedRole Caller: {caller2.Arn}");
}
static void Main(string[] args)
{
string accessKey = "AKIAYASBUYUORND23YUN";
string secretKey = "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";
RegionEndpoint region = RegionEndpoint.APSoutheast2;
AWSCredentials cred = new BasicAWSCredentials(accessKey, secretKey);
IAmazonSecurityTokenService stsClient = new AmazonSecurityTokenServiceClient(cred, region);
AssumeRoleRequest stsRequest = new AssumeRoleRequest();
stsRequest.DurationSeconds = 910;
stsRequest.RoleArn = "arn:aws:iam::550967231773:role/MyAssumeRole";
stsRequest.RoleSessionName = "MyAssumeRolesessionFromDotNet";
AssumeRoleResponse temporaryCred = stsClient.AssumeRoleAsync(stsRequest).Result;
IAmazonS3 client = new AmazonS3Client(temporaryCred.Credentials, region);
ListBucketsRequest request = new ListBucketsRequest();
ListBucketsResponse response = client.ListBucketsAsync(request).Result;
foreach (S3Bucket b in response.Buckets)
{
Console.WriteLine(b.BucketName);
}
Console.ReadLine();
}
private CredentialsRefreshState Authenticate(ICredentials userCredential, TimeSpan credentialDuration)
{
CredentialsRefreshState state;
SAMLAssertion assertion;
var configuredRegion = AWSConfigs.AWSRegion;
var region = string.IsNullOrEmpty(configuredRegion)
? DefaultSTSClientRegion
: RegionEndpoint.GetBySystemName(configuredRegion);
try
{
assertion = new SAMLAuthenticationController().GetSAMLAssertion(ProfileData.EndpointSettings.Endpoint.ToString(),
userCredential,
ProfileData.EndpointSettings.AuthenticationType);
}
catch (Exception e)
{
throw new AuthenticationFailedException("Authentication failure, unable to obtain SAML assertion.", e);
}
try
{
using (var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials(), region))
{
var credentials = assertion.GetRoleCredentials(stsClient, ProfileData.RoleArn, credentialDuration);
state = new CredentialsRefreshState(credentials, DateTime.UtcNow + credentialDuration);
}
}
catch (Exception e)
{
var wrappedException = new AmazonClientException("Credential generation failed following successful authentication.", e);
var logger = Logger.GetLogger(typeof(StoredProfileSAMLCredentials));
logger.Error(wrappedException, wrappedException.Message);
throw wrappedException;
}
return state;
}
