Container for the parameters to the AssumeRoleWithWebIdentity operation. Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider, such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS and the AWS SDK for Android to uniquely identify a user and supply the user with a consistent identity throughout the lifetime of an application.

To learn more about Amazon Cognito, see Amazon Cognito Overview in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS APIs in the IAM User Guide.

The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service APIs.

The credentials are valid for the duration that you specified when calling AssumeRoleWithWebIdentity, which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.

The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's GetFederationToken or GetSessionToken APIs.

Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.

Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:

상속: AmazonSecurityTokenServiceRequest
        private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
        {
            var ars = new AutoResetEvent(false);
            Amazon.SecurityToken.Model.Credentials credentials = null;
            Exception exception = null;
            sts.AssumeRoleWithWebIdentityAsync(assumeRequest, (assumeResult) =>
            {
                if (assumeResult.Exception != null)
                    exception = assumeResult.Exception;
                else
                    credentials = assumeResult.Response.Credentials;
                
                ars.Set();
            });
            ars.WaitOne();

            if (exception != null)
                throw exception;

            return credentials;
        }
		internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
        {
            var task = AssumeRoleWithWebIdentityAsync(request);
            try
            {
                return task.Result;
            }
            catch(AggregateException e)
            {
                throw e.InnerException;
            }
        }
		internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
        {
            var task = AssumeRoleWithWebIdentityAsync(request);
            try
            {
                return task.Result;
            }
            catch(AggregateException e)
            {
                ExceptionDispatchInfo.Capture(e.InnerException).Throw();
                return null;
            }
        }
        /// <summary>
        /// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web
        /// identity provider, such as Login with Amazon, Facebook, or Google. <c>AssumeRoleWithWebIdentity</c> is an API call that does not require the
        /// use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary
        /// security credentials without including long-term AWS credentials in the application or by deploying server-based proxy services that use
        /// long-term AWS credentials. </para> <para> The temporary security credentials consist of an access key ID, a secret access key, and a
        /// security token. Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for
        /// the duration that you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds
        /// (1 hour). By default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access
        /// policy to this operation. The temporary security credentials that are returned by the operation have the permissions that are associated
        /// with the access policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way
        /// to further restrict the permissions for the federated user. These policies and any applicable resource-based policies are evaluated when
        /// calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call
        /// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application
        /// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other
        /// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity
        /// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para>
        /// <ul>
        /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider"> Creating a Mobile
        /// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html"> Creating Temporary
        /// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li>
        /// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html"> Web Identity Federation Playground</a> . This
        /// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary
        /// security credentials, and then using those credentials to make a request to AWS. </li>
        /// <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for
        /// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from
        /// these providers to get and use temporary security credentials. </li>
        /// <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web Identity Federation with Mobile Applications</a> . This article
        /// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li>
        /// 
        /// </ul>
        /// 
        /// </summary>
        /// 
        /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service
        /// method on AmazonSecurityTokenService.</param>
        /// 
        /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns>
        /// 
        /// <exception cref="T:Amazon.SecurityToken.Model.PackedPolicyTooLargeException" />
        /// <exception cref="T:Amazon.SecurityToken.Model.IDPRejectedClaimException" />
        /// <exception cref="T:Amazon.SecurityToken.Model.MalformedPolicyDocumentException" />
        /// <exception cref="T:Amazon.SecurityToken.Model.InvalidIdentityTokenException" />
        /// <exception cref="T:Amazon.SecurityToken.Model.ExpiredTokenException" />
        /// <exception cref="T:Amazon.SecurityToken.Model.IDPCommunicationErrorException" />
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
		public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
            return Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(assumeRoleWithWebIdentityRequest, marshaller, unmarshaller, signer, cancellationToken);
        }
예제 #5
0
파일: Federation.cs 프로젝트: 40a/Samples
        public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle2(
            string client_id, 
            string client_secret, 
            string role)
        {
            string query = "https://accounts.google.com/o/oauth2/auth?" +
                            string.Format("client_id={0}&", client_id) +
                            "response_type=code&" +
                            "scope=email%20profile&" +
                            "redirect_uri=http://www.padisetty.com";

            string id_token = null;
            using (var wc = new WebClient())
            {
                var data = new NameValueCollection();

                data["code"] = GetToken("code", query);
                data["client_id"] = client_id;
                data["client_secret"] = client_secret;
                data["redirect_uri"] = "http://www.padisetty.com";
                data["grant_type"] = "authorization_code";

                var response = wc.UploadValues(
                    "https://accounts.google.com/o/oauth2/token",
                    "POST", data);

                string responsebody = Encoding.UTF8.GetString(response);

                dynamic result = JsonConvert.DeserializeObject(responsebody);

                id_token = result.id_token;
            }

            AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
                new AssumeRoleWithWebIdentityRequest ()
                {
                    WebIdentityToken = id_token,
                    RoleArn = role
                };
            return GetAssumeRoleWithWebIdentityResponse(assumeRoleWithWebIdentityRequest);
        }
        /// <summary>
        /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param>
        /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
        /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
        ///          procedure using the AsyncState property.</param>
        /// 
        /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndAssumeRoleWithWebIdentity
        ///         operation.</returns>
        public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state)
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;

            return BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller,
                callback, state);
        }
        private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn)
        {
            CredentialsRefreshState credentialsState;
            // Retrieve Open Id Token
            // (Reuses existing IdentityId or creates a new one)
            var identityId = await GetIdentityIdAsync().ConfigureAwait(false);
            var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identityId };
            // If logins are set, pass them to the GetOpenId call
            if (Logins.Count > 0)
                getTokenRequest.Logins = Logins;
            var getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false);
            string token = getTokenResult.Token;

            // IdentityId may have changed, save the new value
            UpdateIdentity(getTokenResult.IdentityId, true);

            // Assume role with Open Id Token
            var assumeRequest = new AssumeRoleWithWebIdentityRequest
            {
                WebIdentityToken = token,
                RoleArn = roleArn,
                RoleSessionName = "NetProviderSession",
                DurationSeconds = DefaultDurationSeconds
            };
            var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials;

            // Return new refresh state (credentials and expiration)
            credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
            return credentialsState;
        }
        // Retrieves credentials for the specific role, by making a call to STS
        private CredentialsRefreshState GetCredentialsForRole(string roleArn)
        {
            CredentialsRefreshState credentialsState;
            // Retrieve Open Id Token
            // (Reuses existing IdentityId or creates a new one)
            var identity = this.GetIdentityIdWithCaching();
            var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity.IdentityId };
            // If logins are set, pass them to the GetOpenId call
            if (Logins.Count > 0)
                getTokenRequest.Logins = Logins;

            bool retry = false;
            GetOpenIdTokenResponse getTokenResult = null;
            try 
            {
                getTokenResult = GetOpenId(getTokenRequest);
            }
            catch (AmazonCognitoIdentityException e)
            {
                if (ShouldRetry(e, identity))
                    retry = true;
                else
                    throw;
            }

            if (retry)
            {
                return GetCredentialsForRole(roleArn);
            }

            string token = getTokenResult.Token;

            // IdentityId may have changed, save the new value
            UpdateIdentity(getTokenResult.IdentityId, true);

            // Assume role with Open Id Token
            var assumeRequest = new AssumeRoleWithWebIdentityRequest
            {
                WebIdentityToken = token,
                RoleArn = roleArn,
                RoleSessionName = "NetProviderSession",
                DurationSeconds = DefaultDurationSeconds
            };
            var credentials = GetStsCredentials(assumeRequest);

            credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
            return credentialsState;
        }
        /// <summary>
        /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param>
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
        /// <returns>The task object representing the asynchronous operation.</returns>
        public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;

            return InvokeAsync<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller, 
                unmarshaller, cancellationToken);
        }
 /// <summary>
 /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
 /// </summary>
 /// 
 /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param>
 /// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
 /// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
 ///          procedure using the AsyncState property.</param>
 public void AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, AmazonServiceCallback<AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse> callback, AsyncOptions options = null)
 {
     options = options == null?new AsyncOptions():options;
     var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
     var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
     Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
     if(callback !=null )
         callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => { 
             AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse> responseObject 
                     = new AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>((AssumeRoleWithWebIdentityRequest)req, (AssumeRoleWithWebIdentityResponse)res, ex , ao.State);    
                 callback(responseObject); 
         };
     BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller, options, callbackHelper);
 }
 private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
 {
     var assumeResult = sts.AssumeRoleWithWebIdentity(assumeRequest);
     var credentials = assumeResult.Credentials;
     return credentials;
 }
        IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state, bool synchronized)
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;

            return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
        }
예제 #13
0
파일: Federation.cs 프로젝트: 40a/Samples
        public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle(
            string client_id, 
            string role)
        {
            string query = "https://accounts.google.com/o/oauth2/auth?" +
                            string.Format("client_id={0}&", client_id) +
                            "response_type=id_token&" +
                            "scope=email%20profile&" +
                            "redirect_uri=http://www.padisetty.com";

            AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
                new AssumeRoleWithWebIdentityRequest ()
                {
                    WebIdentityToken = GetToken ("id_token", query),
                    RoleArn = role
                };
            return GetAssumeRoleWithWebIdentityResponse(
                assumeRoleWithWebIdentityRequest);
        }
예제 #14
0
파일: Federation.cs 프로젝트: 40a/Samples
 AssumeRoleWithWebIdentityResponse GetAssumeRoleWithWebIdentityResponse(
     AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest)
 {
     // Start with Anonymous AWS Credentials and get temporary credentials.
     var stsClient = new AmazonSecurityTokenServiceClient(
                             new AnonymousAWSCredentials());
     assumeRoleWithWebIdentityRequest.DurationSeconds = 3600;
     assumeRoleWithWebIdentityRequest.RoleSessionName = "MySession";
     return stsClient.AssumeRoleWithWebIdentity(
                             assumeRoleWithWebIdentityRequest);
 }
        /// <summary>
        /// Returns a set of temporary security credentials for users who have been authenticated
        /// in a mobile or web application with a web identity provider, such as Amazon Cognito,
        /// Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
        /// 
        /// 
        ///  <note> 
        /// <para>
        /// For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon
        /// Cognito with the <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and
        /// the <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a> to uniquely
        /// identify a user and supply the user with a consistent identity throughout the lifetime
        /// of an application.
        /// </para>
        ///  
        /// <para>
        /// To learn more about Amazon Cognito, see <a href="http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840">Amazon
        /// Cognito Overview</a> in the <i>AWS SDK for Android Developer Guide</i> guide and <a
        /// href="http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664">Amazon
        /// Cognito Overview</a> in the <i>AWS SDK for iOS Developer Guide</i>.
        /// </para>
        ///  </note> 
        /// <para>
        /// Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of AWS security
        /// credentials. Therefore, you can distribute an application (for example, on mobile
        /// devices) that requests temporary security credentials without including long-term
        /// AWS credentials in the application, and without deploying server-based proxy services
        /// that use long-term AWS credentials. Instead, the identity of the caller is validated
        /// by using a token from the web identity provider. 
        /// </para>
        ///  
        /// <para>
        /// The temporary security credentials returned by this API consist of an access key ID,
        /// a secret access key, and a security token. Applications can use these temporary security
        /// credentials to sign calls to AWS service APIs. The credentials are valid for the duration
        /// that you specified when calling <code>AssumeRoleWithWebIdentity</code>, which can
        /// be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary
        /// security credentials are valid for 1 hour. 
        /// </para>
        ///  
        /// <para>
        /// Optionally, you can pass an IAM access policy to this operation. If you choose not
        /// to pass a policy, the temporary security credentials that are returned by the operation
        /// have the permissions that are defined in the access policy of the role that is being
        /// assumed. If you pass a policy to this operation, the temporary security credentials
        /// that are returned by the operation have the permissions that are allowed by both the
        /// access policy of the role that is being assumed, <i><b>and</b></i> the policy that
        /// you pass. This gives you a way to further restrict the permissions for the resulting
        /// temporary security credentials. You cannot use the passed policy to grant permissions
        /// that are in excess of those allowed by the access policy of the role that is being
        /// assumed. For more information, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html">Permissions
        /// for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>Using
        /// IAM</i>.
        /// </para>
        ///  
        /// <para>
        /// Before your application can call <code>AssumeRoleWithWebIdentity</code>, you must
        /// have an identity token from a supported identity provider and create a role that the
        /// application can assume. The role that your application assumes must trust the identity
        /// provider that is associated with the identity token. In other words, the identity
        /// provider must be specified in the role's trust policy. 
        /// </para>
        ///  
        /// <para>
        /// For more information about how to use web identity federation and the <code>AssumeRoleWithWebIdentity</code>
        /// API, see the following resources: 
        /// </para>
        ///  <ul> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual">Using
        /// Web Identity Federation APIs for Mobile Apps</a> and <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation
        /// Through a Web-based Identity Provider</a>. </li> <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html">
        /// Web Identity Federation Playground</a>. This interactive website lets you walk through
        /// the process of authenticating via Login with Amazon, Facebook, or Google, getting
        /// temporary security credentials, and then using those credentials to make a request
        /// to AWS. </li> <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a>
        /// and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a>. These
        /// toolkits contain sample apps that show how to invoke the identity providers, and then
        /// how to use the information from these providers to get and use temporary security
        /// credentials. </li> <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web
        /// Identity Federation with Mobile Applications</a>. This article discusses web identity
        /// federation and shows an example of how to use web identity federation to get access
        /// to content in Amazon S3. </li> </ul>
        /// </summary>
        /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service method.</param>
        /// 
        /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by SecurityTokenService.</returns>
        /// <exception cref="Amazon.SecurityToken.Model.ExpiredTokenException">
        /// The web identity token that was passed is expired or is not valid. Get a new identity
        /// token from the identity provider and then retry the request.
        /// </exception>
        /// <exception cref="Amazon.SecurityToken.Model.IDPCommunicationErrorException">
        /// The request could not be fulfilled because the non-AWS identity provider (IDP) that
        /// was asked to verify the incoming identity token could not be reached. This is often
        /// a transient error caused by network conditions. Retry the request a limited number
        /// of times so that you don't exceed the request rate. If the error persists, the non-AWS
        /// identity provider might be down or not responding.
        /// </exception>
        /// <exception cref="Amazon.SecurityToken.Model.IDPRejectedClaimException">
        /// The identity provider (IdP) reported that authentication failed. This might be because
        /// the claim is invalid.
        /// 
        ///  
        /// <para>
        /// If this error is returned for the <code>AssumeRoleWithWebIdentity</code> operation,
        /// it can also mean that the claim has expired or has been explicitly revoked. 
        /// </para>
        /// </exception>
        /// <exception cref="Amazon.SecurityToken.Model.InvalidIdentityTokenException">
        /// The web identity token that was passed could not be validated by AWS. Get a new identity
        /// token from the identity provider and then retry the request.
        /// </exception>
        /// <exception cref="Amazon.SecurityToken.Model.MalformedPolicyDocumentException">
        /// The request was rejected because the policy document was malformed. The error message
        /// describes the specific error.
        /// </exception>
        /// <exception cref="Amazon.SecurityToken.Model.PackedPolicyTooLargeException">
        /// The request was rejected because the policy document was too large. The error message
        /// describes how big the policy document is, in packed form, as a percentage of what
        /// the API allows.
        /// </exception>
        public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;

            return Invoke<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller);
        }
 IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state, bool synchronized)
 {
     IRequest irequest = new AssumeRoleWithWebIdentityRequestMarshaller().Marshall(assumeRoleWithWebIdentityRequest);
     var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
     AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
     Invoke(result);
     return result;
 }
        /// <summary>
        /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
        /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/>
        /// </summary>
        /// 
        /// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param>
        /// <param name="cancellationToken">
        ///     A cancellation token that can be used by other objects or threads to receive notice of cancellation.
        /// </param>
        /// <returns>The task object representing the asynchronous operation.</returns>
		public async Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, CancellationToken cancellationToken = default(CancellationToken))
        {
            var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
            var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
            var response = await Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
                .ConfigureAwait(continueOnCapturedContext: false);
            return response;
        }
 /// <summary>
 /// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
 /// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/>
 /// </summary>
 /// 
 /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on
 ///          AmazonSecurityTokenService.</param>
 /// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
 /// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
 ///          procedure using the AsyncState property.</param>
 /// 
 /// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking
 ///         EndAssumeRoleWithWebIdentity operation.</returns>
 public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state)
 {
     return invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, callback, state, false);
 }
 /// <summary>
 /// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web
 /// identity provider, such as Login with Amazon, Facebook, or Google. </para> <para> Calling <c>AssumeRoleWithWebIdentity</c> does not require
 /// the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary
 /// security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that
 /// use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. </para>
 /// <para> The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token.
 /// Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for the duration that
 /// you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By
 /// default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access policy to this
 /// operation. The temporary security credentials that are returned by the operation have the permissions that are associated with the access
 /// policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way to further
 /// restrict the permissions for the resulting temporary security credentials. These policies and any applicable resource-based policies are
 /// evaluated when calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call
 /// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application
 /// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other
 /// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity
 /// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para>
 /// <ul>
 /// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider" > Creating a Mobile
 /// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html" > Creating Temporary
 /// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li>
 /// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html" > Web Identity Federation Playground</a> . This
 /// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary
 /// security credentials, and then using those credentials to make a request to AWS. </li>
 /// <li> <a href="http://aws.amazon.com/sdkforios/" >AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/" >AWS SDK for
 /// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from
 /// these providers to get and use temporary security credentials. </li>
 /// <li> <a href="http://aws.amazon.com/articles/4617974389850313" >Web Identity Federation with Mobile Applications</a> . This article
 /// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li>
 /// 
 /// </ul>
 /// 
 /// </summary>
 /// 
 /// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service
 ///          method on AmazonSecurityTokenService.</param>
 /// 
 /// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns>
 /// 
 /// <exception cref="PackedPolicyTooLargeException"/>
 /// <exception cref="IDPRejectedClaimException"/>
 /// <exception cref="MalformedPolicyDocumentException"/>
 /// <exception cref="InvalidIdentityTokenException"/>
 /// <exception cref="ExpiredTokenException"/>
 /// <exception cref="IDPCommunicationErrorException"/>
 public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest)
 {
     IAsyncResult asyncResult = invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, null, null, true);
     return EndAssumeRoleWithWebIdentity(asyncResult);
 }
예제 #20
0
 private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
 {
     var assumeResult = Amazon.Runtime.Internal.Util.AsyncHelpers.RunSync<AssumeRoleWithWebIdentityResponse>(() => sts.AssumeRoleWithWebIdentityAsync(assumeRequest));
     var credentials = assumeResult.Credentials;
     return credentials;
 }
        // Retrieves credentials for the specific role, by making a call to STS
        private CredentialsRefreshState GetCredentialsForRole(string roleArn)
        {
            CredentialsRefreshState credentialsState;
            // Retrieve Open Id Token
            // (Reuses existing IdentityId or creates a new one)
            var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = GetIdentityId() };
            // If logins are set, pass them to the GetOpenId call
            if (Logins.Count > 0)
                getTokenRequest.Logins = Logins;
            var getTokenResult = GetOpenId(getTokenRequest);
            string token = getTokenResult.Token;

            // IdentityId may have changed, save the new value
            UpdateIdentity(getTokenResult.IdentityId, true);

            // Assume role with Open Id Token
            var assumeRequest = new AssumeRoleWithWebIdentityRequest
            {
                WebIdentityToken = token,
                RoleArn = roleArn,
                RoleSessionName = "NetProviderSession",
                DurationSeconds = DefaultDurationSeconds
            };
            var credentials = GetStsCredentials(assumeRequest);

            credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
            return credentialsState;
        }
        private Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityRequest request)
        {
            Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithWebIdentity");

            try
            {
#if DESKTOP
                return(client.AssumeRoleWithWebIdentity(request));
#elif CORECLR
                return(client.AssumeRoleWithWebIdentityAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
            }
            catch (AmazonServiceException exc)
            {
                var webException = exc.InnerException as System.Net.WebException;
                if (webException != null)
                {
                    throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
                }

                throw;
            }
        }
예제 #23
-1
파일: Federation.cs 프로젝트: 40a/Samples
        public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingFacebook(
            string client_id, 
            string role)
        {
            string query = "https://www.facebook.com/dialog/oauth?" +
                string.Format ("client_id={0}&", client_id) +
                "response_type=token&" +
                "redirect_uri=https://www.facebook.com/connect/login_success.html";

            AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
                new AssumeRoleWithWebIdentityRequest ()
                {
                    ProviderId = "graph.facebook.com",
                    WebIdentityToken = GetToken("access_token", query),
                    RoleArn = role,
                };

            return GetAssumeRoleWithWebIdentityResponse (assumeRoleWithWebIdentityRequest);
        }
예제 #24
-1
파일: Federation.cs 프로젝트: 40a/Samples
        public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingAmazon(
            string client_id, 
            string role)
        {
            string query = "https://www.amazon.com/ap/oa?" +
                            string.Format("client_id={0}&", client_id) +
                            "response_type=token&" +
                            "scope=profile&" +
                            "redirect_uri=https://www.google.com";

            AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
                new AssumeRoleWithWebIdentityRequest ()
                {
                    ProviderId = "www.amazon.com",
                    WebIdentityToken = GetToken("access_token", query),
                    RoleArn = role
                };
            return GetAssumeRoleWithWebIdentityResponse(
                assumeRoleWithWebIdentityRequest);
        }
예제 #25
-22
        private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn)
        {
            CredentialsRefreshState credentialsState;
            // Retrieve Open Id Token
            // (Reuses existing IdentityId or creates a new one)
            var identity = await GetIdentityIdAsync(RefreshIdentityOptions.Refresh).ConfigureAwait(false);
            var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity };
            // If logins are set, pass them to the GetOpenId call
            if (Logins.Count > 0)
                getTokenRequest.Logins = Logins;

            bool retry = false;
            GetOpenIdTokenResponse getTokenResult = null;
            try
            {
                getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false);
            }
            catch (AmazonCognitoIdentityException e)
            {
                if (ShouldRetry(e))
                    retry = true;
                else
                    throw;
            }

            if (retry)
            {
                return await GetCredentialsForRoleAsync(roleArn);
            }

            string token = getTokenResult.Token;

            // IdentityId may have changed, save the new value
            UpdateIdentity(getTokenResult.IdentityId);

            // Assume role with Open Id Token
            var assumeRequest = new AssumeRoleWithWebIdentityRequest
            {
                WebIdentityToken = token,
                RoleArn = roleArn,
                RoleSessionName = "NetProviderSession",
                DurationSeconds = DefaultDurationSeconds
            };
            var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials;

            // Return new refresh state (credentials and expiration)
            credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
            return credentialsState;
        }