public object Execute(ExecutorContext context)
{
var cmdletContext = context as CmdletContext;
// create request
var request = new Amazon.IdentityManagement.Model.CreateRoleRequest();
if (cmdletContext.AssumeRolePolicyDocument != null)
{
request.AssumeRolePolicyDocument = cmdletContext.AssumeRolePolicyDocument;
}
if (cmdletContext.Description != null)
{
request.Description = cmdletContext.Description;
}
if (cmdletContext.MaxSessionDuration != null)
{
request.MaxSessionDuration = cmdletContext.MaxSessionDuration.Value;
}
if (cmdletContext.Path != null)
{
request.Path = cmdletContext.Path;
}
if (cmdletContext.PermissionsBoundary != null)
{
request.PermissionsBoundary = cmdletContext.PermissionsBoundary;
}
if (cmdletContext.RoleName != null)
{
request.RoleName = cmdletContext.RoleName;
}
if (cmdletContext.Tag != null)
{
request.Tags = cmdletContext.Tag;
}
CmdletOutput output;
// issue call
var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint);
try
{
var response = CallAWSServiceOperation(client, request);
object pipelineOutput = null;
pipelineOutput = cmdletContext.Select(response, this);
output = new CmdletOutput
{
PipelineOutput = pipelineOutput,
ServiceResponse = response
};
}
catch (Exception e)
{
output = new CmdletOutput {
ErrorResponse = e
};
}
return(output);
}
/// <summary>
/// Initiates the asynchronous execution of the CreateRole operation.
/// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the CreateRole operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public Task<CreateRoleResponse> CreateRoleAsync(CreateRoleRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.Instance;
return InvokeAsync<CreateRoleRequest,CreateRoleResponse>(request, marshaller,
unmarshaller, cancellationToken);
}
internal CreateRoleResponse CreateRole(CreateRoleRequest request)
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.Instance;
return Invoke<CreateRoleRequest,CreateRoleResponse>(request, marshaller, unmarshaller);
}
IAsyncResult invokeCreateRole(CreateRoleRequest createRoleRequest, AsyncCallback callback, object state, bool synchronized)
{
IRequest irequest = new CreateRoleRequestMarshaller().Marshall(createRoleRequest);
var unmarshaller = CreateRoleResponseUnmarshaller.GetInstance();
AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
Invoke(result);
return result;
}
/// <summary>
/// Initiates the asynchronous execution of the CreateRole operation.
/// <seealso cref="Amazon.IdentityManagement.AmazonIdentityManagementService.CreateRole"/>
/// </summary>
///
/// <param name="createRoleRequest">Container for the necessary parameters to execute the CreateRole operation on
/// AmazonIdentityManagementService.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndCreateRole
/// operation.</returns>
public IAsyncResult BeginCreateRole(CreateRoleRequest createRoleRequest, AsyncCallback callback, object state)
{
return invokeCreateRole(createRoleRequest, callback, state, false);
}
/// <summary>
/// <para>Creates a new role for your AWS account.</para> <para>For information about limitations on the number of roles you can create, see
/// Limitations on IAM Entities in <i>Using AWS Identity and Access Management</i> .</para>
/// </summary>
///
/// <param name="createRoleRequest">Container for the necessary parameters to execute the CreateRole service method on
/// AmazonIdentityManagementService.</param>
///
/// <returns>The response from the CreateRole service method, as returned by AmazonIdentityManagementService.</returns>
///
/// <exception cref="MalformedPolicyDocumentException"/>
/// <exception cref="LimitExceededException"/>
/// <exception cref="EntityAlreadyExistsException"/>
public CreateRoleResponse CreateRole(CreateRoleRequest createRoleRequest)
{
IAsyncResult asyncResult = invokeCreateRole(createRoleRequest, null, null, true);
return EndCreateRole(asyncResult);
}
/// <summary>
/// Initiates the asynchronous execution of the CreateRole operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the CreateRole operation on AmazonIdentityManagementServiceClient.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndCreateRole
/// operation.</returns>
public IAsyncResult BeginCreateRole(CreateRoleRequest request, AsyncCallback callback, object state)
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.Instance;
return BeginInvoke<CreateRoleRequest>(request, marshaller, unmarshaller,
callback, state);
}
/// <summary>
/// Initiates the asynchronous execution of the CreateRole operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the CreateRole operation on AmazonIdentityManagementServiceClient.</param>
/// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
/// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
public void CreateRoleAsync(CreateRoleRequest request, AmazonServiceCallback<CreateRoleRequest, CreateRoleResponse> callback, AsyncOptions options = null)
{
options = options == null?new AsyncOptions():options;
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.Instance;
Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
if(callback !=null )
callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => {
AmazonServiceResult<CreateRoleRequest,CreateRoleResponse> responseObject
= new AmazonServiceResult<CreateRoleRequest,CreateRoleResponse>((CreateRoleRequest)req, (CreateRoleResponse)res, ex , ao.State);
callback(responseObject);
};
BeginInvoke<CreateRoleRequest>(request, marshaller, unmarshaller, options, callbackHelper);
}
/// <summary>
/// Initiates the asynchronous execution of the CreateRole operation.
/// <seealso cref="Amazon.IdentityManagement.IAmazonIdentityManagementService.CreateRole"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the CreateRole operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public async Task<CreateRoleResponse> CreateRoleAsync(CreateRoleRequest request, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.GetInstance();
var response = await Invoke<IRequest, CreateRoleRequest, CreateRoleResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
.ConfigureAwait(continueOnCapturedContext: false);
return response;
}
/// <summary>
/// <para>Creates a new role for your AWS account. For more information about roles, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html">Working with Roles</a> .
/// For information about limitations on role names and the number of roles you can create, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
/// AWS Identity and Access Management</i> .</para> <para>The policy grants permission to an EC2 instance to assume the role. The policy is
/// URL-encoded according to RFC 3986. For more information about RFC 3986, go to <a href="http://www.faqs.org/rfcs/rfc3986.html">http://www.faqs.org/rfcs/rfc3986.html</a> .
/// Currently, only EC2 instances can assume roles.</para>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the CreateRole service method on
/// AmazonIdentityManagementService.</param>
///
/// <returns>The response from the CreateRole service method, as returned by AmazonIdentityManagementService.</returns>
///
/// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.EntityAlreadyExistsException" />
public CreateRoleResponse CreateRole(CreateRoleRequest request)
{
var task = CreateRoleAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
throw e.InnerException;
}
}
private Amazon.IdentityManagement.Model.CreateRoleResponse CallAWSServiceOperation(IAmazonIdentityManagementService client, Amazon.IdentityManagement.Model.CreateRoleRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Identity and Access Management", "CreateRole");
try
{
#if DESKTOP
return(client.CreateRole(request));
#elif CORECLR
return(client.CreateRoleAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
/// <summary>
/// <para>Creates a new role for your AWS account. For more information about roles, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html">Working with Roles</a> .
/// For information about limitations on role names and the number of roles you can create, go to <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?LimitationsOnEntities.html">Limitations on IAM Entities</a> in <i>Using
/// AWS Identity and Access Management</i> .</para> <para>The policy grants permission to an EC2 instance to assume the role. The policy is
/// URL-encoded according to RFC 3986. For more information about RFC 3986, go to <a href="http://www.faqs.org/rfcs/rfc3986.html">http://www.faqs.org/rfcs/rfc3986.html</a> .
/// Currently, only EC2 instances can assume roles.</para>
/// </summary>
///
/// <param name="createRoleRequest">Container for the necessary parameters to execute the CreateRole service method on
/// AmazonIdentityManagementService.</param>
///
/// <returns>The response from the CreateRole service method, as returned by AmazonIdentityManagementService.</returns>
///
/// <exception cref="T:Amazon.IdentityManagement.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.LimitExceededException" />
/// <exception cref="T:Amazon.IdentityManagement.Model.EntityAlreadyExistsException" />
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
public Task<CreateRoleResponse> CreateRoleAsync(CreateRoleRequest createRoleRequest, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.GetInstance();
return Invoke<IRequest, CreateRoleRequest, CreateRoleResponse>(createRoleRequest, marshaller, unmarshaller, signer, cancellationToken);
}
internal CreateRoleResponse CreateRole(CreateRoleRequest request)
{
var task = CreateRoleAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
ExceptionDispatchInfo.Capture(e.InnerException).Throw();
return null;
}
}
public virtual string PrepMode_CreateRole(AmazonIdentityManagementServiceClient iamClient, string roleName,
string policyText, string trustRelationshipText)
{
var roleArn = String.Empty;
// Use the CreateRoleRequest object to define the role. The AssumeRolePolicyDocument property should be
// set to the value of the trustRelationshipText parameter.
var createRoleRequest = new CreateRoleRequest
{
AssumeRolePolicyDocument = trustRelationshipText,
RoleName = roleName
};
roleArn = iamClient.CreateRole(createRoleRequest).Role.Arn;
// Use the PutRolePolicyRequest object to define the request. Select whatever policy name you would like.
// The PolicyDocument property is there the policy is described.
var putRolePolicyRequest = new PutRolePolicyRequest
{
RoleName = roleName,
PolicyName = String.Format("{0}_policy", roleName),
PolicyDocument = policyText
};
iamClient.PutRolePolicy(putRolePolicyRequest);
return roleArn;
}
IAsyncResult invokeCreateRole(CreateRoleRequest request, AsyncCallback callback, object state, bool synchronized)
{
var marshaller = new CreateRoleRequestMarshaller();
var unmarshaller = CreateRoleResponseUnmarshaller.Instance;
return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
}
public static void Test(string identityProvider)
{
// Login with credentials to create the role
// credentials are defined in app.config
var iamClient = new AmazonIdentityManagementServiceClient();
string providerURL = null,
providerAppIdName = null,
providerUserIdName = null,
providerAppId = null;
switch (identityProvider)
{
case "Facebook":
providerURL = "graph.facebook.com";
providerAppIdName = "app_id";
providerUserIdName = "id";
break;
case "Google":
providerURL = "accounts.google.com";
providerAppIdName = "aud";
providerUserIdName = "sub";
break;
case "Amazon":
providerURL = "www.amazon.com";
providerAppIdName = "app_id";
providerUserIdName = "user_id";
break;
}
//identity provider specific AppId is loaded from app.config (e.g)
// FacebookProviderAppId. GoogleProviderAppId, AmazonProviderAppId
providerAppId = ConfigurationManager.AppSettings[identityProvider +
"ProviderAppId"];
// Since the string is passed to String.Format, '{' & '}' has to be escaped.
// Policy document specifies who can invoke AssumeRoleWithWebIdentity
string trustPolicyTemplate = @"{{
""Version"": ""2012-10-17"",
""Statement"": [
{{
""Effect"": ""Allow"",
""Principal"": {{ ""Federated"": ""{1}"" }},
""Action"": ""sts:AssumeRoleWithWebIdentity"",
""Condition"": {{
""StringEquals"": {{""{1}:{2}"": ""{3}""}}
}}
}}
]
}}";
// Defines what permissions to grant when AssumeRoleWithWebIdentity is called
string accessPolicyTemplate = @"{{
""Version"": ""2012-10-17"",
""Statement"": [
{{
""Effect"":""Allow"",
""Action"":[""s3:GetObject"", ""s3:PutObject"", ""s3:DeleteObject""],
""Resource"": [
""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}"",
""arn:aws:s3:::federationtestbucket/{0}/${{{1}:{4}}}/*""
]
}}
]
}}";
// Create Trust policy
CreateRoleRequest createRoleRequest = new CreateRoleRequest
{
RoleName = "federationtestrole",
AssumeRolePolicyDocument = string.Format(trustPolicyTemplate,
identityProvider,
providerURL,
providerAppIdName,
providerAppId)
};
Console.WriteLine("\nTrust Policy Document:\n{0}\n",
createRoleRequest.AssumeRolePolicyDocument);
CreateRoleResponse createRoleResponse = iamClient.CreateRole(createRoleRequest);
// Create Access policy (Permissions)
PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest
{
PolicyName = "federationtestrole-rolepolicy",
RoleName = "federationtestrole",
PolicyDocument = string.Format(accessPolicyTemplate,
identityProvider,
providerURL,
providerAppIdName,
providerAppId,
providerUserIdName)
};
Console.WriteLine("\nAccess Policy Document (Permissions):\n{0}\n",
putRolePolicyRequest.PolicyDocument);
PutRolePolicyResponse putRolePolicyResponse = iamClient.PutRolePolicy(
putRolePolicyRequest);
// Sleep for the policy to replicate
System.Threading.Thread.Sleep(5000);
AmazonS3Config config = new AmazonS3Config
{
ServiceURL = "s3.amazonaws.com",
RegionEndpoint = Amazon.RegionEndpoint.USEast1
};
Federation federationTest = new Federation();
AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse = null;
switch (identityProvider)
{
case "Facebook":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingFacebook(
providerAppId,
createRoleResponse.Role.Arn);
break;
case "Google":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingGoogle(
providerAppId,
createRoleResponse.Role.Arn);
//Uncomment to perform two step process
//assumeRoleWithWebIdentityResponse =
// federationTest.GetTemporaryCredentialUsingGoogle(
// providerAppId,
// ConfigurationManager.AppSettings["GoogleProviderAppIdSecret"],
// createRoleResponse.Role.Arn);
break;
case "Amazon":
assumeRoleWithWebIdentityResponse =
federationTest.GetTemporaryCredentialUsingAmazon(
ConfigurationManager.AppSettings["AmazonProviderClientId"],
createRoleResponse.Role.Arn);
break;
}
S3Test s3Test = new S3Test();
s3Test.CreateS3Bucket("federationtestbucket",
identityProvider + "/" +
assumeRoleWithWebIdentityResponse.SubjectFromWebIdentityToken,
assumeRoleWithWebIdentityResponse.Credentials, config);
DeleteRolePolicyResponse deleteRolePolicyResponse =
iamClient.DeleteRolePolicy(new DeleteRolePolicyRequest
{
PolicyName = "federationtestrole-rolepolicy",
RoleName = "federationtestrole"
});
DeleteRoleResponse deleteRoleResponse =
iamClient.DeleteRole(new DeleteRoleRequest
{
RoleName = "federationtestrole"
});
}
