private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
{
var ars = new AutoResetEvent(false);
Amazon.SecurityToken.Model.Credentials credentials = null;
Exception exception = null;
sts.AssumeRoleWithWebIdentityAsync(assumeRequest, (assumeResult) =>
{
if (assumeResult.Exception != null)
{
exception = assumeResult.Exception;
}
else
{
credentials = assumeResult.Response.Credentials;
}
ars.Set();
});
ars.WaitOne();
if (exception != null)
{
throw exception;
}
return(credentials);
}
protected override CredentialsRefreshState GenerateNewCredentials()
{
var configuredRegion = AWSConfigs.AWSRegion;
var region = string.IsNullOrEmpty(configuredRegion) ? DefaultSTSClientRegion : RegionEndpoint.GetBySystemName(configuredRegion);
Amazon.SecurityToken.Model.Credentials cc = null;
try
{
var stsConfig = ServiceClientHelpers.CreateServiceConfig(ServiceClientHelpers.STS_ASSEMBLY_NAME, ServiceClientHelpers.STS_SERVICE_CONFIG_NAME);
stsConfig.RegionEndpoint = region;
var stsClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());
OidcToken oidcToken = SourceCredentials.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(TargetAudience).WithTokenFormat(OidcTokenFormat.Standard)).Result;
TargetAssumeRoleRequest.WebIdentityToken = oidcToken.GetAccessTokenAsync().Result;
AssumeRoleWithWebIdentityResponse sessionTokenResponse = stsClient.AssumeRoleWithWebIdentityAsync(TargetAssumeRoleRequest).Result;
cc = sessionTokenResponse.Credentials;
_logger.InfoFormat("New credentials created for assume role that expire at {0}", cc.Expiration.ToString("yyyy-MM-ddTHH:mm:ss.fffffffK", CultureInfo.InvariantCulture));
return(new CredentialsRefreshState(new ImmutableCredentials(cc.AccessKeyId, cc.SecretAccessKey, cc.SessionToken), cc.Expiration));
}
catch (Exception e)
{
var msg = "Error exchanging Google OIDC token for AWS STS ";
var exception = new InvalidOperationException(msg, e);
Logger.GetLogger(typeof(GoogleCompatCredentials)).Error(exception, exception.Message);
throw exception;
}
}
public void CreateS3Bucket(string bucketName, string key, Credentials credentials, AmazonS3Config config)
{
var s3Client = new AmazonS3Client(credentials.AccessKeyId, credentials.SecretAccessKey, credentials.SessionToken, config);
string content = "Hello World2!";
// Put an object in the user's "folder".
s3Client.PutObject(new PutObjectRequest
{
BucketName = bucketName,
Key = key,
ContentBody = content
});
Console.WriteLine("Updated key={0} with content={1}", key, content);
}
private CredentialsRefreshState GetCredentialsForRole(string roleArn)
{
string text = GetIdentityId(RefreshIdentityOptions.Refresh);
GetOpenIdTokenRequest getOpenIdTokenRequest = new GetOpenIdTokenRequest
{
IdentityId = text
};
if (Logins.Count > 0)
{
getOpenIdTokenRequest.Logins = Logins;
}
bool flag = false;
GetOpenIdTokenResponse getOpenIdTokenResponse = null;
try
{
getOpenIdTokenResponse = GetOpenId(getOpenIdTokenRequest);
}
catch (AmazonCognitoIdentityException e)
{
if (!ShouldRetry(e))
{
throw;
}
flag = true;
}
if (flag)
{
return(GetCredentialsForRole(roleArn));
}
string token = getOpenIdTokenResponse.Token;
UpdateIdentity(getOpenIdTokenResponse.IdentityId);
AssumeRoleWithWebIdentityRequest assumeRequest = new AssumeRoleWithWebIdentityRequest
{
WebIdentityToken = token,
RoleArn = roleArn,
RoleSessionName = "NetProviderSession",
DurationSeconds = DefaultDurationSeconds
};
Amazon.SecurityToken.Model.Credentials stsCredentials = GetStsCredentials(assumeRequest);
return(new CredentialsRefreshState(stsCredentials.GetCredentials(), stsCredentials.Expiration));
}
public GetFederationTokenResult WithCredentials(Credentials credentials)
{
this.credentials = credentials;
return this;
}
public AssumeRoleWithWebIdentityResult WithCredentials(Credentials credentials)
{
this.credentials = credentials;
return this;
}
public virtual AmazonS3Client AppMode_CreateS3Client(Credentials credentials, RegionEndpoint regionEndpoint)
{
AmazonS3Client s3Client;
var sessionCredentials = new SessionAWSCredentials(
credentials.AccessKeyId,
credentials.SecretAccessKey,
credentials.SessionToken);
s3Client = new AmazonS3Client(sessionCredentials, regionEndpoint);
return s3Client;
}
public AssumeRoleWithWebIdentityResult WithCredentials(Credentials credentials)
{
this.credentials = credentials;
return(this);
}
public GetSessionTokenResult WithCredentials(Credentials credentials)
{
this.credentials = credentials;
return(this);
}
/// <summary>
/// Create session/temporary credentials using the provided credentials (previously returned from the AssumeRole
/// method), and use the session credentials to create an S3 client object.
/// </summary>
/// <param name="credentials">The credentials to use for creating session credentials.</param>
/// <param name="regionEndpoint">The region endpoint to use for the client.</param>
/// <returns>The S3 client object.</returns>
public override AmazonS3Client AppMode_CreateS3Client(Credentials credentials, RegionEndpoint regionEndpoint)
{
//TODO: Replace this call to the base class with your own method implementation.
return base.AppMode_CreateS3Client(credentials, regionEndpoint);
}
